# 7.0.0-beta1 10/25/2022

* Feature #120: Capture full session on alert
* Feature #1096: tls: client certificate handling
* Feature #1369: eve: json schema
* Feature #1478: Active flow counters
* Feature #1576: http: byte-range support
* Feature #2054: Extracting HTTPS URL´s from SMTP, currently only HTTP is supported
* Feature #2096: eve: event_type for MODBUS
* Bug #2190: apparent 1000 character limit in threshold.conf IP lists
* Feature #2323: Applayer support for telnet
* Optimization #2405: files: Use FileTruncateAllOpenFiles for every app layer protocol
* Feature #2450: lua: scripts access to calling rule informations
* Bug #2510: Suricata doesnt decompress HTTP Post body
* Feature #2697: prefilter support for stream_size
* Bug #2802: iprep: use_cnt can get desynchronized (SIGABRT)
* Bug #2809: Applayer Mismatch protocol both directions for kerberos AS-REQ/KDC_ERR_PREAUTH_REQUIRED exchange
* Feature #3002: Flow and Netflow Not Logging ESP Traffic
* Documentation #3017: No documentation for "rawbytes" keyword
* Documentation #3029: No documentation for "dcerpc" keywords
* Documentation #3030: doc: document for "smb" keywords
* Bug #3109: dcerpc engine not generating alerts
* Task #3194: pcre2 support
* Bug #3235: Makefile:936: recipe for target 'install-rules' failed
* Feature #3285: rules: XOR keyword
* Feature #3292: support for network service header (NSH)
* Optimization #3315: app-layer: unify registration logic
* Bug #3419: af-packet: cluster_id is not used when trying to set fanout support
* Bug #3432: python: ensure proper shabang on python scripts
* Feature #3440: Add GQUIC Protocol Analysis and CYU Fingerprinting
* Bug #3475: SMB evasion against EICAR file detection
* Feature #3512: stream depth event rule
* Bug #3542: FTP: expectation created in wrong direction.
* Optimization #3658: Use WARN_UNUSED for ByteExtract* functions
* Bug #3685: Incorrect logging level for messages
* Feature #3701: eve: add tenant_id in eve-log for other types than alert
* Bug #3703: fileinfo "stored: false" even if the file is kept on disk
* Feature #3767: Add IKEv1 parser
* Optimization #3825: Defining only one basic rust Files structure
* Optimization #3832: rust: Make core::* as enum to improve readability
* Bug #3846: Infinite loop if the sniffing interface temporarily goes down
* Feature #3887: yaml: Increase maximum size for address vars
* Task #3905: GitHub CI: use sccache for commits build
* Feature #3957: Convert protocol to Rust: Modbus
* Bug #3995: SIGABRT stream-tcp-reassemble
* Bug #3996: SIGABRT: SMTPTransactionComplete
* Task #4021: Convert unittests to new FAIL/PASS API - detect-dsize.c
* Task #4024: Convert unittests to new FAIL/PASS API: detect-engine.c
* Task #4025: Convert unittests to new FAIL/PASS API: detect-engine-event.c
* Task #4026: Convert unittests to new FAIL/PASS API: detect-engine-payload.c
* Task #4027: Convert unittests to new FAIL/PASS API: detect-engine-proto.c
* Task #4028: Convert unittests to new FAIL/PASS API: detect-engine-siggroup.c
* Task #4031: Convert unittests to new FAIL/PASS API: detect-fast-pattern.c
* Task #4032: Convert unittests to new FAIL/PASS API: detect-file-data.c
* Task #4033: Convert unittests to new FAIL/PASS API: detect-fileext.c
* Task #4034: Convert unittests to new FAIL/PASS API: detect-filemagic.c
* Task #4035: Convert unittests to new FAIL/PASS API: detect-filemd5.c
* Task #4036: Convert unittests to new FAIL/PASS API: detect-filename.c
* Task #4037: Convert unittests to new FAIL/PASS API: detect-filesha1.c
* Task #4038: Convert unittests to new FAIL/PASS API: detect-filesha256.c
* Task #4040: Convert unittests to new FAIL/PASS API: detect-fragoffset.c
* Task #4041: Convert unittests to new FAIL/PASS API: detect-gid.c
* Task #4045: Convert unittests to new FAIL/PASS API: detect-icode.c
* Task #4046: Convert unittests to new FAIL/PASS API: detect-id.c
* Task #4047: Convert unittests to new FAIL/PASS API: detect-ipopts.c
* Task #4048: Convert unittests to new FAIL/PASS API: detect-iprep.c
* Task #4052: Convert unittests to new FAIL/PASS API: detect-mark.c
* Task #4053: Convert unittests to new FAIL/PASS API: detect-msg.c
* Task #4055: Convert unittests to new FAIL/PASS API: detect-rfb-secresult.c
* Task #4056: Convert unittests to new FAIL/PASS API: detect-rpc.c
* Task #4057: Convert unittests to new FAIL/PASS API: detect-sameip.c
* Task #4058: Convert unittests to new FAIL/PASS API: detect-sid.c
* Optimization #4066: Add a PASS_IF_NULL macro to the FAIL/PASS API
* Bug #4080: DCERPCUDPState handle fragmented data functions pegging certain CPU cores/threads
* Bug #4096: flow manager: 200% CPU in KVM host with no activity with Suricata 6
* Bug #4106: Duplicate TLS subjects in tls metadata.
