# TBD

To be determined -- place holder for tickets that are not prioritized/scheduled yet

* Feature #121: Alert on domain name look up, capture traffic for corresponding IP
* Feature #249: Configure host-os-policy from a file, like snorts host_attribute.xml
* Feature #266: log http raw request for network forensic
* Feature #273: IRC protocol detection support
* Feature #276: Libcap support for dropping privileges
* Feature #294: Limit inspection of a stream and/or rule...
* Bug #317: Invalid Rules
* Feature #328: Traceability and QA with regards to rules loaded
* Feature #365: expose interface(unix socket command) to reset tcp connection
* Bug #376: Windows - Failure when trying to get MTU
* Feature #385: Configuration option to log all known (pcap) data for a stream when an alert fires
* Feature #425: Inspect the effects of mixing threshold and detection filters etc..
* Feature #432: PCAP-NG support
* Bug #437: filemagic / libmagic inconsistent between releases
* Feature #448: dlp: md5sum based on part of files
* Feature #465: benchmark runmode
* Feature #473: pcap log: alert log with packet indexes
* Bug #500: duplicate values in host-os-policy not detected
* Feature #511: Port indepedent protocol identification (nDPI)
* Feature #535: new keywords - time , day
* Optimization #536: share ctx for filemd5 keyword if identical files are used
* Feature #544: Live traffic decryption
* Feature #547: libinjection -- sqli library
* Optimization #548: Use bloomfilter for filemd5
* Optimization #551: Replace SCLogError by a counter for memory issue and other memcap
* Optimization #569: display syntax requirement on keyword parsing error
* Task #570: tracking: memory fragmentation
* Optimization #573: reduce allocs in signature parsing
* Feature #584: lua: expose file buffers
* Documentation #595: document csum keywords
* Feature #596: rule profiling: multiple outputs per run
* Feature #609: Active Response in inline mode (like react in snort 2.9+)
* Optimization #614: Rate limiting messages
* Feature #659: Update IP reputation from unix socket.
* Feature #682: Add DEP and ASLR to Windows Binary
* Bug #705: http.log missing lots of requests under high traffic load
* Bug #708: Flow vars issue in pcap file mode
* Feature #716: configurable packet_stats.csv and packet_stats.log
* Optimization #721: full nfq zero copy mode
* Feature #728: Add support for OpenCL
* Feature #745: Tunnel configuration
* Bug #747: Reset async flag if stream is found to be non-async
* Feature #776: rules: Add smtp_envelope and smtp_header keywords
* Bug #778: ipv6 addr with nat64 notation
* Feature #783: LuaJIT be able to return various messages for a single script.
* Bug #786: Windows - yaml directory paths
* Optimization #795: stream: use pool instead of direct SACK record allocs
* Optimization #808: Support the new GSO-avoidance NFQ feature
* Feature #816: TCP SACK: limits per stream
* Feature #821: conditional logging: output steering
* Feature #843: Custom http logging filter functionality
* Bug #849: Not alerting on invalid http request Content-Length
* Bug #868: Makefile[.in] doesn't use its own INSTALL variable definition
* Feature #870: luajit: global vars
* Feature #880: memcap http parser
* Feature #902: VLAN host table support
* Optimization #923: memcap value in suricata.yaml : erroring if config value is bigger than what is available
* Bug #924: missing space between variable and value in suricata.yaml
* Feature #933: add a IPv6 ( RFC2460 recommended order of EH )rule to decoder events rules
* Feature #936: support tzsp protocol
* Optimization #945: remove useless includes
* Feature #960: persistent TCP resets
* Bug #992: Different alerts reported when reading from pcap file with runmode=single and runmode=autofp
* Feature #1002: Possible to disabling/bypassing a rule by a specific source ip and a destination ip?
* Feature #1015: add chained content info to rule analysis
* Feature #1025: seperate #ifdef UNITTEST code into their own files
* Optimization #1046: replace pcre_get_substring with pcre_copy_substring
* Bug #1083: pfring: valgrind: Syscall param socketcall.setsockopt(optval) points to uninitialised byte(s)
* Bug #1084: pfring: valgrind: memory leak at exit in bpf filter
* Optimization #1094: Special check for first character of buffer
* Feature #1095: Integration of support for STIX-based indicators
* Feature #1125: smtp: improve protocol detection
* Feature #1132: set rpath for libs not in the default linker paths
* Feature #1140: IP-Address white list implementation for IPS mode (without disable a rule global)
* Bug #1152: Write to ipfw divert socket failed: Message too long
* Optimization #1188: Don't use iface name in GetIfaceMaxHWHeaderLength
* Feature #1191: EVE log does not support customformat
* Feature #1194: Implement http_args keyword to match http arguments - query string or body
* Feature #1215: journald logging support
* Optimization #1222: Boyer Moore content not shared between same content
* Documentation #1233: Documentation for each keyword in stats.log file.
