# 8.0.0-beta1 06/04/2024

* Optimization #426: sid based thresholding data structure improvement
* Bug #635: Some keywords missing in list-keyword command (like 'tcp-pkt')
* Feature #845: Memory consumption in stats.log
* Feature #1005: conditional logging: controlling what gets logged
* Feature #1065: Introduce vlan id keyword
* Feature #1199: protocol: LDAP support
* Feature #1520: multitenancy - verbose output clarity
* Feature #1542: dump-config - extend into multi-detect supplied yaml configuration
* Bug #1826: Rule validation bug with fast_pattern:only and specified buffers
* Bug #1926: rule parsing: wrong content checked for fast_pattern (snort compatibility)
* Feature #1971: lua: make mandatory
* Bug #1983: tls: events are directionless and trigger twice per flow direction
* Feature #1993: commandline: introduce --enable-all-outputs switch
* Bug #2205: Buffer confusion with fast_pattern:only;
* Bug #2224: Negated http_* match returns false if buffer not populated
* Optimization #2272: Analyze DNS response if query is not present
* Feature #2290: lua: use script as transform
* Feature #2375: Design and implement sensible per-thread capabilities
* Feature #2377: deprecate: ssh.softwareversion and ssh.protoversion
* Feature #2448: Add additional buffers for DNS Responses
* Feature #2486: prefilter/fast_pattern logic for flowbits
* Documentation #2620: Documentation: tagged_packets / event_type packet
* Optimization #2621: Convert setup scripts from sh/ed/sed to Python.
* Feature #2678: list-keywords: add info about fast_pattern and transforms
* Task #2693: tracking: libsuricata
* Feature #2695: websocket support
* Feature #2696: http parser in rust
* Feature #2816: vlan: support more than 2 layers
* Bug #2881: http.protocol parsing inaccuracy : accept spaces in URI
* Bug #2886: IMAP protocol detection is incomplete
* Feature #2958: Suricata 5.0.0beta1 and way too much anomaly logging
* Feature #3003: filestore to use rename syscall instead of sendfile, which doesn't allow files to be sent across file systems
* Documentation #3015: userguide: document "tag" keyword
* Task #3153: tracking: scan-build warnings
* Task #3166: src code file reorg
* Bug #3182: warn user on wildcard usage without quotes
* Bug #3218: ssl_state does the wrong thing
* Bug #3236: missing keywords docs on some keywords when --list-keywords is called
* Task #3334: Cleanup registration of C function pointers in SuricataContext in main()
* Task #3343: tracking: developer documentation
* Feature #3351: sip: parse traffic over tcp
* Bug #3375: Tracking: file tracking/inspection performance issues
* Optimization #3427: Issue warning/info msg upon datasets of type string that are not base64
* Bug #3436: Suricata Socket Control crashing using command 'reopen-log-files'
* Feature #3446: app-layer: implement MySQL parser
* Optimization #3449: output calls fflush very often
* Feature #3487: multi-part parser in Rust
* Optimization #3540: krb5: use app-layer incomplete support
* Feature #3636: eve: configuration options to enable all, none or just a default set of outputs
* Bug #3682: bsize needs to err upon non possible matching conditions
* Task #3695: research: libhwloc for better autoconfiguration
* Optimization #3707: Convert JSON Loggers to JsonBuilder
* Documentation #3748: Add documentation for flags keyword
* Optimization #3766: Convert Stats to JsonBuilder
* Optimization #3827: clean up logging initialization code
* Task #3836: Formatting rust code
* Bug #3910: datasets: for type string the memcap isn't applied to the string data
* Feature #3952: mDNS protocol implementation
* Feature #3953: 8021BR E packet decoder
* Feature #3958: Convert protocol to Rust: ENIP
* Task #4022: Convert unittests to new FAIL/PASS API - detect-engine-address-ipv4.c
* Task #4023: Convert unittests to new FAIL/PASS API: detect-engine-address-ipv6.c
* Task #4082: Convert FTP to Rust
* Feature #4089: rules: Flexible format transform
* Task #4098: Convert SMTP to Rust
* Feature #4099: allow rule keyword registration from app-layer
* Task #4103: Plugins: Convert a "core" parser (DNS) to use the plugin API
* Task #4105: Plugins: Create template capture source plugin
* Task #4122: tracking: handle various TLS decrypt headers in proxies and decryption tools
* Bug #4135: dns: response only udp not detected as dns
* Feature #4136: use Suricata-Update managed classification.config
* Task #4143: tracking: file.data improvements
* Feature #4153: Rust parsers: Make use of Rust derive style macros to generate common code in parsers
* Feature #4174: tracking: app-layer frame inspection support
* Task #4176: plugins: review capture plugin API
* Feature #4217: not complete cmd start line does not produce explicit enough warning or msg
* Bug #4220: failed to hit a signature with option --simulate-ips
* Feature #4226: bsize: apply as depth to patterns
* Documentation #4350: Devguide: transaction handling logic
* Documentation #4352: Devguide: Debugging Basics - pcap_cnt
* Task #4429: libsuricata: Use cases with examples
* Bug #4482: detect: detect events not in rules, not tested (and not working?)
