forked from arkime/arkime
CHANGELOG
NOTICE: Please see https://github.com/aol/moloch/wiki/FAQ#upgrading-moloch for upgrading info
ES Versions:
* Moloch >= 1.5.0 supports ES >= 5.5.0, 6.x, not 7.x or later
* Moloch >= 1.0.0 supports ES >= 5.5.0, 6.x (not prod tested, only for new installs), not 7.x or later
* Moloch >= 0.50.0 supports ES >= 5.5.0, not 6.x or later
* Moloch >= 0.18.1 supports ES 2.4.x, >= 5.3.1 not 6.x or later
Node Versions:
* Moloch >= 1.6.0 requires NodeJS 8.x (8.12 or later)
* Moloch >= 1.0.0 requires NodeJS 8.x
* Moloch >= 0.20.0 requires NodeJS 6.x
* Moloch >= 0.18.1 requires NodeJS 4.x
NOTICE: Restart wiseService before capture when upgrading
1.8.0 2019/03/XX
- NOTICE: This will be the last version to support ES 5
- all - support tokens for host.*/http.uri/http.useragent field
- viewer - should output csv with commas in fields correctly
- viewer - new Show Packets view in session detail
- capture - libfuzzer fixes
1.7.1 2019/02/14
- NOTICE: db.pl upgrade is required
- viewer - upgrade to d3 v5 for connections page
- viewer - typeahead history for spigraph/connections
- viewer - stats tasks page has a num item selector now
- viewer - welcome message for new users
- viewer - save the last time a user used moloch
- viewer - passing --debug twice will display why traffic is being proxied
- viewer - connections now uses ipv6.port and ipv4:port
- viewer - fix date/time picker timezone and input bugs
- wise - support json paths
- wise - improve alienvault loading
- capture - more tcpflags fields can be matched with rules
- capture - print more stats at exit with --debug
- capture - fix small bpf memory leak
- capture - rules can support most .cnt fields
- capture - fix OBR if cert has no serial
- capture - libfuzzer support and initial fixes
- parliament - add no alert cluster type
- parliament - remove selected acknowledged issues
- parliament - add help page
1.7.0 2019/01/17
- NOTICE: db.pl upgrade is required
- release - node 8.15.0, cyberchef
- capture - new cert remainingDays field
- capture - new tcp initRTT field
- viewer - cron query notifications (issue #489)
- viewer - can't use es scroll api with "from" (issue #981)
- viewer - Export CSV uses the columns shown
- viewer - field history for search expression (issue #595)
- viewer - fix date/time picker not using user set timezone (issue #977)
- viewer - don’t display undefined or empty field values
- viewer - fix timezone parsing in session detail date field values
- viewer - show error if using an outdated browser (issue #980)
- viewer - export results intersection
- viewer - add clickable labels to the info column
- viewer - reset the width of the session table columns when switching back to the default
- parliament - search and page results on the issues page (issues #982 and #983)
- parliament - add a length of time threshold for “low packets” issues (issue #968)
- capture - Fixed corrupt file sequence numbers being used when
ES is under heavy load
- capture - Fix importing more than 256 files at once not working correctly (issue #984)
- all - communityId support for tcp/udp (issue #966)
- capture - In live capture clean up sessions even if no packets are being received
- db - improve expire efficiency
- capture - fix elasticsearch classifier
- capture - for offline pcap honor umask when --copy is used (issue #976)
- viewer - Fix some rXSS, thanks Esben Sparre Andreasen of Semmle Security Research Team
1.6.2 2018/12/07
- NOTICE: db.pl upgrade is required
- suricata - fix crash when signature name > 128 characters long
- suricata - fix severity parsing (again)
- capture - fix possible crash when exporting invalid utf8
- db - support new --shardsPerNode option
- viewer - don't issue search when closing the date/time pickers
- viewer - download packets src/dst bytes img
- viewer - option to show timezone with every timestamp
- viewer - added new user permissions (hideStats, hideFiles, hidePcap, and disablePcapDownload)
- parliament - add option to provide link to dashboard in alert notifications
- viewer - configure connection node/link popup data
- release - build snf plugin with screwdriver
- capture - fix tls parser infinite loop
- viewer - can customize fields in the info column
- viewer - new es recovery tab