* Feature #1234: nfqueue: use mnl API
* Feature #1239: Best effort TCP stack
* Feature #1245: Add "drop-only" and "alert-only" option for pcap-log
* Bug #1247: Using suppress in threshold.config does not prevent dropping
* Feature #1250: protocol: Multipath TCP (mptcp)
* Feature #1290: handle SIGHUP signal
* Feature #1300: profiling: per flow recording of profiling data
* Optimization #1313: All Free functions should correctly handle NULL pointers
* Feature #1323: automated eve.json rotation
* Feature #1348: OOBE -6- increasing max-pending-packets default value
* Bug #1370: sctp fp on suricata engine
* Feature #1380: JSON and Unified2 output "payload" does not contain full (or real in the case of Unified2) packets for session
* Bug #1382: BPF not reflected in suricata.log when using pf-ring
* Feature #1389: suppress by host
* Bug #1390: suricatasc return empty iface-stat.pkts in IPS nfqueue mode
* Bug #1399: Flowbits rules not always evaluated in necessary order
* Bug #1412: byte_test checks before byte_extract happens in some cases
* Bug #1457: Non-standard prefixes used for file size indication
* Feature #1469: Use ISO 8601 date/time formats
* Bug #1484: Remove BUG_ON(1) statements in the packet path
* Feature #1489: Log a message when memcap limit is reached
* Feature #1504: lua: better notification in verbose mode on script errors
* Feature #1505: lua: show lua scripts during rule (re)loading
* Bug #1526: Malformed encoded base64 packet in json logs
* Feature #1541: multi-detect - vlan range mapping
* Bug #1549: flow keywords rule parsing
* Bug #1560: Newline in certificate subject name results in premature line break in TLS log
* Feature #1566: ICMPv4 control channel detection
* Feature #1571: Socket permissions setting in suricata.yaml
* Feature #1590: lua: force file magic and md5 lookup from script
* Bug #1593: Negative within error - works in snort
* Optimization #1595: Suricata starts in known conditions of no data
* Feature #1608: Add option to disable JSON escape slash
* Feature #1662: Disable action / rule ordering option
* Documentation #1691: Docs: Convert windows docs
* Feature #1710: Unix socket: Send output to unix socket
* Feature #1712: multitenancy: 'lite' tenants
* Optimization #1718: Time stamp in Log files should be ISO 8601 format
* Bug #1722: ip rules don't trigger under the context of 'flow:stateless'
* Bug #1738: [ERRCODE: SC_ERR_MEM_ALLOC<1>] - Can not allocate fingerprint string - Suricata 2.0.11-1
* Feature #1741: flow: use capture methods flow hash
* Optimization #1749: Log PACKET_DROP in inline mode for invalid states as well
* Feature #1750: Set Suricata to listen to all network interfaces when using AF_PACKET
* Feature #1752: Netmap for Windows
* Bug #1754: Inconsistent behavior with 'only_stream' flow keyword
* Feature #1766: TLS keyword expansion
* Feature #1767: Support DTLS protocol
* Bug #1770: Suricata takes very long time to start using hyperscan and large/custom detect settings
* Bug #1772: Inconsistent number of alerts while reading a pcap - runmode single/autofp,unix-socket
* Bug #1782: Unkown TLS's subject attributes
* Feature #1783: Create Suricata buffers to expose L2, L3, and L4 headers to Lua scripts
* Feature #1794: test suricata rules over unix-socket
* Feature #1799: netmap: capture drop stats
* Bug #1833: Transaction can be logged before stream reassembly and parsing are complete
* Bug #1838: suricata 3.0* and 3.1 hang after heavy traffic w/ pfring zc (reproducible)
* Feature #1872: add --list-decoder-protos or similar
* Bug #1881: pcap logging out of order
* Documentation #1892: rule docs should include example rules
* Feature #1899: Detecting Malicious TCP Network Flows Based on Benford’s Law
* Bug #1911: Commandline provided configuration values don't persist after initial startup
* Bug #1918: Incorrect packet stats in pcap and pf_ring capture modes
* Bug #1922: runmodes: memory leaks
* Feature #1939: Introduce packet/byte counter in stats.log/json for local bypass
* Feature #1950: allow configuration of file-store types
* Feature #1954: runtime option/flag to disable hardware timestamp support
* Feature #1956: Add option to re-initialise Lua output scripts
* Documentation #1974: DNP3: document lua support
* Bug #1976: ioctl warnings at startup and shutdown with dropped privileges
* Feature #1977: get the os info from TCP HTTP fingerprint
* Feature #1979: TCP/IP packets normalization/scrubbing
* Bug #1981: luajit states fail to run with valgrind
* Feature #1995: fast.log should show if packet has been dropped or rejected
* Bug #2013: failure of TCP after DOS attack
* Documentation #2016: doc: improve keywords self documentation
* Feature #2021: doc: sha256 filesum extraction missing in documentation
* Bug #2042: Difference protocol of MD5 rule will restart Suricata automatically
* Feature #2055: Optionally logging on files.json - Not log every file, only certain files that are stored and extracted
* Bug #2056: missing warning on a rule using within with one content keyword
* Bug #2069: logging: payload may not represent traffic the generated alert (eve and unified2)
* Bug #2091: nonexistent/misspelled custom fields accepted during parsing of suricata.yaml
* Feature #2092: Improved support for xbits/hostbits - workers runmode
* Bug #2094: luajit: SCFlowvarGet always returns null
* Feature #2107: eve: rotate log output based on size
* Feature #2115: Changing interfaces
* Feature #2145: Relate directly flowid with certificate file
* Feature #2147: fileinfo: sha1 hash not logged if state == TRUNCATED
* Feature #2166: output: log only triggering buffers
* Feature #2167: eve-ng
* Feature #2174: Need a special keyword and functionality for ip address extraction from a content (html body for ex.) and comparing it to src,dst_ip/EXTERNAL,HOME_NET
* Feature #2198: Extend the DNS parser to accept dns_response keyword in signatures
* Feature #2213: file matching: allow generic file matching / store
* Bug #2220: When running on a single-CPU machine, pcap processing takes a long time
* Bug #2221: Suricata batch processing slowed down by 0.2s intervals
* Feature #2227: more detailed output about number of threads created
* Feature #2232: Allow Large value in suricata.yaml file
* Feature #2233: Allow log for payload and packet only for defined sid
* Bug #2249: rule with file keyword used with ip or tcp not seen as invalid
* Bug #2257: rate_filter doesn't honor "timeout" if it is longer than "seconds" parameter
* Feature #2262: Unix Socket Output Configurable Retries and Blocking
* Documentation #2266: no documentation for file-store-waldo
* Feature #2269: TLS: tls.version: allow negation or comparison
* Feature #2273: engine analysis: enable analysis by default during startup
* Feature #2277: netinfo: structured information about the network. Output hierarchical network tree in events
* Task #2278: tracking: failing better
* Feature #2280: http: rules that match both request and response
* Feature #2281: tcp stream: simpler IDS handling of overlap evasions
* Bug #2289: af-packet bpf filtering failed to select multiple vlan
* Feature #2291: traffic-id: ruleset for traffic classification and bypass
* Bug #2296: Unix Manager Should Not Use Conf Functions to Pass Information to source-pcap-file
* Feature #2301: netflow: dump records at interval
* Bug #2305: unified2 alerts not including xff ips using extra-data mode
* Feature #2308: threshold/suppress by http_host
* Feature #2310: lua: expose xbits
* Task #2313: tracking: save & restore state when suricata restarts
* Feature #2316: global memcap
* Optimization #2317: rcu
* Optimization #2321: yaml: clean up usage of lists
* Bug #2337: give warning if permissions won't allow log reopen after dropping privs
* Feature #2342: Write PCAP files directly to Unix Socket
* Feature #2343: Add "flush" command to unix socket
* Bug #2351: Suricata with alert-prelude option sending only one IDMEF message (not more).
* Bug #2358: Inconsistent DNS/flows extracted from pcap
* Feature #2371: list all available /exposed fields to lua
* Bug #2373: unix domain socket owner stays root when priviledges dropped
* Bug #2378: log rotation 'flag' should be atomic
* Feature #2380: [discussion] deprecate: 'alert syslog' output
* Bug #2393: One way TLS traffic not properly identified
* Documentation #2404: Windows Installation Guide for Suricata bug
* Feature #2409: Push signatures without reloading the entire set.