* Optimization #4112: Use generic rust DetectU32Data in every keyword needing this
* Feature #4116: http2: body compression handling
* Feature #4117: http2: byte-range support
* Optimization #4126: Threaded eve logging for output types other than regular file (socket, plugins, redis etc)
* Feature #4142: file.data: support for NFS
* Feature #4144: file.data: support for request side files in HTTP
* Bug #4152: fatal error: 'gnu/stubs-32.h' file not found
* Optimization #4154: Rust Parsers: Abstract AppLayer events to a derive macro
* Task #4157: deprecation: remove dns eve v1 logging (May 2022)
* Bug #4171: Failed assert in TCPProtoDetectCheckBailConditions size_ts > 1000000UL
* Task #4182: lua: Use lua_pushinteger for pushing integer types as integers instead of floats
* Bug #4187: rs_dcerpc_udp_get_tx takes out unusual amount of CPU
* Bug #4198: dcerpc: no alert triggered with dce opnum in 6.0
* Bug #4199: Transformation keyword can’t trigger an alert
* Bug #4202: Wrong stream side after direction change
* Bug #4205: eve: Memory leak from jsonbuilder in `MetadataJson`
* Bug #4206: dns: output flags not set correctly on 32 bit systems
* Optimization #4207: Use configurable or more dynamic `PACKET_ALERT_MAX`
* Bug #4208: Suricata crashes with multi-threaded eve logger and HTTP/2 traffic
* Bug #4210: Alert not generated with 2 rules - http.request body (alone) and http.request_body/url_decode
* Bug #4211: Not all manpages are built by docs Makefile
* Bug #4216: 5.0.5 in socket mode crashes when using file-store due to uninitialized stats_ctx
* Task #4221: Build Suricata into a static and shared library
* Bug #4224: modbus: Request flood leads to CPU exhaustion
* Bug #4225: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode
* Bug #4228: tcp/async: incorrect flagging of ACK values as invalid
* Bug #4231: ICMPv6 failed assert p->icmpv6h == NULL with icmpv6.hdr
* Bug #4232: Protocol detection evasion enip-SMB
* Bug #4233: ssl : Integer underflow in ssl parsing SSLV3_HANDSHAKE_PROTOCOL
* Bug #4238: tcp/fastopen: false positive on "invalid option"
* Bug #4239: dataset file not written when run as user
* Feature #4241: Protocol support: PostgreSQL (pgsql)
* Bug #4245: SMTP/Email Body md5: Only logs the md5 of the first part in a multi-part mime message
* Bug #4246: Assertion failed in AdjustToAcked delta > 10000000ULL && delta > stream->window
* Bug #4247: detect: NOOPT flag not enforced correctly
* Bug #4253: lua: flowint/flowvar API naming consistency
* Bug #4254: Leak in signature parsing with urilen
* Bug #4258: ftp-data: support for file.name keyword is incomplete
* Bug #4261: Mismatch between capture and outputs in rules leads to seg fault
* Bug #4262: ebpf: llc detection failure
* Bug #4267: output: don't use /etc/protocols
* Bug #4271: datasets: reference counter issue in string lookup
* Bug #4272: Timeout in libhtp with lzma in gzip to be decompressed in many responses
* Bug #4273: protodetect: SEGV due to NULL ptr deref
* Bug #4274: Suricata crashes at exit in NFQ mode
* Bug #4275: Datasets writing limits on exit
* Bug #4277: SIGABRT: rust panic HTTP2State
* Bug #4280: Suricata is not fully reading or loading the iprep files
* Optimization #4319: dcerpc: improve protocol detection
* Bug #4320: Heap use after free in parsing signatures with ip_proto and prefilter
* Bug #4331: libhtp: don't put stream in error state on compression issues
* Feature #4332: Makes libhtp decompression time limit configurable from Suricata
* Bug #4335: Stack-buffer-overflow READ 4 in SetupU8Hash
* Bug #4348: ftp: "g_expectation_data_id" and "g_expectation_id" in AppLayerExpectationHandle function
* Bug #4361: detect: file.data performance regression