* Optimization #4490: rust: see if we can use SuricataStreamingBufferConfig
* Optimization #4517: cbindgen export the constants from Rust to C, also for macro such as BIT_U8(1), and remove duplicate definitions between rust and C
* Bug #4522: Rules with stream_size greater than not working
* Documentation #4557: Add document about JsonBuilder
* Feature #4566: pgsql: add subprotocol-states
* Bug #4571: Unable to trigger rule by content in case of IPv4 in IPv4 encapsulation
* Documentation #4658: Add/improve documentation for pcre substring capture logging
* Feature #4660: base64_decode cannot be used with Transformations like pcrexform
* Task #4683: detect: remove sigmatch_table in favor of a dynamic storage option
* Task #4698: Example program to bootstrap Suricata (an alternate main() for Suricata)
* Bug #4702: SYN/ACK dropped when client does not support tcp timestamps
* Task #4704: unix-socket: separate functionality from the unix socket interface
* Documentation #4705: userguide: add sections about frame support
* Documentation #4706: Guide for rulewriting
* Task #4707: detect: unify internal buffer names to use . naming
* Documentation #4708: DevGuide: Add Eve Output Plugins
* Documentation #4709: Add page about analyzing Suricata performance
* Bug #4734: pfring: memory leak
* Task #4742: Make the auto-generated config.h not conflict with other config.h.
* Optimization #4747: app-layer: make tx iterator a mandatory part of the API
* Optimization #4753: Fix inconsistency in Lua functions for the "needs" key
* Task #4772: tracking: parity between fields logged and fields available for detection
* Task #4773: research: IPS behavior wrt resource limits
* Feature #4776: lua: vendor latest lua stable
* Feature #4777: lua: implement sandboxing
* Bug #4786: xbits: no error on invalid 'expire' values
* Task #4799: af-packet: review iface up/down logic
* Optimization #4809: stats: human readable sizes in the stats.log
* Bug #4815: unix socket: ftp memcap missing from socket commands
* Feature #4853: eve: Add information about Suricata version
* Feature #4854: pgsql: Add COPY subprotocol-state
* Feature #4855: rules: refactor rule parsing into multi-stage parser
* Feature #4861: smb: support multi-stream file transfers
* Bug #4873: smb: midstream probing check affects performance
* Feature #4876: Additional FTP Buffers
* Bug #4898: detect: Ensure detection events are logged
* Feature #4904: dcerpc: add stream app-layer records support
* Feature #4905: smtp: add stream app-layer frame support
* Feature #4906: ftp: add stream app-layer frame support
* Feature #4910: dpdk: implement secondary mode
* Bug #4917: tls: leading GAP in toserver direction leads to various issues
* Task #4919: Add option to change sensor-name log field
* Bug #4921: detect/app-layer-protocol: unexpected results when one direction state "failed"
* Task #4936: Use Rust to parse unix socket messages
* Optimization #4937: Convert Rule Profile JSON output to JsonBuilder
* Feature #4946: nfsv2: implement WRITE support
* Optimization #4950: Code improvement in KRB5State.parse function
* Documentation #4980: doc/frames: document frame rule keyword
* Feature #4986: postgresql: support frames
* Optimization #4987: frames: unify handling of getting frame data, flags
* Feature #4990: eve/frames: make payload logging configurable
* Documentation #5008: userguide: add a protocol chart listing defaults
* Feature #5029: eve: telnet logger
* Bug #5031: flowbits - no error on invalid options
* Bug #5037: invalid timestamp in ending events
* Optimization #5047: sip: implement pattern based protocol detection
* Feature #5049: detect/frames: allow mixing with txs
* Task #5050: rules/frames: settle on rule syntax
* Task #5053: app-layer: dynamic alproto IDs
* Documentation #5068: nfs: document rule keyword
* Feature #5075: smb: keyword for the SMB version
* Bug #5076: keyword content does not work over reassembled TCP
* Documentation #5078: suricata config reload: improve documentation on behavior
* Feature #5082: smb: keyword for matching the SMB files
* Documentation #5088: file.name sticky buffer is not documented
* Documentation #5138: userguide: add a section for fileinfo eve type
* Documentation #5139: userguide: add a section for netflow event type
* Bug #5165: http: request not logged when response comes before request
* Bug #5177: detect/engine-analyzer: rule analyzer warns about http buffers usage/replacement even when using new keyword
* Optimization #5180: detect/alert: make sure that signatures with `drop` action are respected, even if the alert is discarded
* Task #5181: detect/engine-analyzer: add rule analyzer warnings about rules that could use the frame keyword/semantics/feature
* Feature #5194: tracking: options for simulating various exceptions
* Bug #5196: Suricata test mode should fail when there are invalid config values
* Feature #5203: dpdk: implement primary app for Suricata secondary mode
* Optimization #5207: Common Rust parser for *bits
* Feature #5217: ips: allow dropping of flow if applayer specific memcap is hit
* Bug #5220: fast_pattern specification in base64_data shouldn't be allowed
* Feature #5234: SSL/TLS Sticky Buffer for subjectAltName
* Documentation #5274: devguide: document how the alert flow works
* Feature #5286: ips: allow dropping of packet/flow when alert queue exceeded
* Optimization #5311: ftp: use unsigned integer for input_len
* Documentation #5393: devguide: move github workflow document from redmine into devguide
* Feature #5415: tftp: support keywords such as file.name, file.data etc...