* Feature #2410: Create a reset counter and track maximum number of parallel flows
* Bug #2412: Suricatasc isn't showing or allowing pcap file continuous option
* Bug #2413: Pcap Interrupt Keeps Pcap File Processing Interrupted
* Bug #2423: Suricata 4.0.3 and Napatech crashing
* Bug #2424: suri->userid (SCInstance) does not reflect correct uid if suricata is started as non-root
* Feature #2426: tls: extend logging
* Bug #2429: TCP-session and wrong alert timestamp
* Bug #2434: memleak - possible/definite memleaks reported for libnss3 and pthread_create
* Optimization #2460: Reduce timeout in unix-socket when multiple pcaps are enqueued
* Bug #2462: memleak: gitmaster json dns logger - 4.1.0-dev (rev efdc592)
* Documentation #2470: document content inspection in chunks
* Bug #2477: 802.1ah & Untagged Traffic
* Bug #2478: PCAP logging does not include 802.1q header when using af-packet
* Bug #2479: http_cookie negation fails if no cookie in traffic
* Feature #2487: Buffers for field/value pairs in http_uri and http_client_body
* Feature #2488: HTML Parsing / Buffers
* Bug #2494: Invalid Base64 payload for filemd5 alerts
* Bug #2500: stored will always equal false in fileinfo events
* Feature #2513: Suricata read the SSLProxy header
* Feature #2519: XFF iprep support
* Feature #2538: dsize keyword improvements
* Feature #2569: multi-tenancy: allow mapping to 'device pair' in IPS mode
* Bug #2581: content match fails with on large streams
* Optimization #2582: document flags keyword
* Optimization #2584: document tag keyword
* Documentation #2585: document replace keyword
* Optimization #2586: document flowvar keyword
* Optimization #2587: document pktvar keyword
* Documentation #2588: document hostbits keyword
* Documentation #2589: document decode-event
* Optimization #2590: document nfq_set_mark keyword
* Optimization #2593: document pkt_data keyword
* Optimization #2594: document dce keywords
* Optimization #2595: document asn1 keyword
* Optimization #2596: document engine-event keyword
* Optimization #2597: document stream-event keyword
* Optimization #2598: document l3_proto keyword
* Optimization #2599: document base64 keywords
* Feature #2613: stats: add xdp counters to stats
* Bug #2614: filemagic: pdf filemagic match
* Bug #2623: Missing http.status information in eve.log according to tcp packets.
* Bug #2627: lua: load script from same location as rule file if not in default rule location
* Feature #2628: Specify the flow direction in metadata sent by Suricata.
* Feature #2648: store captured data into file
* Bug #2656: Alerts not triggered under some conditions on traffic containing rule matches
* Feature #2661: output the http-body-data to eve.json
* Feature #2672: Split out DHCP parser to be reusable
* Feature #2673: Split out DNS parser to be reusable
* Feature #2674: Split out NFS parser to be reusable
* Feature #2675: Split out SMB parser to be reusable
* Bug #2680: eve output filetype:unix_dgram does not start a socket
* Feature #2681: Reloading of categories file, IP reputation list during rule live reload
* Task #2685: SuriCon 2018 brainstorm
* Optimization #2687: current suricata.yaml is missing rotate-interval "example"
* Documentation #2699: document all eve record types and fields
* Feature #2700: ja3/ja3s functionality for IKEv2
* Feature #2701: flow: counter for allocations at runtime
* Bug #2712: long wait time on exit - pcap read - unable to get all packet threads to process their packets in time
* Feature #2713: protocol detection w/o protocol parsing
* Bug #2718: pkts/drops counters discrepancy
* Optimization #2725: stream/packet on wrong thread
* Feature #2727: DCERPC UID to name mapping
* Bug #2739: Incorrect detection of the jit support of libpcre
* Feature #2746: Use Available Instruction Set Specialization (AVX2 and AVX512) in Hyperscan when available
* Optimization #2750: document nfs-keywords
* Feature #2755: vendor id / vid keyword to give rulesets unique sid ranges
* Feature #2756: rules: input in json format
* Feature #2757: improve protocol detection
* Feature #2759: iprep: more granularity
* Bug #2763: different number of events on exact same runs with asan and no asan builds
* Feature #2764: dns logging v1 vs v2
* Feature #2767: Interception of network stack attacks
* Feature #2771: MPLS over Vlan support
* Feature #2772: Add MPLS labels to alert output
* Task #2778: tracking: port app-layer parsers to Rust
* Optimization #2780: Convert DNP3 from C to Rust
* Optimization #2781: Convert ENIP from C to Rust
* Bug #2807: DNS LUA Logging does not have any way to log NXDOMAIN
* Bug #2814: suricatasc: hangs indefinitely and uses too much processing for pcap-file-continuos command
* Bug #2815: race condition during file-magic initialization
* Feature #2818: Napatech Bypass support
* Bug #2858: app-layer-protocol:failed; doesn't match traffic with ALPROTO_UNKNOWN
* Feature #2860: Suricata doesn't detect part of IKEv2 traffic
* Bug #2861: Suricata rule sid:2224005 SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) not works
* Feature #2871: lua: Exposing byte extract to script
* Bug #2891: Empty rrname in DNS answer for non-recurse NS answers
* Bug #2918: Unable to mmap, error Resource temporarily unavailable - err seems OS specific
* Feature #2925: Support for SPB encapsulation
* Bug #2928: alerts on icmp signatures in 4.0.x and 4.1.x
* Feature #2931: Perform privdrop without libcap-ng support
* Feature #2932: add batman-adv decode support
* Bug #2933: Suricata 4.1.3 block flow
* Bug #2934: VLAN tags stripped when saving pcap log
* Feature #2935: Support for multiple-logger for drop eve-log
* Feature #2939: Suricata enhancements - proposals
* Bug #2954: Strange interaction with afpacket - high CPU usage and no packet processing
* Feature #2957: Suricata x Moloch - protocol detection. Proposals for TLS/SSL
* Bug #2960: valgrind gives 'Conditional jump or move depends on uninitialised value(s)'
* Feature #2962: eve: log more IKEv2 fields
* Bug #2973: the flow after match the rules
* Task #2975: convert unittests to new FAIL/PASS API
* Documentation #2976: review userguide from beginners point of view
* Bug #2978: IRC traffic parsed by FTP
* Optimization #2979: replace mime decoder with rust based implementation
* Feature #2987: Suggestions for new keywords (streambits)
* Bug #2988: redis fails sometimes to reload rules to suricata; restart of redis fixes
* Feature #2996: Extend decode events and rules
* Support #2998: Rules Reload doesn't work properly
* Task #3016: No documentation for "endswith" keyword
* Documentation #3018: No documentation for "flowvar" keyword
* Documentation #3019: No documentation for "pktvar" keyword
* Documentation #3022: No documentation for "nfq_set_mark" keyword
* Documentation #3023: No documentation for "bsize" keyword
* Documentation #3025: Missing docs for "http." keywords
* Bug #3026: Windows MSI - add in service scripts
* Documentation #3027: No documentation for "nfs" keywords
* Documentation #3028: No documentation for "pkt_data" keyword
* Documentation #3031: No documentation for "asn1" keyword
* Documentation #3032: No documentation for "engine-event" keyword
* Documentation #3033: No documentation for "stream-event" keyword
* Documentation #3034: No documentation for "l3_proto" keyword
* Documentation #3035: No docs for "base64_" keywords
* Documentation #3036: No documentation for "template2" keyword
* Support #3037: The rules detect order
* Bug #3040: pcap: with -r pcap_open_offline failure does not lead to non-zero exit code
* Bug #3041: snmp parsing error message
* Feature #3042: stats: allow per second stats updates
* Documentation #3046: Document each default value from the config file
* Bug #3049: thread hangs in pfring mode
* Bug #3065: tls_cert_XX keywords date format parsing error
* Bug #3066: No documentation for hostbits
* Bug #3071: coverity warning in tls wrt tainted scalars
* Bug #3075: RX thread hang in pcap-file mode
* Bug #3083: DROP rule with "noalert"
* Bug #3087: Prelude output IDMEF message issue
* Bug #3093: FTP logging needs suricata-verify tests
* Bug #3095: default log dir not always honored - git master
* Bug #3097: build for eBPF programs needs a way to specify Linux header location
* Feature #3105: Add kafka output
* Bug #3117: multiple valgrind reported warnings - 5.0.0-dev (9e126b210 2019-08-07)
* Optimization #3127: Unable to set XDP on 'ens2f0': Invalid argument (-22) - Mellanox cards and Intel cards with jumbo frames
* Bug #3146: scan-build warning for asn1 parser
* Bug #3179: http_header_names not generating alerts
* Documentation #3180: tracking: document all decoder and app-layer events
* Documentation #3181: document http engine events
* Bug #3191: When run suricata with pf_ring zc mode suricata did not try to connect redis.