- viewer - stats page shows when data is being loaded from server
1.6.1 2018/11/06
- NOTICE: db.pl upgrade is required
- capture - ja3s support (issue #949)
- capture - hassh support (issue #950)
- capture - simpleKEKId can be a template
- all - Certificate org names can be an array now
- wise - reverse dns supports servers setting
- all - new written/unwritten stats to see how much Moloch has written or
not written to disk
- all - don't index packet positions or packet lengths in ES
1.6.0 2018/10/29
- NOTICE: db.pl upgrade is required
- release - glib 2.56.2, yara 3.8.1, curl 7.61.1, lua 3.3.5, node 8.12.0
- db - expire checks min lastPacket in each session2 like curator, not just
based on name
- wise - support any field for ES WISE source
- viewer - packet search (hunt)
- viewer - admins can see forced expression for users in history
- viewer - option to add sessions table column configuration to a view
- viewer - files and stats tables can be customized
- suricata - parse severity
- capture - new _dontCheckYara rule ops
- parliament - add --debug option
- parliament - add --dasboardOnly flag
- capture - set vlan field for afpacket
- capture - new setting parseHTTPRequestHeaderAll, which will parse ALL request
headers not already parsed into 1 ES field (pr #914)
- capture - new setting parseHTTPResponseHeaderAll, which will parse ALL response
headers not already parsed into 1 ES field (pr #914)
- capture - new setting parseSMTPHeaderAll, which will parse ALL email headers
not already parsed into 1 ES field (pr #914)
- capture - new setting parseDNSRecordAll, which will parse a full DNS record
into multiple new ES fields (pr #914)
- viewer - show shortcuts on shift
- capture - initial gtp tunnel support (issue #926)
- wise - new wiseLogEvery to control how often plugin logs (0 disables)
- capture - experimental autoGenerateId config to use ES auto generated ids
- viewer - Ability to download files based on hash (pr #927)
- viewer - Can resize/save columns (issue #909)
- multiviewer - Can save user settings and such (pr #935)
- viewer - Can share views with all other users
- db.pl - New backup/restore commands, saves everything but sessions
1.5.3 2018/09/10
- release - libpcap 1.9.0
- all - new hourly[2348]/hourly12 rotateIndex
- all - deal with talking to multiple wise servers better
- all - --insecure option
- all - use package-lock.json so all builds use the same packages
- viewer - fix some spiview display issues (dns ip, email headers)
- viewer - fix upload command tags (issue #888)
- viewer - aes-256-ctr: fix issues decoding larger files
- viewer - set rejectUnauthorized for ES connections (issue #894)
- viewer - fix some payloads not displaying for css reasons
- viewer - added zoom buttons to connections
- viewer - keyboard shortcuts
- capture - require gnu99 supporting compiler
- capture - if single tcp data packet left at save time, try and classify it (issue #880)
- capture - for live captures prevent out of order stats records
- capture - aes-256-ctr: iv is 12B, limit maxFileSizeG to 64G, dek is more random
- capture - Added corrupt setting to saveUnknownPackets
- capture - new -o option to override config file from command line
- capture - trim leading/trailing whitespace from config options
- capture - new --nostats option to stop stats from being sent to ES
- capture - fix http socket leak on errors
- capture - new -F option to specify files that contain a list of pcap files to process
- capture - new --reprocess option that won't create a new file entry (but
will duplicate SPI data)
- capture - add IPPORT_DROPPED count to stats log
- capture - fix some possible bad memory reads in oracle/radius/http parsers
- capture - fix some possible integer overflow issues
- capture - fix tcp sequence number issues
- parliament - uses Vue now
- parliament - support email alerts
- parliament - new edit slider to show edit buttons
- parliament - many improvements how issues work
1.5.2 2018/07/26
- capture - new custom-fields section
- viewer - new custom-views section
- capture - fix for inplace pcap ingestion not displaying pcap in viewer, introduced in 1.5.0
- capture - support QUIC version >= 40
- release - Build Ubuntu 18.04 version
- wise - fixed sources that didn't register at startup
1.5.1 2018/07/23