* Feature #5446: allow ranges in dns.opcode value
* Documentation #5449: userguide: document how suricata processes rules internally
* Documentation #5465: doc/userguide: document terminating behavior of rule actions
* Feature #5466: detect: allow alert-then-pass logic
* Task #5472: tracking: upgrading from 7 to 8
* Optimization #5476: decoder: compact & flexible storage of decoder data in the packet
* Bug #5486: Ethernet metadata is missing for some protocols or parts of a protocol
* Feature #5489: research: multi version rules; or version dependent rules
* Documentation #5494: userguide: update tls eve-log fields 'not_before' and 'not_after'
* Feature #5495: implement grace period for midstream exception policy
* Task #5510: stream (midstream): investigate - Suri drops flow but still logs second packet of the flow
* Documentation #5513: userguide: add a chapter for IPS mode
* Optimization #5517: decode: big clean up (macros and functions)
* Bug #5524: PGSQL parser should not error on parsing error, so as to keep on parsing the next PDUs
* Documentation #5531: userguide: ensure documentation is up to date
* Documentation #5532: userguide: have a section to mention and document the various ways stream-depth can be set
* Documentation #5534: userguide: better document what TCP midstreams are for Suricata
* Bug #5539: landlock: coverity warnings
* Documentation #5543: userguide: document which keywords accept the prefilter keyword
* Optimization #5545: prefilter keyword: increase code coverage
* Documentation #5554: userguide: document behavior for actions like PASS, DROP, REJECT, BYPASS...
* Task #5560: dpdk: Design a test-case for Suricata running as a secondary process
* Optimization #5566: pgsql: add events
* Documentation #5575: docs: bring 'reporting bugs page' into userguide and update it
* Optimization #5583: output: iface shortening more compact
* Task #5588: ips/tap: don't allow mixed tap and ips modes
* Task #5610: tracking: new protocol: telnet
* Documentation #5612: devguide: add a chapter about Suricata's exception policies
* Task #5626: doc: document file.data
* Feature #5642: DNS: parity between log fields and detection
* Documentation #5651: bsize: format should specify operators
* Feature #5664: "Scope" bits should have an expiration
* Feature #5665: rules: bidirectional transaction matching
* Optimization #5672: smb: avoid unbounded hash maps
* Task #5682: tracking: smb performance issues
* Bug #5689: community id computed wrong for tcp and ipv4 when src_ip == dest_ip
* Documentation #5690: Document the differences between IPS and IDS mode.
* Feature #5692: Add brotli content encoding to HTTP/1.1
* Optimization #5699: dcerpc: switch to incomplete api for tcp
* Bug #5711: runmodes: Suricata does not hint anything about missing runmode
* Feature #5726: ike: add frame support
* Feature #5737: smtp body extract
* Feature #5773: Support DNS over HTTPS (DoH)
* Feature #5775: http.headers - dynamic sticky buffers
* Optimization #5785: smb: use u32.to_be_bytes to replace function u32_as_bytes
* Optimization #5787: detect/filestore: optimize http tx handling
* Optimization #5801: filemagic keywords: increase code coverage and update documentation (if need be)
* Feature #5816: Exception policy stats counters
* Feature #5826: frames: logging of events set on frames
* Task #5827: [investigate] output/drop: make `drop reason` more informative
* Documentation #5829: userguide: add context on "why/when an exception policy is applied"
* Documentation #5830: userguide: update & improve exception policy section
* Feature #5838: dpdk: NIC encapsulation stripping
* Feature #5839: dpdk: power saving mode
* Task #5840: dpdk: Design test cases for DPDK capture interface
* Documentation #5842: userguide: bring session about Suricata installation from Ubuntu PPA
* Feature #5845: smb: Support SMB_COM_SESSION_SETUP_ANDX Request
* Documentation #5869: userguide: describe what are the delta stats counters
* Documentation #5891: userguide: explain different log save directory in offline mode
* Documentation #5897: devguide: add section on generating code coverage reports locally
* Documentation #5910: devguide: explain possible differences in data inspection with inline stream or not
* Documentation #5911: userguide: update & bring guide for installation on Windows to RtD
* Security #5921: http1: configurable limit for maximum number of live transactions per flow
* Security #5926: http2: evasion by splitting header fields over frames