* Task #3195: tracking: rustify all input
* Optimization #3206: improve int handling
* Feature #3212: Prevent duplicate pcaps from being re-processed
* Optimization #3213: improve rule parsing warnings
* Bug #3220: ssl_version keyword negation (!) not working
* Bug #3221: EBPFDeleteKey -- ERRCODE: SC_ERR_SYSCALL(50)
* Documentation #3222: Configuring ipv6
* Bug #3238: rust compile fail on ppc64el
* Feature #3243: POP3 Support
* Feature #3244: IMAP Support
* Feature #3245: Email extraction to separate folder
* Feature #3246: Logging of Email body
* Bug #3257: Lua PANIC: unprotected error in call to Lua API (stack overflow)
* Feature #3260: SMTP Base64 Decoding of Message Body
* Feature #3261: SMTP quoted-printable Decoding of Message Body
* Documentation #3268: Add links to additional information at the wiki to the userguide
* Feature #3271: Add keyword to determine flow based speed/bw
* Documentation #3274: doc: some inconsistency between http docs keywords description
* Feature #3290: use config vars everywhere
* Task #3291: collect common mistakes rulewriters might run into
* Task #3294: Test the maximum size for messages passed to the unix socket
* Feature #3295: Unix socket: support to receive flow shunting information
* Feature #3296: Include in the fileinfo if it was a duplicate
* Feature #3298: Create a config flag in the DNS logger to limit events to only the ones in the custom field
* Task #3299: Tracking: Add support for industrial protocol
* Task #3300: Tracking: Add support for medical protocols
* Task #3301: Research: Failover support within the current IPS implementation
* Task #3302: Research: ruleset optimizations
* Documentation #3303: Add a documentation about the used sid and gid ranges
* Optimization #3304: generic way to register buffers for logging and detection
* Optimization #3305: Tracking ticket: which parts of the engine should be dynamic
* Task #3307: Research: evaluate future of lua support in Suricata
* Bug #3309: xdp: some bypass stats/counters do not update properly
* Feature #3310: ease suricata configuration with xdp
* Feature #3311: Add better default suricata configuration for different traffic sizes and cpu/system architectures
* Documentation #3313: Document 40Gbps IPS set up
* Optimization #3314: rust: integrate log crate with suricata logging
* Feature #3316: Unix socket: support dumping flow table
* Feature #3317: rules: use rust for tokenizing rules
* Task #3318: Research: NUMA awareness
* Feature #3319: on 'wrong thread' reinject packets to correct thread
* Feature #3321: Evaluate different encoders for eve-log
* Optimization #3322: Use standard CRC32 for hash-like functions
* Bug #3323: tracking: ipv6 evasions
* Task #3329: Research: WASM as a Lua alternative and for dynamically loadable modules
* Feature #3333: Research: Unwind panic's from Rust modules
* Bug #3336: Suricata compilation on windows / mingw
* Optimization #3337: Python is assumed to be installed in the same --prefix as suricata
* Feature #3338: vxlan: log vni in eve
* Bug #3348: Possible detection issue with VXLAN parser
* Bug #3349: Suricata 5.0 crashes while rule reload
* Bug #3353: xdp_filter segmentation fault util-ebpf.c:728
* Bug #3354: eve-log dns (possibly others) alerts miss metadata for all but first packet
* Bug #3358: bypass_filter AFPBypassCallback Segmentation Fault
* Bug #3359: suricata.log ownership not being set to run-as user/group
* Bug #3370: Suricata 5.0.0 Crashes Intermittently
* Bug #3371: 'suricatasc -c conf-get ...' returns outdated values after reloading suricata
* Feature #3373: add init service file example script for Debian/Ubuntu
* Feature #3383: nflog: use mnl api
* Task #3392: Tracking: protocol detection evasions
* Optimization #3544: Have small signature match context without allocation
* Feature #3548: Support GTP(GPRS Tunnelling Protocol).