- capture - fix ipv6 sctp hang
- viewer - added back many tooltips
- viewer - fix crash when node doesn't exist
- viewer - fixed some fields not showing up
- snf - new config snfFlags
- viewer - fix sorting by a column that isn't in all indices
- capture - memory leak fix
- suricata - keep alerts for suricataExpireMinutes setting
1.5.0 2018/07/16
- BREAKING: wiseCache redis name changes
- viewer - sessions, spiview, spigraph, connections, help, users, history pages implemented
in Vue instead of AngularJS
- viewer - split stats capture graphs/stats into 2 tabs
- viewer - stats now has sort option
- capture - new maxTcpOutOfOrderPackets setting, default 256
- capture - drophash supports v6 and saving
- wise - support talking to wise over https, use wiseURL
- capture - basic mqtt parsing
- capture - rules reload without restarting
- viewer/db - new hide-node/unhide-node commands to hide nodes in capture stats
- viewer - New queryAllIndices
- multiviewer - no longer need to have the same rotateIndex everywhere
- capture - initial saveUnknownPackets support
- capture - new interfaceOps for ops per interface
- capture - new filenameOps for ops per filename (issue #857)
- s3 - use 1.0 field names
- viewer - fix a case when decoding failed
- all - ESP now has first packet capture if trackESP is set
- capture - magicMode: removed molochmagic and added "both" mode
- wise - initial splunk source
- capture - new suricata plugin
- wise - [right-click] with no colon now loads directly from wise.ini
- capture - decode dns punycode into dns.host, dns.puny has original
- capture - yaraEveryPacket (default true) when false only does first packets
- capture - yaraFastMode (default true) when false turns off fast mode
- viewer - switch to javascript png implementation
- all - added some GRE erspan support
- viewer - support gt/lt queries for ip
- capture/wise - can now configure what fields map to what wise queries and
send almost any field (issue #840)
- all - added used space stat
- all - changed free space stat to use 1000 based units
- viewer - removed AngularJS, all pages implemented in Vue
- capture - hsrp classify
1.1.1 2018/05/31
- all - fix http.statuscode
- capture - fix _dropByDst/_dropBySrc crash
- capture - tcpflag are always counted (issue #849)
- viewer - fix 10k sessions.json failure
1.1.0 2018/04/30
- all - basic sctp capturing, no decoding (issue #828)
- all - initial unencrypted 802.11 Data Frame support (issue #834)
- db - new segments option to expire and optimize
- release - curl, node, cyberchef
- viewer - http.uri and host* allows pasting a URL and doing the right thing (pull #831)
- capture - New logHTTPConnections setting (pull #749)
- capture - new wiseExcludeDomains setting, used before sending to wiseService (issue #340)
defaults to ".in-addr.arpa;.ip6.arpa"
- wise - full ipv6 support
- capture - basic sccp classify
- all - initial frame relay support (issue #838)
- all - initial 4 over 6 and 6 over 4 support
- viewer - support fields=id for sessions.csv (issue #839)
- reindex2 - added --pause option
- viewer - more stats page fixes
1.0.0 2018/04/05
- db - always update stats/dstats indices for now
- parliament - fix es drop error msg
- tests - make sure everything has started before running tests
1.0.0-rc2 2018/03/29
- viewer - Change default spiDataMaxIndices to 4 everywhere
- viewer - work around for ES 6 issue https://github.com/elastic/elasticsearch/issues/27740
- capture - fixed netflow plugin
- tests - initial parliament tests
1.0.0-rc1 2018/03/20
- viewer - minor stats page fixes
- release - new top level package.json/node_modules to make package smaller
1.0.0-beta3 2018/03/15
- viewer - stats page implemented in Vue instead of Angular
- capture - some code cleanup and better thread-safe counters
- viewer - convert field names in saved column sets from pre 1.0
1.0.0-beta2 2018/03/08
- capture - decode some dhcp
- capture - tag a tls session with cert:self-signed
- capture - reload geo, rir, yara and oui files without restarting (issue #692)
- capture - remove yara 1.x support
- viewer - cron jobs now use the timestamp time and not last packet time when choosing sessions to look at;
this means the delay is shorter, although when upgrading to 1.0 some sessions will not be looked at.