* Optimization #4366: decoder: limit number of decoding layers
* Bug #4369: Configuration test mode succeeds when threshold.config file contains invalid content
* Optimization #4371: Sphinx Warning about deprecated function
* Bug #4375: segv in ApplyToU8Hash
* Bug #4376: TCP flow that retransmits the SYN with a newer TSval not properly tracked
* Bug #4379: flow manager: using too much CPU during idle
* Feature #4386: Support for RFC2231
* Bug #4387: Heap-use-after-free READ 8 · JsonDNP3LoggerToClient
* Bug #4388: Protocol detection evasion enip-dns
* Bug #4389: Protocol detection tls-dcerpc
* Bug #4394: detect: "drop" on protocol detect only rule doesn't drop flow
* Bug #4395: Incorrect AppLayerResult::incomplete for RDP
* Documentation #4396: Devguide: Transactions and State overview
* Bug #4397: eve.drop: alerts option logs lowest priority alert
* Bug #4400: Panic in Rust HTTP2 dynamic headers table eviction
* Bug #4401: Quadratic complexity in libhtp chunk parsing
* Bug #4403: Use after free or read overflow or use of unitized memory in TransformStripWhitespace called by HttpServerBodyXformsGetDataCallback
* Bug #4404: eve/mqtt: mqtt logging crashes when eve is multithreaded
* Feature #4406: unix socket: Get flow information by flow_id
* Bug #4407: threshold: slow startup on threshold.config with many addresses in suppression
* Bug #4424: ftp: Memory leak with duplicate FTP expectation
* Bug #4425: threaded eve: files not closed on deinitialization
* Optimization #4427: storage api: use dedicated 'id' type
* Bug #4428: Rust panic in suricata::dcerpc::detect::handle_input_data (buffer overread)
* Bug #4433: Debug assert failed in ikev1 logger
* Bug #4434: Duplicate alert record in eve log when using unix-socket mode
* Bug #4436: Buffer overread in SMTP SMTPParseCommandBDAT
* Bug #4437: dns: high resource usage on long lived dns connections
* Bug #4438: Null-dereference in HTTP2MimicHttp1Request in midstream
* Bug #4439: eve: log alert direction
* Bug #4440: eve: log if flow had gap
* Bug #4442: build: Build failure on FreeBSD
* Task #4444: files: store files in transactions instead of per flow state
* Task #4446: pcre2: document changes vs prce1 for rule writers
* Bug #4447: ipv6 & ftp & passive mode & error
* Bug #4448: Properly set the ICMP emergency-bypassed value
* Bug #4472: YAML -- interpretation of "~" (tilde)
* Bug #4473: Timeout in ftp parsing rs_ftp_active_eprt
* Optimization #4475: Rust: Make default_port in parser registration an Option
* Bug #4476: heap-buffer-overflow WRITE in InspectionBufferSetup with use of InspectionBufferGetMulti
* Bug #4477: Infinite loops in when using InspectionBufferMultipleForList
* Bug #4478: freebsd: lockups due to mutex handling issues
* Task #4480: Packaging/RPM: Remove engine provided rules from /etc/suricata/rules
* Bug #4491: rules: rules w/o sid accepted, leading to alerts with signature_id: 0
* Bug #4494: Failed assertion in HTTP2 decompression
* Bug #4495: output: threaded output coverity warning
* Optimization #4496: decode: remove NULL checks after header casts
* Optimization #4497: rust: clean up constructors of state, transaction structs
* Feature #4498: decoder: add VN-Tag support
* Bug #4502: TCP reassembly memuse approaching memcap value results in TCP detection being stopped
* Bug #4503: Buffer overflow in "by_rule" threshold context
* Security #4504: tcp: Evasion possibility on wrong/unexpected ACK value in crafted SYN packets
* Bug #4505: Rust panic while parsing (new rust) modbus rule
* Feature #4507: dpdk: initial support for IDS and IPS modes
* Bug #4508: SSH bypass is not working
* Bug #4509: Incorrect flags in Rust
* Feature #4515: Add DNS logging of Z flag