* Task #3554: modbus: support GAP recovery
* Bug #3617: Missing icmp netflow
* Feature #3629: Publish the Suricata support Python libraries to PyPI (make pip installable)
* Feature #3663: DNS: Parse and extract DNS NULL records
* Feature #3675: Testimony support
* Bug #3681: Rule reload causes segfault
* Feature #3688: Re-implement fast_pattern:only; in some way
* Bug #3692: delta calculations come up negative
* Bug #3698: Incorrect max length of windivert filter
* Bug #3728: ftp file extraction failure
* Bug #3746: bsize needs to err upon non possible matching conditions (4.1.x)
* Documentation #3751: Alert metadata JSON configs in suricata.yaml.in should match the RTD documentation
* Optimization #3797: Filestore Setup Excess Directory Slash
* Task #3803: Research: use nom-derive
* Bug #3809: Thresholding file-store rule with flowbits saves empty file to disk
* Task #3828: pfring support: remove in favor of (externally maintained) plugin
* Optimization #3829: pcap source: Counters, counters and... counters
* Optimization #3830: pcap source: PcapThreadVars and cache lines
* Bug #3889: Support interfaces with MTU > 1500
* Feature #3894: Option "ttl" exclusive range behavior is non-intuitive
* Bug #3900: After a completed rule reload, Suricata sometimes is stuck for 1h with `rs_nfs_state_get_tx` peak
* Bug #4063: rdata field not included in DNS log for NS rrtype
* Feature #4093: Extend stats log to print packet and byte rate on protocols
* Task #4146: Research: Hand off packet streams on alerts
* Feature #4147: Map rules to MITRE ATT&CK
* Feature #4148: Research: SSH Support for additional protocol analysis
* Feature #4149: Research: Dynamic datasets
* Feature #4150: Profiling mode: Ticks used to generate an alert available?
* Task #4151: Research: New protocol support
* Feature #4175: dcerpc: higher level logging
* Bug #4178: DNS Query triggers alert but no output in alert-debug.log
* Bug #4214: Honor vlan: use-for-tracking in ebpf maps
* Feature #4249: SS7 Protocol Support
* Feature #4250: Diameter Protocol Support
* Task #4252: SCTP: session tracking
* Optimization #4318: app-layer: "close" all txs if protocol reaches error state
* Feature #4325: xdp compile warnings on 5.4 kernels
* Bug #4356: Napatech memory leaks
* Bug #4357: Napatech memory corruption
* Bug #4370: the latest release of Suricata V6.0.1 for Windows use high CPU
* Task #4380: tracking: improvements to bits, ints, vars
* Feature #4381: flowbits: warn if flowbit dependencies don't follow suricata inspection order
* Feature #4398: support regex match and flowvars as keywords value
* Bug #4426: XDP redirect cpu likely broken in 5.9
* Task #4431: libsuricata: Example showing libsuricata as a replacement for libnids (network grep)
* Feature #4547: pcrexform not support tcp and other protocol
* Feature #4573: add IPS drop total to eve log output
* Feature #4649: Autonomous System Number (ASN) support similar to GeoIP
* Documentation #4662: Add documentation section covering Suricata rule grammar
* Task #4714: Improve unittests coverage for Suricata's application layers rust nom parsers
* Task #4735: tracking: ubsan clean
* Documentation #4743: Improve Suricata code documentation (C files)
* Documentation #4768: DNS v2 EVE does not longer contain `dns.rdata` but it is still listed in the documentation
* Feature #4775: lua: overhaul lua support
* Bug #4843: IPv6 evasion : dos mld chiron
* Bug #4844: IPv6 evasion : redir6
* Bug #4845: IPv6 evasion : parasite6 + dos new ipv6 + fake mldrouter6 advertise
* Bug #4846: IPv6 evasion : flood + ndpexhaust26
* Bug #4874: FN when using stream_size with http proto and buffers
* Bug #4875: FN when using flowbits and ftp protocol.
* Bug #4916: af-packet: Sending packet failed on socket 20: Message too long
* Bug #4940: ftp-data: protocol misclassification if the file begins with a protocol pattern
* Feature #4951: decode: datalink type 276 not yet supported
* Feature #4974: Log references to Eve
* Feature #4985: quic: support frames
* Bug #5012: Remove duplicate definition of constants between C and Rust
* Documentation #5030: Documentation bugs for endswith, distance, within
* Feature #5051: output/frames: allow tx logging to reference frames
* Task #5052: unittest: create test for checking all app_proto registrations
* Bug #5064: frames: duplicate alerts when no flow direction provided
* Feature #5067: smb/dcerpc: Match dcerpc (over smb) requests before bind_ack
* Feature #5069: smb: SMB keyword for match the smb command
* Bug #5071: Suricata RAM usage never decreasing
* Bug #5072: detect/ip_proto: inconsistent behavior when specifying protocol by string
* Task #5074: rules: structured rule input
* Optimization #5083: Proposal: new and compact rule parser for Suricata in Rust
* Bug #5087: smb: file.name sticky buffer doesn't match all smb files
* Optimization #5089: unifiy address range parsing
* Feature #5128: Light weight packet profiling
* Bug #5133: DCERPC: master - logs not created
* Bug #5134: DCERPC: dcerpc.iface keyword not using fast pattern/mpm causes severe performance degradation
* Bug #5135: DCERPC: dcerpc.iface keyword alert results differ from 5 vs 6/master
* Bug #5140: nfs: NFS3/NFS2 procedure conflict
* Feature #5152: Anomaly: CredSSP support addition to Suricata anomaly parsing
* Bug #5160: smb: Misguiding keyword smb.named_pipe
* Bug #5172: Napatech stream mismanagement following non-transient error
* Bug #5176: False positive when negated content is far ahead of matching content.
* Documentation #5182: userguide: better document rule keywords
* Bug #5185: MIME URL extraction missing.
* Task #5195: tracking: give more insight into detection pipeline
* Bug #5199: Setting flow memcap too low tries to allocate the whole system memory
* Bug #5204: Memory leak caused by ippair processing
* Feature #5206: Buffer Dump Utility
* Feature #5209: Add "status" mode to Suricata's socket command interface
* Documentation #5225: testing/fuzz: improve documentation on how to fuzz suricata
* Feature #5245: allow fast_pattern on base64_data strings
* Feature #5247: Applayer Detect protocol only one direction : RTSP protocol
* Bug #5255: Reported pcap_filename in alerts are not correct
* Task #5256: rust: see if we can reduce number of crate deps
* Task #5257: ci: cargo audit job
* Bug #5263: Flow is stuck if there is no traffic
* Bug #5264: random value for ja3 and ja3s hashes during the next scan
* Documentation #5267: Meaning of insert_list_fail counter
* Bug #5287: (Maybe) issues in FTP decoder, Suricata stop analyzing traffic
* Bug #5290: pip install failure
* Bug #5292: cppcheck: "portability" warnings: using void pointers in calculations
* Bug #5293: cppcheck: "portability" warnings: non thread-safe functions
* Bug #5332: Smb2 can not store files!