1.0.0-beta1 2018/02/20
- capture - calculate sha256 too (set supportSha256=true)
- wise - support sha256 lookups
- capture - fix disable fields
- capture - src/dst ip/port can be used to trigger rules now
- capture - ip fields in rules can now be CIDR
- capture - simple writer now flushes after 10 seconds of no writing;
there still can be pagesize bytes unwritten (issue #777)
1.0.0-alpha2 2018/01/31
- Read alpha1 below
- release - correct geo files
- capture - set default geo file path
1.0.0-alpha1 2018/01/26
- NOTICE: Supported ES Versions: 5.6.x, 6.x (for new installs)
- NOTICE: hasheader for email/http for old sessions will not be migrated
- all - rename all field names
- all - no more analyzed ES fields, everything is a keyword field
- all - full ipv6 support
- all - tags index removed, tags/hasheader stored as first class fields
- all - new reindex2 script to move from pre 1.0 to 1.0
- capture - http uri field no longer starts with // (issue #732)
- capture - use maxminddb instead of geoip now (issue #771)
- all - Country codes are now 2 letters instead of 3 letters
- release - node 8.9.4
0.50.1 2018/03/29
- NOTICE: Supported ES Versions: >= 5.5.0, 6.x is NOT supported
- release - upgrade curl, yara, glib
- viewer - sessions.csv handle multiple fields parameters
- parliament - better dismissing
- all - new hourly6 rotateIndex, for every 6 hours
- parliament - first version of alerts
- parliament - rename server.js to parliament.js
- wise - trim spaces after splitting config values
- capture - better pop3 detection
- capture - correctly lowercase user
- release - added --install to easybutton (issue #812)
- capture - basic memcache classify
- viewer - disable TLS 1.0
- viewer - ES scrolling should be much faster
0.50.0 2018/01/24
- NOTICE: Supported ES Versions: >= 5.5.0, 6.x is NOT supported
- viewer - Fixed CSV export of fields within objects (issue #790)
- capture - Retry http requests on connect failures
- capture - better SLL pcap support (issue #791)
- capture - icmp code and type were swapped
- viewer - shards tab can now exclude/include nodes/ips to move shards around
- capture - removed ES check for http.compression since it is on by default in ES 5
- capture - clean up sockets better
- db.pl - now default to a max of 24 shards
- parliament - initial display of detected issues
- parliament - move all calls behind /parliament to make easier to reverse proxy
- viewer - users forceExpression handles special characters correctly again
0.20.2 2018/01/04
- NOTICE: Supported ES Versions: 2.4.x, > 5.3.1, 6.x is NOT supported
- viewer - upgrade elasticsearch-js
- capture - new --host commandline option to specify how viewers should talk to host
- capture - added classify: dhcp, dhcpv6, splunk, isakmp, aruba-papi
- capture - improved classify: bitcoin, ntp, ssdp
- capture - index first N (default 256) bytes of post bodies, controlled by maxReqBody setting
- capture - more stats on packet processing/failures
- viewer - cleanup sessionErro
- viewer - remove dead code
- tests - more viewer tests
- viewer - upgrade Cyberchef to 6.8.0
- capture - basic mpls stripping (issue #779)
- viewer - start of esshards tab in stats
- parliament - first version (can install with Configure --parliament)
- wise - can now install with Configure --wise
- release - node 6.12.3
0.20.1 2017/11/06
- NOTICE: Supported ES Versions: 2.4.x, 5.1.2, 5.2.x, > 5.3.1, 5.4.x, 5.5.x, 5.6.x
- viewer - graph hover now respects timezone setting (issue #757)
- capture - decode icmp type/code (issue #751)