* Feature #5972: rules: "requires" keyword representing the minimum version of suricata to support the rule
* Feature #5973: warn when HTTP rules will only work for a specific version of HTTP
* Feature #5974: Midstream exception policy "reject-both" support
* Feature #5976: eve/stats: allow hiding counters whose value is 0
* Bug #5977: eve/alert: missing KRB5 metadata
* Optimization #6001: investigate: optional/configurable stats log verbosity
* Optimization #6002: stats/exception: allow configuring verbosity via unix socket
* Feature #6012: dpdk: add support for segmented mbufs
* Documentation #6022: devguide: explain how the engine identifies applayer protocols
* Documentation #6026: userguide/suricata-yaml: update image on threading
* Task #6028: c: C11 _s style buffer handling calls
* Task #6029: c: require C11
* Documentation #6030: devguide: expand Suricata Internals chapter
* Task #6050: base64: make a fuzz target
* Documentation #6058: doc/configuration: clarify sig_id & gid_id for global threshold
* Optimization #6061: cmdline: make --list-runmodes output friendlier
* Documentation #6069: userguide/install: move RPM distros to their own page
* Documentation #6076: eve/schema: document quic
* Documentation #6078: eve/schema: document pgsql
* Feature #6079: eve/dcerpc: eve/smb: log dcerpc uuid with request/response txs
* Bug #6080: pgsql/probe: TCP on 5432 traffic incorrectly tagged as PGSQL
* Task #6084: output/alert: enable logging `PASS` alerts
* Bug #6092: eve/alert: missing pgsql metadata
* Task #6107: Convert unittests to new FAIL/PASS API - util-memcmp.c
* Optimization #6111: defrag: avoid passing null pointers to functions
* Feature #6114: dpdk: wrap DPDK logs in a Suricata logger
* Feature #6164: detect: new keyword flow.pkts_toclient to server and bytes as well
* Documentation #6180: userguide: add troubleshooting section
* Bug #6186: Integer overflows 64 to 32 bytes
* Security #6187: DetectEngineReload: handle allocation failures
* Optimization #6188: ConfYamlLoadString: handle allocation failures
* Task #6209: libhtp 0.5.46
* Feature #6210: outputs: add verdict event type
* Feature #6215: Exception policy log output
* Task #6217: research: increased tcp.overlap after file data changes
* Documentation #6219: userguide: add page about different usecases
* Optimization #6225: exception: standardize log message about set-up value
* Feature #6237: Multi-tenancy: Allow inner VLAN to be selected
* Documentation #6252: userguide/install: move Ubuntu distros to their own page
* Bug #6254: Error: threads: thread "FB" failed to start in time: flags 0003
* Task #6258: misc: clean-up commented out code
* Feature #6259: pgsql: add `query` detection keyword
* Feature #6260: Support flow matching excluding packet recursion level
* Feature #6261: Add GRE as a parsible protocol
* Task #6262: tracking: reduce stack usage
* Documentation #6270: userguide: document usage of Suricata as a firewall
* Task #6273: misc: clean up left over printf calls
* Bug #6275: fail af_xdp at configure time when libxdp is missing?
* Bug #6280: base64: don't accept = in the middle of a string
* Bug #6281: dns: structure of query differs between "alert" and "dns" event types
* Documentation #6284: userguide: document what's the impact of `stream.inline`
* Feature #6290: support case insensitive testing of HTTP header name existence
* Bug #6291: Performance degradation on Suricata devices with a small number of rules
* Feature #6293: Support disabling forced flow reuse in low memory conditions
* Security #6299: mqtt pcap with anomalies takes too long to process because of app-layer-event detection
* Bug #6304: schema.json : if protocol such as ENIP is detection only, we do not have _tcp suffix in stats
* Bug #6305: drop: assertion failed !(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP)
* Task #6308: detect/analyzer: add more keyword details
* Task #6309: detect/analyzer: add more details for the flowbits keyword
* Task #6310: detect/analyzer: add more details for the ttl keyword
* Task #6311: detect/analyzer: add more details for the flowint keyword
* Task #6312: detect/analyzer: add more details for the flow.age keyword
* Task #6314: Convert unittests to new FAIL/PASS API - tests/detect-http-client-body.c
* Task #6315: Convert unittests to new FAIL/PASS API - ippair-storage.c
* Task #6316: Convert unittests to new FAIL/PASS API - app-layer-detect-proto.c