* Bug #4516: Integer overflows
* Bug #4523: Application log cannot to be re-opened when running as non-root user
* Bug #4525: segv with --set cmdline option if incorrect key is provided
* Feature #4526: SIGSEGV handling -- log stack before aborting
* Bug #4527: Fix implicit conversions in traffic facing source code modules
* Bug #4528: Fix implicit conversions in detection modules
* Bug #4530: DOS Quadratic complexity when having too many transactions
* Bug #4533: Rust modbus parser does not handle gaps as it claims
* Bug #4534: Timeout in ikev2 parsing
* Bug #4536: SWF decompression overread
* Bug #4537: alert count shows up as 0 when stats are disabled
* Bug #4540: unused variables warnings on Windows compiles with rust
* Feature #4541: netmap: new API version (14) supports multi-ring software mode
* Bug #4549: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned
* Feature #4550: pthreads: set minimum stack size
* Feature #4551: eve: add direct base64 to json option to json builder
* Optimization #4555: HTTP2: what to do when HTTP upgrade is requested and HTTP2 is disabled ?
* Feature #4556: HTTP2: support deflate decompression
* Bug #4558: DNP3: intra structure overflow in DNP3DecodeObjectG70V6
* Bug #4560: Quadratic complexity in HTTP2 gzip decompression
* Bug #4561: Failed assertion in SMTP SMTPTransactionComplete
* Bug #4562: Memory leak in Protocol change during protocol detection
* Bug #4563: Rules based on SSH banner-related keywords only match on acked data
* Security #4569: tcp: crafted injected packets cause desync after 3whs
* Bug #4570: eve/flow: many flows logged with reason==unknown
* Bug #4577: coverity: minor warnings
* Bug #4581: Excessive qsort/msort time when large number of rules using tls.fingerprint
* Bug #4582: BUG_ON triggered from TmThreadsInjectFlowById
* Bug #4586: segmentfault when reopen redis
* Documentation #4590: DevGuide: add page about how to go from pcap to unittests and when to go with Suricata Verify tests
* Optimization #4593: Fix warning about "mixed case hex literals"
* Optimization #4595: Fix warning about "comparing with null"
* Optimization #4597: Fix warning about "enum's name"
* Optimization #4599: Fix warning about "ptr_arg"
* Optimization #4604: Fix warning about "branches sharing code"
* Optimization #4605: Fix warning about "unnecessary nested match"
* Optimization #4609: Fix warning about "if same then else"
* Optimization #4613: Fix warning about "large enum variant"
* Optimization #4616: Fix warning about "match single binding"
* Optimization #4618: Fix warning about "inherent to string"
* Bug #4619: HTTP2 null dereference in upgrade
* Bug #4620: Protocol detection : confusion with SMB in midstream
* Bug #4621: rust panic: when using smb stream-depth
* Bug #4622: File deletions over SMB are not always logged
* Bug #4650: Stream TCP raw reassembly is leaking
* Optimization #4653: Flow cleaning with chunked approach is memory hungry
* Bug #4654: tcp: insert_data_normal_fail can hit without triggering memcap
* Bug #4659: Configuration test mode succeeds when reference.config file contains invalid content
* Bug #4663: rules: drop rules with noalert not fully dropping
* Bug #4664: ipv6 evasions : fragmentation
* Bug #4666: http: ipv6 address is a valid host
* Task #4667: libhtp 0.5.39
* Task #4668: Remove Prelude output
* Bug #4670: rules: mix of drop and pass rules issues
* Documentation #4671: Document changes to HTTP events with respect to http/http2 normalization
* Bug #4679: IPv6 : decoder event on invalid fragment length
* Bug #4680: nfs: failed assert self.tx_data.files_logged > 1
* Bug #4681: Wrong list_id with transforms for http_client_body and http file_data