- viewer - upgrade Cyberchef to 6.4.5
- viewer - es indices tab (#761)
- viewer - es tasks tab (#763)
- capture - ssh parser crash fixed (introduced in 0.20.0)
0.20.0 2017/10/31
- NOTICE: Supported ES Versions: 2.4.x, 5.1.2, 5.2.x, > 5.3.1, 5.4.x, 5.5.x, 5.6.x
- NOTICE: db.pl upgrade is required
- capture - added --packetcnt from @jmd1212
- capture - handle monitor directory being empty
- capture - basic fbzero parser as quic
- capture - pjl, dcerpc detection
- release - on ubuntu, plugins weren't loading dependencies correctly
- viewer - made number of packets displayed setting accurate
- release - move node install from release to easybutton (issue #720)
- release - install ES 5
- capture - initial SMTP BDAT support
- viewer - initial history support
- capture - new advanced setting maxMemPercentage that will abort capture if reached
- capture - basic rip, nzsql detection
- capture - improved quic, mysql detection
- capture - plugins can now replace how SPI data is sent to ES
- viewer - fixed right click menu not working (issue #740)
- viewer - add/remove tags update tag count (PR #756)
- viewer - support sessions resize better
- release - use screwdriver to build and test
- release - upgrade node version
- viewer - fix EXISTS! being reformatted (issue #747)
- viewer - Don't allow * by itself in expressions anymore, must use EXISTS!
- viewer - removed babel, newer browsers required
0.19.2 2017/08/25
- NOTICE: Supported ES Versions: 2.4.x, 5.1.2, 5.2.x, > 5.3.1, 5.4.x, 5.5.x, 5.6.x
- NOTICE: Requires wiseService upgrade if using wise
- capture - ja3 support (https://github.com/salesforce/ja3/) (issue #706)
- viewer - spi view column sets (issue #713)
- viewer - remove jade dependency since using pug now
- release - node 6.x
- viewer - fix world map button (issue #724)
- tests - viewer tests are updated and all passing again
- viewer - most session detail labels now have menus (issue #723)
- s3 - fixed deadlock (issue #716)
- wise - only allow 4096 waiting sessions
- viewer - add top 10 countries to map (#564)
- viewer - type ahead improvements, disable by default for multiviewer
- snf - fix build (issue #719)
- viewer - abbreviate large units for data bytes (issue #680)
- viewer - add href to nav tab links (issue #651)
- viewer - save spiview fields (issue #715)
- easybutton - Upgrade yara, glib, curl versions
- viewer - session columns are resizeable (issue #676)
- wise - ja3 support
- capture - fixed capture crash when wiseService is restarted
- release - build a better NOTICE file for binary releases
- wise - don't crash on "null" json values
- viewer - decode Basic auth values
- viewer - ES scrolling should work better
0.19.1 2017/07/13
- NOTICE: Supported ES Versions: 2.4.x, 5.1.2, 5.2.x, > 5.3.1, 5.4.x
- viewer - stats bytes human readable format
- capture - fix wise plugin crash
- viewer - handle corrupt theme
- capture - fix quic parser crash
- release - libyaml as a dependency
0.19.0 2017/07/11
- NOTICE: Supported ES Versions: 2.4.x, 5.1.2, 5.2.x, > 5.3.1, 5.4.x
- viewer - remove old UI
- viewer - CyberChef integration (must always add hex decoding)
- viewer - spigraph sort and refreshing improvements
- viewer - spiview fixed unique malform url
- viewer - stats allow comma separated list
- capture - rulesFiles and rules support
- capture - fixed daq building
- viewer - ES scrolling didn't work (issue #697)
- easybutton - Upgrade yara, glib, geoip, curl versions
- capture - fixed writer crash with --copy (issue #711)
- viewer - lots of stats tab fixes (issue #629,#655)