* Task #6317: Convert unittests to new FAIL/PASS API - detect-filestore.c
* Task #6318: Convert unittests to new FAIL/PASS API - detect-engine-address-ipv4.c
* Task #6319: Convert unittests to new FAIL/PASS API - util-bloomfilter.c
* Task #6320: Convert unittests to new FAIL/PASS API - detect-base64-data.c
* Task #6321: Convert unittests to new FAIL/PASS API - decode-raw.c
* Task #6322: Convert unittests to new FAIL/PASS API - util-pool.c
* Task #6323: Convert unittests to new FAIL/PASS API - ippair-bit.c
* Task #6324: Convert unittests to new FAIL/PASS API - stream-tcp-reassemble.c
* Task #6325: Convert unittests to new FAIL/PASS API - detect-urilen.c
* Task #6326: Convert unittests to new FAIL/PASS API - detect-ssh-software-version.c
* Task #6327: Convert unittests to new FAIL/PASS API - threads.c
* Task #6330: Convert unittests to new FAIL/PASS API - tests/stream-tcp-list.c
* Task #6331: Convert unittests to new FAIL/PASS API - util-bloomfilter-counting.c
* Task #6333: Convert unittests to new FAIL/PASS API - util-rule-vars.c
* Task #6334: Convert unittests to new FAIL/PASS API - util-spm.c
* Task #6335: Convert unittests to new FAIL/PASS API - decode-tcp.c
* Task #6336: Convert unittests to new FAIL/PASS API - tests/detect-http-stat-code.c
* Task #6338: Convert unittests to new FAIL/PASS API - tests/detect-http-stat-msg.c
* Task #6340: Convert unittests to new FAIL/PASS API - tests/detect-http-method.c
* Task #6341: Convert unittests to new FAIL/PASS API - decode-ethernet.c
* Task #6343: Convert unittests to new FAIL/PASS API - tests/stream-tcp.c
* Task #6344: Convert unittests to new FAIL/PASS API - detect-pcre.c
* Task #6346: Convert unittests to new FAIL/PASS API - detect-engine-dcepayload.c
* Bug #6347: log-pcap: crash with suricata.yaml setting max-file to 1
* Task #6350: detect/analyzer: add more details for the tcp.flags keyword
* Task #6351: detect/analyzer: add more details for the xbits keyword
* Task #6352: detect/analyzer: add more details for the tcp window keyword
* Task #6353: detect/analyzer: add more details for the tcp seq keyword
* Task #6354: detect/analyzer: add more details for the tcp ack keyword
* Task #6355: detect/analyzer: add more details for the tcp.mss keyword
* Task #6356: detect/analyzer: add more details for the tcp.hdr keyword
* Task #6357: detect/analyzer: add more details for the dsize keyword
* Task #6358: detect/analyzer: add more details for the ICMP itype keyword
* Task #6359: detect/analyzer: add more details for the ICMP icode keyword
* Task #6360: detect/analyzer: add more details for the icmp_id keyword
* Documentation #6361: userguide: add note about severity<-> priority on alert section
* Feature #6366: pop3 protocol detection
* Feature #6368: stream/midstream: wscale setting
* Documentation #6369: stream: document stream.3whs_syn_flood and stream.3whs_synack_flood
* Bug #6370: plugins: install libsuricata-config by default, or with headers
* Feature #6374: Sticky buffers for sip headers
* Bug #6376: Huge increase on Suricata load time with a lot of ip-only rules and bigger HOME_NET
* Feature #6379: JA4 support for TLS and QUIC
* Task #6382: Add DPDK 23.11 build to Github Actions
* Optimization #6387: mqtt: move parser registration code to the rust side
* Bug #6389: pgsql: u16 overflow found by oss-fuzz w/ quadfuzz
* Bug #6390: file: do not store if filestore:both,flow is triggered after the file was set to nostore
* Bug #6393: detect/filestore: be more explicit about the U16_MAX limit per signature group head
* Bug #6394: Sudden increase in capture.kernel_drops and tcp.pkt_on_wrong_thread after upgrading to 6.0.14
* Feature #6396: Add protocol string support for mqtt
* Bug #6398: Suricata 7.0.1 threads object in stats contains memcap_pressure scalars
* Feature #6399: Per-thread stats values can be negative
* Bug #6400: log of DNS answer is in wrong direction
* Bug #6405: Ethernet src should match src ip
* Documentation #6406: userguide: remove ambiguous "we" usages
* Bug #6408: Output plugins receive identifier, but not thread identifier
* Feature #6410: Log packets/bytes per second in Suricata stats
* Security #6411: pgsql: quadratic complexity leads to over consumption of memory
* Documentation #6412: devguide: API upgrade notes
* Bug #6414: detect-engine/port: recursive DetectPortInsert calls are expensive
* Bug #6415: http.header, http.header.raw and http.request_header buffers not populated when malformed header value exists
* Bug #6418: detect/engine-analyzer: rule parser error uses outdated buffer