* Bug #4685: detect: too many prefilter engines lead to FNs
* Bug #4692: lua: file info callback returns wrong value
* Bug #4699: coverity warnings after output changes
* Security #4710: tcp: Bypass of Payload Detection on TCP RST with options of MD5header
* Optimization #4711: Clang 14 and rust nightly new warnings
* Bug #4719: http2: byte-range test fails intermittently
* Bug #4720: pcre2: ASAN heap-buffer-overflow
* Task #4721: http2: enable by default
* Bug #4722: flows: TCP flow timeout handling stuck if there is no traffic
* Bug #4724: pcre2: scan-build warning
* Documentation #4725: Inconsistent "needs" key documentation for Lua functions
* Bug #4731: flows: spare pool not freeing flows aggressively enough
* Bug #4737: ubsan: bytejump warning
* Bug #4739: Absent app-layer protocol is always enabled by default
* Bug #4741: Quadratic complexity in modus due to missing tx_iterator
* Optimization #4748: app-layer/rust: explore if tx iterator can be implemented as a trait
* Bug #4752: Memory leak in SNMP with DetectEngineState
* Bug #4754: Invalid range leads to OOM
* Bug #4757: Incomplete range with overlap, and expected new bytes, lead to incomplete reassembly
* Bug #4764: range: no validity check with HTTP2 leads to over allocation
* Bug #4765: loopback: different AF_INET6 values per OS
* Bug #4766: Flow leaked when flow->use_cnt access race happens
* Bug #4767: Rule error in SMB dce_iface and dce_opnum keywords
* Bug #4769: dcerpc dce_iface just match a packet
* Bug #4771: pcrexform: does not capture substring but whole match
* Bug #4778: flow/bypass: app-layer/stream resources not freed when bypass activated
* Bug #4779: flow/bypass: flow worker not performing flow timeout "housekeeping"
* Task #4784: config: add suricata version as a comment to the top of the configuration file
* Bug #4785: af-packet: threads sometimes get stuck in capture
* Optimization #4795: Remove PASS_IF macro from the FAIL/PASS API
* Task #4796: af-packet: remove non-mmap tpacket-v1 support
* Bug #4800: af-packet: flag colision between kernel and Suricata
* Bug #4801: af-packet: tpacket v3 socket reference handling broken
* Bug #4803: af-packet: up/down logic leaks resources in autofp (tpacket v2)
* Bug #4804: af-packet: tpacket v3 if/down logic broken
* Optimization #4805: af-packet: move vlan hdr insert logic to capture/decode
* Bug #4807: packetpool: packets in pool may have capture method ReleasePacket callbacks set
* Bug #4808: flow: worker-evicted flows need to be processed quicker
* Bug #4810: pppoe decoder fails when protocol identity field is only 1 byte
* Bug #4811: Range: memory leak from HTTP2
* Bug #4812: conf: quadratic complexity
* Bug #4817: smtp: smtp transaction not logged if no email is present
* Bug #4828: flow: flows not evicted & freed in time
* Bug #4836: profiling: Invalid performance counter when using sampling
* Bug #4839: Memory leak with signature using file_data and NFS
* Bug #4842: smb: excessive memory use during file transfer
* Bug #4848: TFTP: memory leak due to missing detect state
* Bug #4849: protodetect: SMB vs TLS protocol detection in midstream
* Security #4857: ftp: SEGV at flow cleanup due to protocol confusion
* Bug #4859: dnp3: buffer over read in logging base64 empty objects
* Bug #4860: eve.json remove app-layer specific fields from root object
* Bug #4862: MQTT : transactions are never cleaned by AppLayerParserTransactionsCleanup
* Task #4866: rust/nfs/*: add unit tests
* Feature #4872: nfs: add stream app-layer frame support
* Bug #4877: Run stream reassembly on both directions upon receiving a FIN packet
* Bug #4882: Netmap configuration -- need a configuration option for non-standard library locations.