* Documentation #5359: userguide: improve documentation on (main) EVE fields
* Bug #5363: Memory leak in rust SMB file tracker
* Feature #5365: Limit rust 'filetracker' memory in configuration
* Documentation #5367: byte_test: all examples in doc missing a required argument
* Feature #5372: Add support for encrypted traffic analysis
* Feature #5405: Make suricata point to where to report a bug
* Bug #5406: HTTP Req and resp correlation incorrect
* Bug #5407: suricatasc runtime error
* Bug #5432: events: PACKET_RECYCLE does not reset event_last_logged (5.0.x backport)
* Task #5433: tracking: reduce number of public data structures
* Optimization #5434: app-layer: fix AppLayerParserGetTx (and friends) param confusion possibilities
* Feature #5440: multiple stats EVE logs with different intervals
* Bug #5445: RX thread hang in pcap-file mode
* Feature #5450: Rule keyword for non midstream flows
* Bug #5451: Non-Deterministic Behavior with HTTPS Checksum Verification
* Optimization #5453: af-packet ips: floods packets that should be learned
* Task #5460: eol: include EOL dates in a per branch file in the repo
* Feature #5461: eve: Use threaded output by default
* Bug #5462: IPS bridge mode -- warn/error if there's an IP address associated with any monitoring interface
* Feature #5469: rules: expose per flow stream.midstream setting to the rule language
* Feature #5470: reject: allow reject dev to be specified in the yaml
* Bug #5480: Cannot compile Suricata 6.0.6 with PF_RING support
* Documentation #5484: userguide: explain content modifiers usage with regards to position usage in the rule
* Documentation #5485: userguide: explain that the http.header_names buffer is normalized
* Documentation #5487: userguide: add explanation on how depth of inspection affects rules
* Bug #5490: Applayer Detect protocol only one direction - NFS
* Bug #5491: SMTP response 221 appears to generate an SMTP invalid response alert
* Bug #5492: Applayer Detect protocol only one direction - Kerberos
* Feature #5499: PCAP-over-IP client
* Bug #5502: Suricata hangs and then exits when the first PCAP processed has 0 packets
* Documentation #5514: userguide: document exception policy from an extreme profiling and tuning perspective
* Bug #5520: If alert status code is 200, some fields are missing
* Optimization #5522: decode: optional optimized tunnel packet handling
* Documentation #5523: userguide: document the tcp-stream keyword
* Documentation #5537: devguide: add section/chapter about how [capture] bypassing works for Suricata
* Bug #5562: rule_perf.log with multiple sort orders is invalid JSON
* Bug #5576: Dataset is setting data despite the signature being a complete match
* Documentation #5591: devguide: bring section about OpenBSD Installation from git into devguide
* Task #5593: tunnel: review locking logic
* Task #5611: tracking: counters: improve efficiency of stats tracking
* Task #5613: counters: reduce size of data structure
* Task #5614: counters: compress id space in a thread
* Task #5615: counters: avoid duplicate work
* Feature #5618: setup-app-layer: add option to choose TCP/UDP protocol
* Documentation #5620: doc: add vectorscan instructions
* Optimization #5634: Unify ValidateCallback for MD5-like keywords
* Feature #5639: Allow dataset to match on extracted domain
* Feature #5640: frames: tx frames
* Feature #5641: dns: frame based keywords for "raw" fields in requests and responses
* Optimization #5643: pcap: rule based conditional pcap logging
* Task #5645: tracking: elephant flow detection
* Feature #5646: rules: allow matching on flow pkts and bytes
* Feature #5647: rules: mark flow as elephant flow
* Feature #5648: flowworker: heuristic to see how busy a thread is with elephant flows
* Feature #5649: eve.flow: add thread id(s) processing a flow to the record
* Feature #5650: unix socket: query threads about most recent elephant flows
* Bug #5652: af-packet: remove emergency flush from yaml
* Feature #5655: host: make memuse and memcap reached counters for host table
* Bug #5656: rules: engine analysis gives false positive warning
* Feature #5657: byte_test: allow comparison with static value
* Documentation #5660: userguide: add (more) documentation for the GRE protocol
* Documentation #5662: Review/Update Hyperscan Documentation
* Task #5666: rules: help to visualize how a Suricata rule matches (different contents/offsets)
* Feature #5668: eve: optionally add rule fast_pattern
* Documentation #5669: Better link together the bits keywords
* Feature #5670: Support wide strings somehow
* Optimization #5671: Better way to decide on flows memcap and timeouts
* Feature #5673: capture: option to decapsulate everything first
* Feature #5674: Support layered protocols
* Feature #5675: protocol: MMS SCADA support
* Feature #5676: ASN1 Spec to Rust nom generator
* Feature #5677: protocol: BGP support
* Task #5678: tracking: Parse protocols that are not over TCP/UDP
* Optimization #5679: tracking: useful log output
* Optimization #5680: eve-log: reduce duplication of info
* Feature #5681: datasets: add more transform layers to match on domains
* Task #5685: tracking: active directory protocols support
* Feature #5687: eve: "auth" and/or "auth_fail" log
* Bug #5704: Filestore is not working if landlock is enabled
* Feature #5705: Add Wireguard parser
* Bug #5713: TLSv1 not logged into tls events.
* Feature #5716: rdp: add app-layer frame support
* Bug #5721: http2: logging settings do not match what is seen in the RFC
* Documentation #5724: Why does reject-dev option work only in Sniff Mode
* Feature #5727: krb: add frame support
* Feature #5728: modbus: add frame support
* Feature #5729: bittorrent-dht: add frame support
* Feature #5730: dhcp: add frame support
* Feature #5732: ntp: add frame support
* Feature #5733: snmp: add frame support
* Feature #5734: ssh: add frame support
* Bug #5739: htp: handle alloc failure for user data
* Feature #5743: http2: add frame support
* Feature #5745: exceptions: allow setting via unix-socket
* Bug #5748: iprep/ipv6: memory leak on same input in different forms
* Bug #5750: Spurious "SURICATA DNP3 Length too small" error and failed reassembly
* Bug #5751: DNP3 preprocessor incorrectly parses READ requests
* Feature #5752: Proposed new DNP3 keywords and operators
* Bug #5754: I use the file-extraction to store the files transferred by HTTP2, but fileinfo does not have the filename field.