* Bug #6419: dpdk: Analyze hugepage allocation on startup more thoroughly
* Feature #6422: dpdk: expand on DPDK allocation hints
* Bug #6424: HTTP/2 - http.host behavior when both :authority pseudo header and host header are present
* Feature #6426: HTTP/2 - app-layer-event and normalization when userinfo is in the :authority pseudo header for the http.host header
* Task #6427: runmodes: remove reference to auto modes
* Task #6432: tracking: autofp capture stalls due to packetpool depletion
* Optimization #6433: packetpool: improve return sync logic
* Documentation #6434: eve/schema: document stats
* Feature #6439: New Transformation: to_lowercase
* Security #6441: detect: heap use after free with http.request_header keyword
* Documentation #6442: rtd: indicate that a page is for an outdated version
* Security #6444: http1: quadratic complexity from infinite folded headers
* Documentation #6445: userguide: explain what flow_id is
* Documentation #6450: userguide: add section about sshhash
* Documentation #6451: userguide: update 'what is suricata' section
* Documentation #6452: userguide/ftp: clarify usage around ftp and ftp.data keyword
* Optimization #6454: Force os to release memory on rule reload
* Feature #6455: txbits: support for new type of bits
* Feature #6459: filebits: support for new type of bits
* Task #6474: detect: smtp body inspection keyword
* Security #6477: SMTP: quadratic complexity from unbounded number of transaction per flow
* Documentation #6478: schema: add missing fields
* Feature #6480: plugins: allow plugins to specify the version of suricata they are for
* Security #6481: http2: quadratic complexity in find_or_create_tx not bounded by max-tx
* Bug #6483: http.request_headers - odd behavior with multiple signatures
* Documentation #6484: userguide: add keyword performance results
* Task #6485: [investigate] Scoring method for keywords and transforms
* Documentation #6486: userguide: explain pkt_on_wrong_thread counter
* Feature #6487: transform: from_base64
* Task #6488: plugins: add example plugins to the suricata source tree
* Task #6489: test/stream/tcp-list: fix unittests
* Documentation #6492: doc: explain how FTP works
* Documentation #6495: userguide: add section on SMTP event type
* Feature #6496: dns: new detection buffer: dns.answer.name
* Feature #6497: dns: new detection buffer: dns.query.name
* Documentation #6498: userguide/output: add section about fileinfo
* Bug #6499: tcp.active_sessions and flow.active count will never reduce when using trex
* Bug #6500: eve/alert: missing FTP metadata
* Bug #6501: eve/alert: missing TFTP metadata
* Optimization #6502: schema: avoid - and . in keys
* Bug #6527: cppcheck 2.11 errors
* Task #6542: logging: deprecate tls-log
* Task #6543: logging: deprecate http-log
* Task #6544: logging: deprecate syslog
* Task #6545: tls-store: unify with file-store
* Feature #6546: transformation - strip_pseudo_headers
* Bug #6547: HTTP/2 - http.response_line has leading space
* Feature #6550: Capability to have rules profiling on pcap run
* Bug #6551: Invalid registration of prefiltering in stream size
* Documentation #6552: doc: add tcp timeout fix to upgrade guide
* Bug #6553: eve/alert: payload/payload_printable misrepresent data in case of overlaps
* Documentation #6566: userguide: add description for missing EVE krb fields
* Documentation #6568: devguide: document backports policies and process
* Optimization #6569: threading: fix condition signalling w/o taking lock first
* Documentation #6570: remove references in docs mentioning prehistoric Suricata versions
* Optimization #6572: runmodes: fix `--list-runmodes` output
* Task #6573: rust: set new minimum Rust version for Suricata 8
* Bug #6574: detect/filestore: memory leak on rule parsing
* Optimization #6575: detect/multi-buffer: use single definition of struct PrefilterMpmKrb5Name
* Task #6576: pgsql: log identifier for unknown messages?
* Task #6577: pgsql: add cancel request message
* Bug #6578: ssh: no alert on packet with Message Code: New Keys (21)
* Bug #6584: SCTIME_ADD_SECS() macro zeros out ts.usec part
* Bug #6585: SCTIME_FROM_TIMESPEC() creates incorrect timestamps
* Task #6586: mpm/ac-bs: remove implementation
* Documentation #6589: docs: fix broken bulleted list style on rtd
* Bug #6592: mqtt: frames on TCP are not set properly when parsing multiple PDUs in one go
* Task #6597: rules keyword/output parity: improve