* Optimization #4907: smtp: use AppLayerResult instead of buffering wherever possible
* Task #4909: devguide: move into userguide as last chapter
* Task #4912: Update default rule path to /var/lib/suricata/rules.
* Task #4915: transversal: update references to suricata webpage
* Bug #4920: detect/app-layer-protocol: app-layer-protocol:http broken
* Bug #4924: dns: transaction not created when z-bit set
* Bug #4935: DPDK: Packet counters set incorrectly
* Bug #4941: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit
* Optimization #4943: alerts: use alert queing in DetectEngineThreadCtx
* Bug #4945: smb: excessive CPU utilization and higher packet processing latency due to excessive calls to Vec::extend_from_slice()
* Bug #4947: suricatasc loop if recv returns no data
* Bug #4948: SMTP assertion triggered
* Documentation #4949: userguide: add explanation on max-streams in the suricata.yaml page
* Bug #4953: stream: too aggressive pruning in lossy streams
* Task #4966: tracking: QUIC protocol support
* Feature #4967: QUIC v1 support
* Bug #4969: Libhtp timeout lzma reallocing dictionary
* Task #4970: libhtp 0.5.40
* Bug #4972: Null deference in ConfigApplyTx
* Feature #4983: frames: support UDP
* Feature #4984: dns: add frames support
* Optimization #4991: pgsql: convert parser to nom7 functions
* Task #4992: dcerpc: convert parser to nom7 functions
* Task #4993: asn1: convert parser to nom7 functions
* Task #4994: ike: convert parser to nom7 functions
* Task #4995: snmp: convert parser to nom7 functions
* Task #4996: rdp: convert parser to nom7 functions
* Task #4997: mime: convert parser to nom7 functions
* Task #4998: krb: convert parser to nom7 functions
* Task #4999: ntp: convert parser to nom7 functions
* Task #5000: rfb: convert parser to nom7 functions
* Task #5001: x509: convert parser to nom7 functions
* Task #5002: applayertemplate: convert parser to nom7 functions
* Bug #5007: pgsql: coverity warning
* Bug #5009: dpdk: fails to compile on ubuntu 22.04
* Bug #5011: frames: buffer overread in SigValidate
* Bug #5016: pgsql: fix possible unsigned integer overflow
* Bug #5018: MQTT can return AppLayerResult::incomplete forever and buffer forever
* Bug #5019: dataset: error with space in rule language
* Security #5023: smtp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input
* Security #5024: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input
* Bug #5034: dns: probing/parser can return error when it should return incomplete
* Feature #5036: sip: add frames support
* Bug #5040: stats: add app-layer error counters
* Bug #5046: Documentation copyright years are invalid
* Bug #5065: frames: coverity warning
* Bug #5066: detect/iponly: mixing netblocks can lead to FN/FP
* Bug #5070: Stacktrace logger should propagate original signal
* Bug #5073: Off-by-one in flow-manager flow_hash row allocation
* Bug #5077: byte_math rule options need to be in order or will fail otherwise
* Bug #5079: swf: coverity warning
* Bug #5080: eve/dnp3: coverity warnings for string handling
* Bug #5081: detect/iponly: rule parsing does not always apply netmask correctly
* Bug #5084: iprep: cidr support can set up radix incorrectly
* Bug #5085: defrag: policy config can setup radix incorrectly
* Bug #5086: htp: server personality radix handling issue
* Bug #5093: rust/proc-macro-crate: pin to old version to support our MSRV
* Bug #5094: output: timestamp missing usecs on Arm 32bit + Musl
* Documentation #5130: doc: add flowbits ORing doc
* Bug #5132: segfault: master - HTPFileCloseHandleRange
* Task #5143: QUIC: support JA3
* Bug #5144: Failed assert DeStateSearchState
* Bug #5145: nfs: Integer underflow in NFS
* Bug #5146: libhtp: does not handle 100 continue if there is a 0 Content Length
* Bug #5147: frames: debug assertion on SMB2 traffic
* Bug #5162: inspection of smb traffic without smb/dcerpc doesn't work correct.
