Releases: snort3/snort3

Snort v3.11.1.0

28 Feb 01:45

Dependencies:

  • Libdaq v3.0.25
  • LibML v2.0.0
  • If you are using rules from snort.org, please use latest Talos_lightSPD package from version 2026-02-02-001 onward (due to API bump in 3.11.0.0)

Changes in this release since 3.10.2.0:

  • trace: implemented multi-logging feature to support new lua configuration

Changes in this release since 3.11.0.0:

  • appid: address FIXIT comments in detector plugins
  • appid: address FIXIT comments in service plugins
  • appid: detect ssl service during midstream
  • appid: inspect server port and client port during midstream; add support for NFSv4.1
  • appid: refine ssh event id handling
  • appid: remove assertion while processing dns pkt
  • dce_rpc: fix DCE/RPC context id list parsing out-of-bounds read
  • dns: clear insert flag for DoH/DoQ
  • dns: fix heap-buffer-overflow in DNS NSEC resource record decoder
  • doc: fix typo. Thanks to Nils Rennebarth for reporting the issue
  • file_api: add data about buffers to perf-monitor output
  • file_api: add packet tracer logs
  • file_api: support fields for extractor
  • flow: save the flow_id from the DAQ header struct of a Packet in the Flow object when it is allocated for a new flow
  • ftp_telnet: clear stale pointers in FTP_CLIENT_REQ to prevent UAF
  • ftp_telnet: fix 1-byte heap-buffer-overflow in telnet normalization
  • ftp_telnet: fix off-by-one OOB read in CopyField
  • ftp_telnet: fix out-of-bounds read vulnerabilities in normalize_telnet function
  • ftp_telnet: improve performance in TelnetSplitter
  • http_inspect: add decoded URI buffer with shared decoded path
  • http_inspect: add http_decoded_uri ips option
  • imap: fix out-of-bounds read in body length parsing
  • imap: replace memrchr with cross-platform snort_memrchr
  • kerberos: add config to set failed_login flag in kerberos client detector
  • mms: fix session spdu params OOB read
  • mms: guard against case where p->flow is null and dereference causes a crash
  • mp_dbus: lockless event ring
  • mp_unix_transport: verify connector message allocation
  • output: add coverity annotations for thread-safe startup/shutdown functions
  • perf_mon: coverity fixes
  • pub_sub: add get_content_length method to HttpEvent
  • rna: support for deviceinfo fingerprint and events processing
  • shadowtraffic: enhance logging to system support trace
  • shadowtraffic: Fix shadow traffic detection failing after config reload and crash during deploy
  • socks: socks inspector
  • src: fix copyright
  • ssl: alert on multiple chello certificate records
  • ssl: populate inspector in flow data
  • ssl: prevent caching zero size ssl data
  • stream: include the flow_id flow data output of the dump_flows command
  • stream: skip check for held packet retransmit if current packet is not a wire packet
  • stream_tcp: clear packet action flags after meta ACK processing to ensure parent packet processing is not affected
  • stream_tcp: default to overwrite upon zwp mismatch instead of session block
  • stream_tcp: reject SYNs with different sequence numbers than first seen SYN
  • test: fix comparison for pointers in check tests
  • wizard: additional coverage of unit tests
  • wizard: improve MMS curse against fragmented traffic
  • wizard: improve MMS presentation context search logic

Snort v3.10.2.0

22 Jan 03:48

Dependencies:

  • Libdaq v3.0.24
  • LibML v2.0.0

Changes in this release since 3.10.1.0:

  • appid: configurable midstream service discovery
  • appid: prefer QUIC client appid over SSL
  • appid: prevent out-of-bounds read in bootp option parsing
  • appid: prevent out-of-bounds read in sslv2 server-hello detection
  • control: refactor connection ownership model and improve thread safety
  • extractor: avoid reporting default values for missing SSL fields
  • file_api: coverity fix
  • flow: refactor dump_flows command to dump flow state in binary format
  • mime: fix compile issues
  • react: block flow when packets are not reset candidates
  • show_flows: implement utility program to convert dump_flows binary files to text Flow state data for each flow
  • smtp: handle split CRLF in multi-line response parsing
  • ssl: ssl client hello event is published with empty hostname

Snort v3.10.1.0

13 Jan 03:26

Dependencies:

  • Libdaq v3.0.24
  • LibML v2.0.0

Changes in this release since 3.10.0.0:

  • alert_fast: ensure call_once definition doesn't collide in std vs glibc, thanks to krag on GitHub for suggesting this fix
  • alert_json: add support for logging appid, thanks to ssam18 on GitHub for suggesting this change
  • appid: add check to avoid setting brute force state for pending sessions that are pruned
  • appid: allow out-of-order packet inspection in third-party engine
  • appid: check for Lua table errors during initialization and cleanup
  • appid: enable out-of-order inspection by default
  • appid: fix client process regex mapping logic
  • appid: fix eve process handler event debug logging
  • appid: fix setting global ssh ignore flag
  • appid: fix size check in TFTP service detector
  • appid: mDNS TXT records parsing and deviceinfo event generation
  • appid: prevent multiple out-of-bounds reads in ssl
  • build: address compilation warnings
  • build: fix Coverity warnings in related components
  • cmake: fix pkg-config path for libdir, thanks to brianmcgillion on GitHub for submitting a similar fix
  • decoder: adding encode function for TransbridgeCodec
  • dns: add fix for infinite recursion vulnerability
  • file: use new EVP functions rather than deprecated SHA functions
  • flow: add logs to show different ways a flow can fail to create
  • ftp_telnet: fix coverity errors and improve cmd_len configurability
  • ftp_telnet: fix ftp_cmd_pipe_index handling
  • ftp_telnet: Handle malformed traffic in ftp to generate alert
  • hash: update hashes to use new EVP functions, thanks to
  • http_inspect: add urlencoded to content-type list
  • http_inspect: fix coverity error
  • iec104: fix IEC 104 SQ0 bounds checks by removing duplicate asdu_size_map entries and using IO_GROUP sizes, preventing out-of-bounds reads
  • iec104: validate Type I length to prevent ASDU out-of-bounds read
  • ips_options: fix cursor position for byte_extract
  • ips_options: reset PCRE rule counts on new configuration loaded
  • main: update dioctl daqSnort latency common change
  • mime: add unit tests for data fitting memory limit
  • mime: add unit tests for data over memory limit
  • mime: add unit tests for file logging
  • mime: fix mime boundary parsing
  • mime: ignore field collection if not configured
  • mime: implement content parsing of multipart/form_data
  • mime: improve form-data collection for incomplete boundaries
  • mime: leave room for null-character in case of size limit hit
  • mime: remove unused forward-declaration
  • mime: rename class field to comply with the style
  • mime: return error code if cannot add headers for logging
  • pub_sub: add is_urlencoded method
  • sip: fix out-of-bounds reads in sip_parse_sdp_m
  • smb,dlp: update filename,filesize of FileInfo handling to enable dlp evaluation for repeated txns
  • smtp: usage of config cmds
  • snort2lua: fix failure in converting patterns containing commas
  • snort_ml: enable client body scanning by default
  • snort_ml: scan multipart form data
  • ssl: free certificate data if certificate length is 0
  • ssl: tls client hello check out of bounds fix
  • unified2: use proper API for obtaining VLAN ID from packet

Snort v3.10.0.0

25 Nov 21:53

Dependencies:

  • Libdaq v3.0.23
  • LibML v2.0.0

Changes in this release since 3.9.7.0:

  • appid: ftp parsing bounds check
  • appid: ignore empty strings in ssl lookup api
  • dce_rpc: changed copy to move
  • dns: add counters for different DNS flavors
  • extractor: add quic extractor
  • extractor: fix cppcheck errors
  • file_api: copy cacheable property to new context from cached context and use filecontext from cache, only if the entry is marked as cacheable
  • http_inspect: rename request and response buffers
  • ips_options: make pcre match data thread specific
  • main: Retry queue timeout option added
  • mp_data_bus: unsubscribe API
  • opcua: adding support for opcua
  • opcua: inspector documentation
  • packet_io: changes in active_packet_trace_test
  • reload: make proc_stats thread_local
  • ssh: support fields for extractor

Snort v3.9.7.0

07 Nov 02:55

Dependencies:

  • Libdaq v3.0.22
  • LibML v2.0.0

Changes in this release since 3.9.6.0:

  • appid: add multi-stream support for DNS
  • appid: fix high inspected packets count
  • appid: fix printf args
  • appid: fix ssh service detection with dropped packets
  • appid, http_inspect, dns: add support for DNS over HTTPS and DNS over QUIC
  • appid: ignore arcserve so dcerpc protocol is used when syncing to flow service
  • appid: more restrictive checks for DNS client detection
  • appid: SNI and CNAME patterns matching fix
  • appid: solve coverity warnings
  • appid: suppress false positive coverity warning
  • build: only enable libml for supported versions
  • codec: fix byte math, codec coverity issues
  • dce_rpc: checking out of bounds
  • detection_engine: use const where possible
  • filters: resolve lock issues, 2k38 issues in rate_filter and sfthd
  • flow: new pegs and packet tracer log for flow prune
  • ha: guard against negative shift
  • hash: add FNV-1a hash
  • http_inspect: add waf buffers
  • http_inspect: partial inspection on start line
  • imap: parse_command OOB fix
  • js_norm: prevent memory leak when temp buffer was processing
  • log: increase max length of LogMessage output.
  • memory: resolve race condition on global stats
  • mp_data_bus: fixing coverity issues
  • perf_monitor: don't decrement index if already zero
  • perf_monitor: fix minor issue with int overflow
  • pop: fixing OOB in pop_paf search_for_command
  • rna: use std::move on RnaTracker to move instead of copying
  • s7commplus: out of bounds check during decode
  • sfthd: fix issues with printf type specifier, cppcheck issues
  • snort2lua: use std::move where possible
  • snort_ml: add mpse and lru cache
  • ssl: SSL extractor event
  • stream: add additional lock/unlock when we do extra_data_log
  • stream, loggers: use std::move where possible
  • stream: remove lock on extra_data_log as it is only changed at Analyzer startup
  • stream_tcp: copy all layers from original packet during pseudo packet creation
  • stream_tcp: enhance rst validation to follow RFC 5961 recommendations

Snort v3.9.6.0

06 Oct 21:19

Dependencies:

  • Libdaq v3.0.21
  • LibML v2.0.0

Changes in this release since 3.9.5.0:

  • actions: fix integer underflow in ips_actions pegcount aggregation
  • appid: add setUserDetectorDataItem lua detector API
  • appid: fixed crash in stats manager
  • appid: fix http content processing
  • appid: fixing loop inside nntp validate data
  • appid: retain the shadow traffic status after detector reload
  • appid: standardize variable types in user data map unit test
  • codecs: fix encode for pppoe and ppp
  • control: fix potential buffer overrun by properly checking return of vsnprintf.
  • dce_rpc: clear rule options before freeing the buffer
  • dce-rpc: proper proto-bits not set in DCE2_GetRpkt which causes assertion fail in u2 logger
  • dce_rpc: reassembling out of bounds packets
  • decoder: improved decoding fails error message on tracer
  • decompress: added check for mini_fat_persector to not be zero
  • decompress: fixed VBA decompression unhandled mem alloc exception
  • file_api: file cache sharing to use ref count for file inspector
  • file_api: set file size when file size is middle and data flushed
  • flow: continue retrying when the retry processing is still pending
  • host_tracker: acquire lock on host tracker cache before read access of member variables
  • host_tracker: iterate over network protocol vectors with reverse iterators instead of while loop
  • http_inspect,pub_sub: provide an API in HttpEvent to find whether the HTTP response is using a supported encoding type.
  • log: use batched logger for all kinds of log messages in prod when log_buffer config enabled
  • main: add message when unable to set affinity
  • memory: combine main and first pkt thread memory stats; resolve race condition
  • module_manager: use std::move to improve performance when assigning string variables
  • pub_sub: add quic logging events
  • s7comm: added stream splitter abort checks
  • stream: do not clear a session on a rebuilt packet
  • stream_tcp: do not generate established event on RST if 3whs is not complete
  • trace: print n-tuple for other packet types with IP layer set

Snort v3.9.5.0

04 Sep 21:07

Dependencies:

  • Libdaq v3.0.21
  • LibML v2.0.0

Changes in this release since 3.9.3.0 (3.9.4.0 was an internal tracking tag. No new commits between 3.9.3.0 and 3.9.4.0):

  • appid: first packet API fixes for using asd instead of odp
  • appid: fix multiple mdns issues
  • appid: move tls metadata handling into single place
  • codecs: override default encode for ciscometadata codec
  • control: fix heap-use-after-free in is_local
  • decompress: add unit test for vba decompression - infinite loops, divide-by-zero, integer overflow and out-of-bound
  • file_api: clear file meta group before setting it during reload
  • flow: clear flow ref in pkt on stale flow cleanup
  • helpers: add syscall to flush new data written by SigSafePrinter to disk
  • http_inspect: partial inspection for headers
  • http_inspect: publish OPPORTUNISTIC_TLS
  • imap: abort fallback functionality
  • mp_dbus: make MPDataBusModule stats thread safe
  • protocols: add sanity checks for tcp and ipv4 options to prevent out-of-buffer access
  • ssl: fix unit test for OpenSSL v3+
  • watchdog: replace watchdog command with atomic kicking from packet threads

Snort v3.9.3.0

11 Aug 21:22

Dependencies:

  • Libdaq v3.0.21
  • LibML v2.0.0

Changes in this release since 3.9.2.0:

  • appid: accounting for tmp offset in RPC
  • appid: change appid_shadow_traffic_status to atomic for thread safety
  • appid: combined host pattern matchers
  • appid: fix ASAN issue in AppIdHttpSession::set_req_body_field
  • appid: fix out-of-bounds caused by strncat in identify_user_agent
  • appid: getting packet from event rather than from detectionengine
  • appid: out-of-range readings fix
  • appid: prevent out_of_range and invalid_argument in rpc
  • appid: rpc integer overflow fix
  • build: enable exporting compile commands
  • dce_rpc: checked for integer overflow of smb_hdr + next_command_offset
  • dce_rpc: checking integer overflow on data_offset + data_length
  • detection: extract children-related evaluation logic into separated functions
  • detection: extract current node evaluation logic into separated function
  • detection: fix compile warnings in detection_options.cc
  • file_api: multi-process snort file cache crash fix
  • file_api: multi process snort file cache sharing crash fix
  • helpers: ringLogic framework updated to use atomic rather than volatile
  • http_inspect: add peg count for when published body has hit the requested max size
  • iec104: fallback functionality for abort scenario
  • logger: add batched logger to improve packet_tracer output performance
  • logger: add cpu affinity for log writer thread
  • main: notify DAQ via ioctl message when a packet is injected
  • mime: fix out-of-bounds in case of short boundary chunks
  • packet_tracer: file output will not be using batched logger
  • service_inspectors: Added random base file id generation for imap/pop/smtp.
  • smtp: fix overflow caused by tls data processing in smtp
  • stream_tcp: add splitter restart function, restart when hole skipped by AtomSplitter
  • stream_tcp: fix issues with skipping seglist holes in ids mode
  • stream_tcp: when reassembly is disabled/ignored update rcv_nxt to left edge of first hole or to end of seglist
  • vba_decompress: avoiding heap buffer overflows
  • vba_decompress: exception handled

Snort v3.9.2.0

21 Jul 22:00

Dependencies:

  • Libdaq v3.0.20
  • LibML v2.0.0

Changes in this release since 3.9.1.0:

  • build: fix comparison of empty integers. Thanks to Hatix Ntsoa.
  • cip: cip inspector fallback functionality
  • extractor: modify JSON Formatter to improve performance
  • file_api: multi instance snort related file cache sharing
  • flow: watchdog kick in dump flow summary
  • hash: ensure that find_else_create functions set is_new field in all cases
  • hash: return cache size from remove so new size check can be atomic
  • http_inspect: parameter name change from partial_depth to partial_depth_body
  • http_param: clear body http_param after each flush
  • main: do not start Analyzer if codec manager doesn't match any codec
  • modbus: modbus paf abort
  • stream_tcp: separate logs and counters for left and right invalid sequence numbers

Snort v3.9.1.0

02 Jul 00:40

Dependencies:

  • Libdaq v3.0.20
  • LibML v2.0.0
  • If you are using rules from snort.org, please use latest Talos_lightSPD package from version 2025-06-05-001 onward (due to API bump in 3.9.0.0)

Changes in this release since 3.9.0.0:

  • appid: appid_debug_test and critical log fix
  • appid: broadcast command for third party tfini during tterm rather than doing it sequentially
  • appid: differentiate between request and response DNS host
  • appid: fixed APPID_LOG macro for correct usage of log_level
  • appid: fixed stash issue by fixing publishing shadow traffic
  • appid: fix tcp dns multiple transaction support
  • appid: queue analyzer command for third party setup during appid id tinit and stagger packet threads during third party tinit
  • appid: sync flow service with protocol based detection
  • binder, flow, framework: add a facility to block binding based on a do_not_decrypt flow flag and inspector can_decrypt method
  • build: address coverity warnings
  • connectors: add buffered output to std_connector
  • connectors: add redirect option to print to a file
  • connectors: give name to flusher thread
  • connectors: rebuild readers as they might be outdated at exit
  • connectors: rename text log field
  • connectors: set affinity for flusher thread
  • dns: handle multi DNS transactions on one TCP connection
  • extractor: add context logging event for notice
  • helpers: add 1-reader-1-writer ring buffer
  • helpers: fix JSON stream flags after escaping
  • http_inspect: add support for partial_depth configuration option
  • main: clarify the DAQ verdict for inject
  • mime: fix crash in folding right after colon
  • mime: fix eol search and add unit tests
  • mp_dbus: transfer ownership of MPDataBus to new config during reload
  • mp_unix_transport: refactored socket reconnect
  • mp_unix_transport: use shared mutex in message processing
  • profiler: add note for total percentage for profiler_dump
  • ssl: fix integer underflow in certificate parsing
  • unixdomain_connector: explicit include of select.h