* Documentation #6599: docs: update eBPF installation instructions
* Task #6603: pgsql: don't log password msg if password disabled
* Task #6605: flash decompression: update/remove deprecation warnings
* Bug #6615: detect/analyzer: misrepresenting negative distance value
* Bug #6617: detect/filestore: flow, to_server was broken by moving files into transactions
* Bug #6618: Endace: timestamp fixes
* Bug #6619: Profiling takes much longer to run than it used to
* Feature #6621: dns: add keyword for dns rcode: dns.rcode
* Feature #6624: http/2: event on :authority vs Host header mismatch
* Documentation #6626: devguide: add instructions for MacOS setup
* Feature #6627: SDP protocol: parser and logger
* Documentation #6628: userguide: document generic aspects of integer keywords
* Documentation #6629: Fix byte_test examples
* Bug #6633: stats: flows with a detection-only alproto not accounted in this protocol
* Feature #6637: requires: add skipped rules to stats
* Bug #6643: http: wrongly assuming http0.9 leads to missed headers
* Feature #6644: tracking: detect: integer as first-class support
* Feature #6645: detect: integer parsed with hexadecimal notation
* Feature #6646: detect: integer: support negated ranges
* Feature #6647: detect: integers: support for enumerations
* Feature #6648: detect: integer: support bitmasks
* Bug #6652: Configuration values trigger error instead of warning messages
* Bug #6656: detect/requires: assertion failed !(ret == -4)
* Bug #6661: content-inspect: FN on negative distance
* Bug #6664: eve/smtp: attachment filenames not logged
* Feature #6666: dns: add keyword for dns rrtype: dns.rrtype
* Bug #6667: Compiler warning with --enable-dag
* Security #6668: ip defrag: final overlapping packet can lead to "hole" in re-assembled data
* Security #6669: ip defrag: re-assembly error in bsd policy
* Security #6675: ip-defrag: packet can be considered complete even with holes
* Bug #6678: datasets: discard datasets that hit the memcap while loading correctly
* Task #6684: pcap-log: remove sguil mode
* Documentation #6685: userguide: explain noalert keyword
* Documentation #6686: docs: port userguide build instruction changes from master-6.0.x
* Feature #6695: tls: log extensions
* Optimization #6702: streaming-buffer: Explore Rank Balanced trees
* Optimization #6703: detect-engine/port: Explore Rank Balanced trees for post grouping uses
* Optimization #6704: CI: expand check for pcapng; also check `-nanosecond`
* Task #6705: build-info: remove obsolete "rust support" line
* Documentation #6708: userguide/payload: fix explanation about bsize ranges
* Bug #6710: rules: failed rules after a skipped rule are recorded as skipped, not failed
* Task #6712: remove completely nss
* Bug #6715: dpdk: NUMA warning on non-NUMA system
* Optimization #6718: detect/frames: avoid rescanning in IPS mode
* Documentation #6725: document pcap file variables
* Bug #6726: stream: stream.drop-invalid drops valid traffic
* Optimization #6728: detect: prefilter for app-layer-event
* Feature #6729: websockets: support over HTTP/2
* Bug #6732: Suricata 7.0.2 parent interface object in stats contains VLAN-ID as keys
* Bug #6733: tcp: tcp flow flags changing incorrectly when ruleset contains content matching
* Bug #6737: dpdk: property configuration can lead to integer overflow
* Feature #6739: dpdk: warn the user if user-settings are adjusted to the device capabilities
* Bug #6741: dpdk: automatic cache calculation is broken
* Bug #6743: stream/tcp: spurious retransmission seen as invalid
* Bug #6744: tcp: fast open packet not fully handled
* Bug #6745: util/mime: Memory leak at util-decode-mime.c:MimeDecInitParser
* Task #6748: doc: mention X710 RX descriptor limitation
* Bug #6750: dpdk: examine the functionality of multiple parallel-running DPDK Suricata processes
* Bug #6753: detect/cip: missing return-value check for a 'scanf'-like function
* Bug #6755: Netmap: deadlock if netmap_open fails
* Security #6757: libhtp: quadratic complexity checking after request line missing protocol
* Bug #6760: Hugepages Error for ARM64 and af-packet IPS mode
* Bug #6762: Hugepages Error for FreeBSD when kernel NUMA build option is not enabled
* Bug #6766: multi-tenancy: dead lock during tenant loading
* Task #6769: libhtp 0.5.47
* Optimization #6773: app-layer/template: no limit on txs number
* Optimization #6775: detect: do not run tx detection on tcp non established packets
* Bug #6776: exception/policy: bypass flow incorrect applied?