* Task #5166: quic: Support older versions like Q039 and Q043
* Bug #5168: detect/iponly: non-cidr netmask settings can lead incorrect detection
* Bug #5174: MIME URL extraction creates invalid url in JSON
* Task #5175: nfs4: Improve compound record parsers
* Task #5179: stats/alert: log out to stats alerts that have been discarded from packet queue
* Bug #5183: TLS Handshake Fragments not Reassembled
* Security #5187: Rust regex crate security advisory CVE-2022-24713
* Bug #5188: SSL : over allocation for certificates
* Feature #5190: new tls.random keyword
* Feature #5191: new keyword for self signed certificates
* Bug #5197: fast_pattern assignment of specific content results in FN
* Bug #5200: libbpf: Use of legacy code in eBPF/XDP programs
* Bug #5201: content:"22 2 22"; is parsed without error
* Feature #5202: eve/drop: include drop "reason"
* Bug #5208: DCERPC protocol detection when nested in SMB
* Feature #5214: ips: allow dropping of flow if stream.memcap is hit
* Feature #5215: ips: allow dropping of flow if stream.reassembly.memcap is hit
* Feature #5216: ips: allow dropping of flow if flow.memcap is hit
* Feature #5218: ips: allow dropping of flow if applayer reaches error state
* Bug #5222: SSH built-in rules are not included in the source tarball
* Bug #5223: base64_decode does not populate base64_data buffer once hitting non-base64 chars
* Bug #5226: Frames: failed assertion !((int64_t)data_len > frame->len)
* Bug #5228: pcre2: SEGV during rule loading
* Optimization #5229: rules: too much time spent in SigMatchListSMBelongsTo at startup
* Optimization #5230: rules: too much time spent in DetectUnregisterThreadCtxFuncs due to pcre2
* Optimization #5231: rules: mpm setup more costly than needed
* Optimization #5232: rules: pattern id assignment is too slow
* Bug #5236: frame: buffer over read in SCACSearch
* Security #5237: nfs: arbitrary allocation from nfs4_res_secinfo_no_name
* Bug #5238: frame: memory leak in signature parsing
* Security #5243: protocol detection: exploitable type confusion due to concurrent protocol changes
* Security #5244: Infinite loop in JsonFTPLogger
* Bug #5246: smb: integer underflows and overflows
* Bug #5248: flow: double unlock in tcp reuse case
* Bug #5259: rust: update time dependency
* Bug #5260: rust: update regex dependency
* Bug #5268: mqtt: integer underflow with truncated
* Bug #5271: app-layer: timeout when removing many transactions from the beginning
* Bug #5276: eve: payload field randomly missing even if the packet field is present
* Bug #5277: dns: More efficient transaction handling
* Bug #5278: app-layer: Allow for non slice based transaction containers in generate get iterator (rust)
* Bug #5280: nfs: ASSERT: attempt to subtract with overflow (compound)
* Bug #5281: ftp: don't let first incomplete segment be over maximum length
* Bug #5285: frame: assertion failed in PrefilterMpmFrame
* Bug #5291: cppcheck: various static analyzer "warning"s
* Bug #5294: mqtt: convert to vecdeque
* Bug #5295: rdp: convert transaction list to vecdeque
* Bug #5296: http2: convert transaction list to vecdeque
* Bug #5297: pgsql: convert transaction list to vecdeque
* Bug #5298: template (rust): convert transaction list to vecdeque
* Bug #5306: dcerpc: unsigned integer overflow in parse_dcerpc_bindack
* Bug #5308: file handling: avoid toctou race conditions
* Bug #5309: CIDR prefix calculation fails on big endian archs
* Bug #5310: detect: several potential infinite loops by comparing u16 to size_t
* Bug #5312: test failure on Ubuntu 22.04 with GCC 12
* Bug #5313: python: distutils deprecation warning
* Bug #5314: ftp: quadratic complexity for tx iterator with linked list
* Bug #5315: decode/mime: base64 decoding for data with spaces is broken
* Bug #5316: smtp: PreProcessCommands does not handle all the edge cases
* Bug #5317: flow manager: end of flow counters not working
* Task #5319: add `alert-queue-expand-fails` command-line option
* Bug #5321: dcerpc: More efficient transaction handling
* Bug #5327: track by_rule|by_both incorrectly rejected for global thresholds
* Bug #5329: rust: inconsistency between rust structure RustParser and C structure AppLayerParser
* Bug #5330: flow: vlan.use-for-tracking is not used for ICMPv4
* Bug #5331: stacktrace-on-signal: Kills all processes in the same process group
* Bug #5353: detect/alert: fix segvfault when incrementing discarded alerts if alert-queue-expand fails
* Bug #5361: IPS: ip only rules, but with negated addresses not treated like pure ip-only rules in IPS context
* Documentation #5364: userguide: reorganize `Application Layers Parsers` and `Application layers` subsections in the suricata.yaml page
* Bug #5368: bypass: Memory leak of some flow bypass objects.