* Optimization #5755: datasets: ipv4.src/dst, ip.src/dst check rules should be ip-only
* Bug #5756: datasets: ipv4.src/dst, ip.src/dst check rules match on pseudo packets
* Bug #5758: tls: iOS session with TCP fastopen and TLS 1.3 gives invalid record warning
* Feature #5764: logging: add a format string for a more standard log format
* Bug #5766: Misparsing of DNP3 g70v1 objects and failed reassembly
* Bug #5767: Dangling pointer in SSL Parser
* Bug #5771: xdp: Flows with nested VLANs are not bypassed by XDP filter
* Documentation #5772: docs: A wrong rule matching example provided by the official doc
* Feature #5776: PCRE fast_patterns via hyperscan
* Bug #5778: ftp fileinfo and extraction seem not to trigger when it should
* Bug #5788: files: output modifies file state
* Feature #5798: New transformation: dropbytes
* Documentation #5837: Unify documentation of command-line parameters
* Documentation #5841: tracker: bring documentation from old wiki on redmine to readthedocs guides
* Security #5851: Rust: handle allocation failures
* Bug #5864: radix tree do not support "0.0.0.0/0 ::/0"
* Optimization #5865: Remove dual tracking mechanisms in output loggers
* Bug #5871: ips/af-packet: doesn't work between 2 virtio devices
* Feature #5872: file structure awareness - precise identification of fields in file structs
* Bug #5880: pcap recursive mode not working as expected
* Task #5892: config: remove requirement for suricata.yaml to start with %YAML 1.1
* Task #5893: tracking: deep file awareness and inspection
* Feature #5894: file: file classification keyword
* Optimization #5902: detect: "alert dcerpc" sig sets up smb inspect engines
* Feature #5913: rfb: add more record types
* Bug #5914: rust: compile error related to nom-derive-impl / syn 2.0
* Bug #5938: for syslog output, the setting identity is not properly set
* Bug #5941: DNS rules not matching when traffic is over tcp
* Bug #5954: redis: output crash on Mac
* Feature #5956: Report traffic with missing VLAN tag
* Documentation #5995: userguide: ips upgrade guide
* Feature #6004: Add retry option to redis outputs using a socket instead of IP
* Optimization #6011: Research potential performance penalty with filestore feature
* Feature #6051: app-layer: dhcpv6 support
* Documentation #6059: docs: fix build failure - urllib3 issue
* Optimization #6065: warning _FORTIFY_SOURCE requires compiling with optimization
* Feature #6067: Add field to track SID of Flowbit Matches
* Documentation #6071: eve/schema: add descriptions to the schema
* Documentation #6072: eve/schema: document smb
* Documentation #6073: eve/schema: document dns
* Documentation #6074: eve/schema: document nfs
* Documentation #6075: eve/schema: document http
* Documentation #6077: eve/schema: document sip
* Bug #6088: xdp/ebpf: updated shipped bpf files to be supported by libbpf v1.0 and higher
* Bug #6090: eve/alert: missing dcerpc metadata
* Bug #6091: eve/alert: missing dhcp metadata
* Documentation #6096: eve/app-layer: generate example eve-log for each protocol
* Documentation #6097: eve/dhcp: generate example dhcp output
* Documentation #6098: eve/dns: generate example dns output
* Feature #6101: icap: app-layer protocol support
* Feature #6102: Translate NAT64 ranges (also custom ranges)
* Bug #6108: http: leading gap in request data leads to invalid next request
* Bug #6110: Bad Checksum 0xffff - ICMPv4 & ICMPv6
* Optimization #6126: compiling with outdated cbindgen does not have a corresponding err msg
* Documentation #6133: tracking: security deployment documentation
* Documentation #6150: doc: improve the file-store documentation for the eve output and the dedicated section
* Bug #6154: Conditional pcap-log fails to log packets for some alerts when using “pcap-file-continuous” flag
* Optimization #6160: filestore: decide on the impact of eve output over the global filestore settings
* Bug #6161: file-store: missing hash on TRUNCATED files
* Feature #6167: Stream retransmissions stats counters
* Bug #6173: http: loss of backward compatibility in HTTP logs from v6 to v7
* Bug #6175: eve/alert: deprecated fields can have unexpected side effects
* Bug #6176: Multi-tenancy: Tenant selector to tenant ID mapping is o(n)
* Bug #6177: detect-engine: stream match for rules is interdependent
* Bug #6178: dns: erroneous app_proto settings in rule analysis
* Optimization #6190: flow_spare_pool_block_size is a constant defined as a variable
* Bug #6197: stream: additional alerts being seen once sigs are added
* Feature #6198: Feature Request: Add "SMTP" keywords for use in rules
* Feature #6200: output: suricata.yaml dump-all-headers applied for alerts
* Bug #6204: pcre: "Conditional jump or move depends on uninitialised value(s)" in valgrind
* Feature #6206: Investigate a more intuitive use of the timestamp field in traffic/metadata events
* Feature #6214: mirror ruleset reload commands for tenants in suricata socket control
* Feature #6216: http: HHHash support
* Bug #6218: xbits inconsistent behavior when running a pcap file.
* Optimization #6221: build: check for compiler warnings/messages
* Bug #6238: AF-XDP crash when closing Suricata while receiving traffic
* Bug #6239: ASAN: double free when multi-tenancy enabled and configured
* Optimization #6246: initialization: do config validation before runtime
* Bug #6250: libbpf: elf: legacy map definitions in 'maps' section are not supported by libbpf v1.0+
* Feature #6251: AF-XDP ability to bind custom program
* Bug #6257: pcap: hang at shutdown for some interfaces
* Optimization #6264: mpm/ac-ks: reduce stack usage
* Feature #6268: Recognize related ICMP request/response pairs
* Optimization #6277: Attach XDP filter with libxdp
* Bug #6283: FTP parsing yields in some cases smtp and http event types
* Task #6287: suricatasc: rewrite in rust
* Documentation #6288: eve/schema: generate tables of data for app-layer protocols
* Feature #6295: output: add stream-size to flow output
* Feature #6296: smtp: BDAT chunking support incl MIME parsing
* Bug #6307: Packet loss or client connection drop causes delayed detection on HTTP rules
* Bug #6365: Suricata AF_XDP not using libxdp XDP dispatcher and can't co-exist with another XDP program
* Bug #6372: napatech: Can produce invalid microsecond values.