- viewer - setting for query on page load (issue #599)
- viewer - don't sort unsortable columns (issue #593)
- viewer - clipboard fixes (issue #707)
0.18.3 2017/05/25
- NOTICE: Supported ES Versions: 2.4.x, 5.1.2, 5.2.x, > 5.3.1, 5.4.x
- viewer - Other decodings (issues #684, #670)
- viewer - Text lineup (issue #598)
- wise - track average running time
- viewer - session graph uses timezone setting
- viewer - fixed cron query creation with forwarding failures
- viewer - new serverSecret instead of passwordSecret for S2S
- viewer - csv export uses visible columns in session table (issue #601)
- viewer - stats page improvements (issue #682)
- viewer - do a better job on quoting expressions (issue #694)
- viewer - remove duplicate TLS section
- viewer - back button works better with new UI
- viewer - fixed connections query size (issue #685)
- viewer - Real SPA (issue #664)
- viewer - Align email header (issue #690)
- viewer - Fixed email query generation (issue #689)
- viewer - spigraph copy/paste (issue #646)
- db - handle _optimize vs _forcemerge
0.18.2 2017/04/16
- NOTICE: Supported ES Versions: 2.4.x, 5.1.2, 5.2.x, > 5.3.1, 5.4.x
- capture - New snapLen variable, by default 16384
- release - Configure improvements
- release - ethtool startup commands moved to moloch_config_interfaces.sh
- viewer - custom themes
- viewer - fix clickable session field off-focusing too easily
- viewer - can cancel spiview loads (issue #637)
- viewer - expose session length in pagination select box (issue #677)
- viewer - fix spiview not updating (issue #656)
- viewer - type ahead fixes/dismiss (issue #591)
- viewer - apply search expression to url (issue #649)
- viewer - display array values in sessions correctly (issue #625)
- viewer - fix broken node display in stats (issue #672)
- viewer - permalink fixes (issue #673)
- viewer - spigraph field typeahead fixes (issues #647)
- viewer - connections field typeahead fixes (issues #675)
- viewer - display when packets are rendering
- viewer - make sorting icons consistent
- viewer - connections tab links are rendered correctly (issue #641)
- viewer - make sure connections popup renders inside view (issue #644)
- capture - support ES basic auth (issue #679)
- release - Configure supports multiple interfaces
- release - only use systemd files if systemctl and /etc/systemd exist
0.18.1 2017/03/28
- NOTICE: Supported ES Versions: 2.4.x, 5.1.2, 5.2.x (5.3.0 is NOT supported)
- release - node 4.8.1, lua 5.3.4, curl 7.53.1, glib2 2.52.0
- capture - handle certs with after dates before the before date
- capture - actually truncate urls, previous fix didn't work (issue #458, #667)
- capture - handle certs with pre epoch times
- capture - more magicMode basic detections
- db - Handle timeouts and nodeNames better with upgrading from db version 30 to 34
- capture - fix race condition when quitting and processing unsaved sessions
0.18.0 2017/03/21
- NOTICE: Upgrading to 0.18 requires an outage for db.pl upgrade (~5 min)
- NOTICE: Must upgrade wiseService BEFORE upgrading moloch-capture.
New 0.18.0 wiseService can be used with older moloch-capture.
- NOTICE: db.pl upgrade REQUIRES *ALL* moloch-capture to be down
- NOTICE: Supported ES Versions: 2.4.x, 5.1.2, 5.2.x (5.3.0 is NOT supported)
ES 5 users READ: https://github.com/aol/moloch/wiki/FAQ#how-do-i-upgrade-to-es-5x
- NOTICE: 0.18.0 has a new look and feel. Some features have been added, removed,
or temporarily are missing. Feedback using slack or github issues welcome.