* Documentation #5375: Improve documentation for TLS logging options
* Bug #5377: modbus: probing parser recognizes modbus with unknown function code
* Documentation #5385: userguide: update rule's format document
* Bug #5386: detect/threshold: offline time handling issue
* Bug #5390: smb: have default stream-depth of 0
* Bug #5391: events: PACKET_RECYCLE does not reset event_last_logged
* Bug #5392: fileinfo: inconsistent file size tracking for GAPs
* Security #5399: mqtt: DOS by quadratic with too many transactions in one parse
* Optimization #5400: dpdk: allow specifying of `rss_hf` flags in config
* Bug #5401: tcp: assertion failed in DoInsertSegment (BUG_ON)
* Bug #5402: detect: will still inspect packets of a "dropped" flow for non-TCP
* Security #5408: filestore: Segfault with filestore enabled and forced
* Bug #5409: PCRE: use match and recursion limit for pcrexform
* Feature #5411: Add keywords for user and domain seen in smb
* Bug #5412: SMB status errors list is incomplete
* Feature #5413: DCERPC logging is not easy to use in analysis
* Feature #5416: SNMP: signature keyword for usm
* Bug #5419: Failed assert DeStateSearchState
* Feature #5435: DHCP: signature keyword for lease_time
* Documentation #5441: userguide: rules meta page updates
* Feature #5442: kerberos: log ticket encryption method
* Optimization #5454: http2: slow http2_frames_get_header_value_vec because of allocation
* Bug #5455: ike: logging state transforms instead of transaction transforms
* Bug #5457: Counters are not initialized in all places.
* Bug #5458: Reject action is no longer working
* Feature #5468: ips: midstream: add "exception policy" for midstream
* Task #5475: doc: add exception policy documentation
* Feature #5479: Add landlock support
* Optimization #5481: tls: support incomplete API to replace internal buffering
* Task #5497: github-ci: update runners using ubuntu-18.04 image
* Feature #5503: ips: add "reject" action to exception policies
* Feature #5506: DHCP: signature keyword for rebinding_time
* Bug #5507: DHCP: signature keyword for renewal_time
* Bug #5508: SMB2 async responses are not matched with its request
* Feature #5509: App-layer event for protocol change failure
* Documentation #5511: userguide: add subsection about setting up Suri in IPS mode with DPDK
* Bug #5518: dcerpc: More efficient transaction handling for UDP
* Documentation #5519: userguide: update 'dsize' examples and documentation
* Bug #5521: detect: transform strip whitespace creates a 0-sized variable-length array
* Bug #5527: postgresql: limit number of live transactions
* Bug #5536: detect: flow.age keyword
* Bug #5538: Compiler Warning on Fedora 36 / gcc 12.2.1
* Documentation #5542: userguide: add section about landlock under Config hardening
* Task #5569: transversal: update references to suricata webpage version 2
* Security #5571: ips: encapsulated packet logged as dropped, but not actually dropped
* Optimization #5577: Fix warning about "comparing with null" in debug code
* Bug #5581: eve: mac address logging for packet records reverses direction
* Bug #5584: detect/tag: timeout handling issues on windows
* Optimization #5592: tunnel: spinlock for tunnel packet sync
* Bug #5595: eve/alert: SEGV in files to alert logging