* Bug #6373: main/startup: support sentinel file signal for initial rule processing completion
* Optimization #6375: detect: merge urilen and bsize implementations
* Bug #6384: Configure seems failed to persistently detect/remember cbindgen location
* Bug #6385: NFQ: Dereference of pointer that potentially can be null
* Documentation #6386: Add tls.cert_chain_len Documentation
* Feature #6409: Lua support for HTTP/2
* Bug #6416: Suricata not using Myricom SNF driver in a performant way
* Feature #6417: Allow base64_decode/base64_data to consume transforms
* Bug #6440: TLS logging and maybe more not working on tagged traffic
* Task #6443: Suricon 2023 brainstorm
* Task #6447: readthedocs: CI integration
* Feature #6453: Support DNS over TLS
* Feature #6456: output: binary logging
* Feature #6457: eve: configurable list of fields in output
* Bug #6458: eve/http: discrepancy in http events and http objects logged in alerts
* Bug #6461: ics protocol: bacnet
* Feature #6462: IEC104 Protocol Support
* Task #6463: eve/output: investigate how to track coverage / parity
* Feature #6464: protocol: profibus
* Feature #6465: multi-tenant: support vxlan as a selector
* Feature #6466: multi-tenant: support mpls as a selector
* Feature #6467: flow tracking: add other parameters to flow tracking
* Feature #6468: flow-tracking: add geneve as a flow tracking parameter
* Feature #6469: flow-tracking: add erspan as a flow tracking parameter
* Feature #6470: flow-tracking: add vxlan as a flow tracking parameter
* Feature #6471: flow-tracking: add mpls as a tracking parameter
* Feature #6472: HTTP/3 support
* Task #6473: detect: smtp keyword coverage
* Task #6475: detect: smtp.subject keyword
* Task #6476: ftp: parity of logging and detection buffers
* Feature #6482: Deployment: detect if capture is good enough
* Bug #6490: Rule profiling log appends path to log directory
* Task #6491: multi-tenant: add selectors
* Documentation #6548: http.stat_msg - note about HTTP/2 behavior
* Bug #6559: Signatures starting with space have invalid diagnosis
* Bug #6560: Suricata can’t output response when meet a tcp retransmission after a response
* Bug #6565: coverity: new issues after updating to 2023.6.2
* Bug #6567: anomaly and file info logs discrepancy results between versions
* Optimization #6583: rust: get rid of unused final zeroes in protocol detection patterns
* Bug #6587: DPDK 'tap' mode doesn't alert on TCP protocol rules
* Bug #6588: DPDK 'ips' mode doesn't pass TCP traffic
* Bug #6591: protodetect: ftp parsed as smtp
* Bug #6611: Fake Tunnels In Fragmented IP Packets
* Bug #6623: Suricata BPF filter differs from tcpdump (tcpdump behaviour seems correct)
* Feature #6625: Apply netflow per network
* Optimization #6632: Do not have any warning with -Wsign-conversion
* Bug #6634: tls: Invalid ja3 due to double client hello
* Feature #6649: Add a keyword to match on raw data within headers especially for protocols without a dedicated parser
* Feature #6650: dns: support extended response/error codes
* Feature #6651: quic: detect on non-standard ports
* Bug #6655: invalid distance/within does not produce an error
* Feature #6683: stats: add packet time elapsed indicator
* Bug #6692: Have keywords export JSON dump function for engine analysis
* Feature #6693: byte_jump - add support for bitmask option
* Documentation #6694: placement of bitmask note about right shift behavior
* Feature #6701: Auto-bypass optimization
* Bug #6713: Weak ciphers event in Kerberos protocol
* Bug #6716: fast.log enabled when running specifically without rules
* Optimization #6720: flow: explore how red black trees compare to linked list in hash buckets
* Optimization #6721: hash tables: explore how red black trees compare to linked list in hash buckets
* Bug #6722: dpdk: inconsistent stats reporting
* Feature #6723: detect: review existing keywords for usage of enumerations
* Feature #6724: detect: review existing keywords for usage of bitflags
* Optimization #6730: threading: warn if cpu affinity assigns more than one thread to a core
* Bug #6731: eBPF XDP program is not attached when pinned-maps is true
* Bug #6735: setting variables with --set leads to segfault
* Task #6752: libsuricata: don't include autoconf.h from other includes
* Bug #6754: libsuricata: restructure directory and files to allow for include files to be name spaced
* Bug #6779: http.header_names behavior when encountering duplicate header names
* Bug #6782: Crasher in HTTP chunked / StreamingBuffer
* Optimization #6786: util-rohash.c : make code cleaner to make CodeQL happier
* Bug #6789: Dns remarks without showing dns name
* Bug #6793: Unit tests failed to build on Solaris
* Feature #6794: Tie signature to live device in IPS mode
* Feature #6802: Support Domain rollup using existing dataset library
* Feature #6803: Add Support for Dataset Metadata
* Bug #6804: ci: add test for non-bundled htp
* Feature #6807: Support the use of variables within transforms
* Feature #6808: Quantify how a Suricata rule matches against a PCAP
* Bug #6815: util/decode-mime: Possible dereference of nullptr
* Feature #6823: SC_WARN_POOR_RULE on to_lowercase/to_uppercase transformation with non-possible matching content
* Documentation #6824: doc: Document every parameter of the configure script
* Bug #6825: af-packet: possible free of unallocated memory
* Bug #6826: app-layer/htp: Possible dereference of null in HTPCallbackRequestLine
* Feature #6831: support extraction of bytes of non-numeric values
* Feature #6832: Support BPFs for filtering pcap output
* Task #6851: eve/syslog: stats message too long for many default configurations
* Feature #6853: Support of variables from byte_math / byte_extract in bsize / dsize comparisons
* Optimization #6855: src: var code cleanups
* Feature #6857: iprep: support seeing if rule is part of a rep list
* Task #6858: libsuricata: hook for flow expectation creation
* Bug #6860: eve/alert: multiple issues for ICMP
* Bug #6874: libhtp appears to stop parsing HTTP client requests mid-pcap - /libhtp::request_uri_not_seen
* Feature #6885: references: new "wayback" reference and update others
* Bug #6886: HTTP Chunk Length Value disappearing
* Bug #6894: bsize validation FP on content negation with hex encoded 0d 0a
* Feature #6914: support inspecting http.uri or http.request_body
* Feature #6916: decoding : add support of IEEE 802.2, 802.3 frames
* Bug #6920: FR, FM and Global stats gone after 7.0.4
* Feature #6922: Have a way to manually request decompression/inflate if headers are not present
* Documentation #6924: replicate http.cookie behavior from "Differences From Snort" to http.cookie
* Feature #6925: multi-buffer support for HTTP cookies
* Feature #6926: new buffer that includes HTTP headers and the start of HTTP body
* Optimization #6928: source-netmap: improve netmap receive loop packet processing performance
* Bug #6933: dpdk: landlock support
* Bug #6934: UBSAN: null pointer passed as argument to memcpy in unit test
* Bug #6954: eve: packet field packet_info.linktype is non-portable
* Bug #6963: rule-reload: potential memory leak in multiple rule reloads
* Task #6968: decode: unify decode thread module with receive thread module
* Bug #6969: Dataset lookup function is not working with ip type
* Documentation #6982: offset: no documentation that offset can be a name
* Documentation #6991: add note about case sensitivity to flowbits docs
* Documentation #6992: Document normalization of header name/value separator
* Feature #6993: rule macros for commonly used logic in rules
* Feature #6995: raw option for http.request/response_header
* Bug #6997: Socket mode hard fail with pcap logging mode and multiple link layer pcap file
* Bug #7003: Suspected memory leak after Suricata binary is updated or upgraded
* Bug #7005: Porting changes for running Suricata on Solaris
* Bug #7006: spm: boyermoore implementation appears to underperforming
* Bug #7008: Static build failure on Linux since
* Bug #7009: dpdk: compile warning ‘rte_eth_bond_members_get’ is deprecated
* Feature #7011: DNS additional section parsing and logging
* Feature #7012: Add dns.response sticky buffer
* Bug #7016: tls: hello retry request handling issues