* Bug #6778: detect/tls.certs: direction flag checked against wrong field
* Documentation #6781: http keywords lacking information about values from duplicate headers being concatenated
* Bug #6787: decode/pppoe: Suspicious pointer scaling
* Feature #6788: Decouple stream.bypass dependency from TLS encrypted bypass
* Bug #6790: dpdk: evaluate the correct handling of DPDK ports on shutdown
* Optimization #6792: detect/port: port grouping is quite slow in worst cases
* Optimization #6795: detect/port: PortGroupWhitelist fn takes a lot of processing time
* Security #6796: output/filestore: slowdown because of running OutputTxLog on useless packets
* Security #6799: ssh: quadratic complexity in overlong banner
* Feature #6805: cpu-affinity: enhance CPU affinity logic with per-interface NUMA preferences
* Bug #6811: capture plugins: capture plugins unusable due to initialization order
* Task #6814: libsuricata: opt-in signal handling
* Task #6817: rust: kerberos-parser 0.8.0
* Task #6818: rust: snmp-parser 0.10.0
* Task #6819: tracking: rust: update dependencies for 8
* Bug #6820: libhtp: compile warning if libhtp is bundled
* Optimization #6821: smtp: add 535 code
* Feature #6822: threshold: support tracking by flow
* Feature #6827: arp: implement decoder and logger
* Bug #6834: iprep: rule with '=,0' can't match
* Bug #6835: BUG_ON triggered from TmThreadsInjectFlowById
* Bug #6837: Error message from netmap when using Netmap pipes (with lb)
* Bug #6838: eve/filetypes: move from plugin api to eve api
* Bug #6839: coverity: warning in port grouping code
* Documentation #6840: devguide/app-layer: section with conceptualized steps for adding parser
* Bug #6843: detect/port: port ranges are incorrect when a port is single as well as a part of range
* Task #6849: brainstorm: should certain output types be removed (eg syslog)
* Optimization #6852: mpm/ac: support endswith
* Feature #6856: http: anomaly when request line is missing protocol
* Bug #6861: Lightweight rules profiling: crash when profiling ends
* Bug #6864: Detect: ipopts keyword misfires
* Bug #6865: BUG_ON triggered from AdjustToAcked
* Security #6866: eve: excessive ssh long banner logging
* Bug #6871: dpdk: fix compatibility issues for ice cards
* Optimization #6873: Convert byte_extract keyword/option parsing to Rust
* Bug #6875: output/alert: assertion failed p->flow != NULL
* Bug #6877: Suricata 8 general protection fault ip:698117 sp:7fd537b08090
* Bug #6881: detect/port: port grouping does not happen correctly if gap between a single and range port
* Bug #6883: rust: clippy 1.77 warning
* Bug #6887: defrag: reassembled packet can have wrong datatype
* Task #6888: Remove obsolete items from contrib
* Bug #6891: sip: usage of Vec instead of Vecdeque leads to quadratic complexity on cleanup
* Security #6892: http2: oom on copying compressed headers
* Bug #6896: detect/port: upper boundary ports are not correctly handled
* Security #6900: http2: timeout logging headers
* Security #6902: base64: off-by-three overflow in DecodeBase64()
* Bug #6903: streaming buffer: heap overflows in StreamingBufferAppend()/StreamingBufferAppendNoTrack()
* Bug #6904: mime: buffer overflow in GetFullValue() (util-decode-mime.c)
* Bug #6906: smtp/mime: data command rejected by pipelining server does not reset data mode
* Documentation #6908: userguide: document how to verify tar.gz signature
* Documentation #6911: manpages: use consistent date based on release and/or git commits
* Bug #6913: reimplement systemd sd_notify w/o linking to libsystemd
* Task #6917: [investigate] exceptions: are drop reasons unique to policies?
* Bug #6918: pcre2 compile warning
* Bug #6921: jsonbuilder: serializes Rust f64 NaNs to an invalid literal
* Feature #6927: dpdk: add unit tests for threading and mempool cache size functions
* Task #6929: eve/stats: hide zero-values for counters individually
* Task #6935: Convert unittests to new FAIL/PASS API - src/app-layer-htp.c
* Feature #6936: landlock: enable by default
* Optimization #6937: compile: make code clean with -Wunused-macros
* Optimization #6938: packet: optimize packet data storage
* Feature #6939: lua: increment stat when a lua rule exhausts its instruction count
* Bug #6940: lua: handle errors in lua rules
* Task #6941: lua: review and document lua rule return types
* Bug #6942: decode/ppp: decoder.event.ppp.wrong_type on valid packet
* Feature #6943: pcap: datalink type 229 not (yet) supported in module PcapFile
* Bug #6948: detect/http.response_body: false positive because not enforcing direction to_client
* Task #6951: tracking: nfs performance issues
* Documentation #6955: devguide: update coding-style docs
* Bug #6956: mqtt: create PDU frames without regard to the parsing function
* Bug #6957: Assert: BUG_ON(id <= 0 || id > (int)thread_store.threads_size);
* Bug #6959: improve handling of content encoding: gzip but request_body not actually compressed
* Optimization #6960: fuzz: target to test signatures compatibility
* Task #6961: lua create: use a rust crate to vendor lua
* Task #6962: yaml: unify 0 stats counter config option terminology
* Bug #6964: base64: consumed bytes are incorrectly set for different modes
* Task #6965: libhtp 0.5.48
* Feature #6967: multi-tenancy: support thresholding per tenant
* Bug #6971: defrag: default policy is inconsistent
* Bug #6976: flow/action: not always updated?
* Bug #6981: dpdk: compiler warnings
* Bug #6983: alert/metadata: no pgsql object encapsulation
* Bug #6984: mqtt: do not log non-string messages?
* Bug #6985: base64: coverity dead code warning
* Bug #6989: tls.random buffers don't work as expected
* Bug #6994: sip/sdp: logger closes unopened array for empty medias
* Feature #6996: add transformation to keyword performance stats
* Documentation #6998: userguide: add info on how to generate rule-profiling
* Feature #6999: output/json: enrich EVE w/ libmaxminddb geoip info
* Bug #7000: pgsql: partially incorrect tx_id tracking
* Optimization #7002: detect: move pseudo packet checks out of keyword Match funcs
* Bug #7013: rust: build with rust 1.78 with slice::from_raw_parts now requiring the pointer to be non-null