- wise - md5 lookups now associated with contentType
- wise - virustotal support
- capture - contentType now sent to wise for md5 lookups
- db - all indices except sessions-* are reindex for ES5 support
- capture - all readers must use batch interface
- multi - fixed tags for new ui /detail and added tests
- viewer - files tab uses new ui
- viewer - users tab uses new ui
- viewer - stats tab uses new ui (/stats.old available temporarily)
- viewer - sessions tab uses new ui (/sessions.old available temporarily)
- viewer - newUI setting removed
- viewer - spiview tab uses new ui (/spiview.old available temporarily)
- viewer - connections tab uses new ui (/connections.old available temporarily)
- capture - pcapWriteMethod=simple-nodirect uses the simple writer without direct
writes. Required for some file systems like zfs
- viewer - spigraph tab uses new ui (/spigraph.old available temporarily)
- capture - tpacketv3 handles multiple interfaces correctly (issue #658)
- easybutton - singlehost and config removed, build remains for now
make install & make config should work
- capture -
0.17.1 2017/01/30
- NOTICE: ES 2.4 or ES 5.1.2 required (ES 5.x isn't recommended for production yet)
ES 5 users READ: https://github.com/aol/moloch/wiki/FAQ#how-do-i-upgrade-to-es-5x
- NOTICE: Can only update directly from Moloch 0.11.1 or later
- capture - handle missing syn/ack better
- capture - better mongo detection
- db - dstats_2 and stats_v1 now use date for time for kibana support, also prepares for ES 5 upgrade
- capture - some arm64 fixes (issue #584)
- viewer - new settings page
- capture - tpacketv3 no longer requires a bpf
- capture - pfring uses batch packet api
- capture - fix libpcap multiple interface crash (issue #610)
- release - Configure improvements
0.17.0 2017/01/05
- NOTICE: npm update required
- NOTICE: ES 2.4.x required
- NOTICE: Last version that can be updated directly from Moloch 0.11.0 or earlier
- viewer - New sessions UI (newUI=true)
- all - Initial ES 5.0 support (do not use in production!)
- all - Refactor many ES calls to remove deprecated syntax
- viewer - Handle multiple query parameters better
- WISE - basic elasticsearch source
- all - Initial pcap encoding support, variables
* simpleEncoding: aes-256-ctr or xor-2048
* simpleKEKId - The kek id to use from the keks section
* [keks] - A section with multiple kekid=password entries
- capture - Fixed yara 1.7 multithread crash (issue #568)
- capture - Handle frag gre with frag ip inside
- viewer - New Help UI (based on new ui)
- viewer - New bounding select box
- viewer - Fix clicking map not applying query expression
- db - New sync-files which does both add/rm missing faster
- viewer - Add column menus
- viewer - Fix reordering columns
- viewer - Fix unnecessary whitespace when copying values from session table
- viewer - Add IP:Port option to field menus
- viewer - Permalink adds "openAll=1" parameter
- capture - mysql tls parser
- capture - llmnr and mdns
- capture - version command line option prints library versions too
- release - GeoIP 1.6.9, curl 7.52.1, pcap 1.8.1, glib 2.50.2, node 4.6.2
- capture - Use inotify directly since glib2 monitor doesn't expose close write
- capture - support yara 3.5 (issue #521)
- capture - new --op option to set any field (issue #412)
- capture - added dontSaveSPI=1 support to tagger/wise to not save SPI data (issue #505)
- capture - basic kafka, dropbox-lan-sync detection
- capture - new scrubspi plugin
- viewer - Apply user setting timezone
- viewer - Add "EXISTS!" to search expression typeahead results
- viewer - split session spi data and pcap loading into two apis
0.16.1 2016/11/28
- NOTICE: db.pl upgrade is required
- capture - out-of-order and acked-unseen-segment tags
- capture - initial pppoe support (issue #536)
- capture - new timestamp field when record written
- db - new duplicate firstPacket, lastPacket, ipSrc, ipDst, portSrc, portDst to
make Kibana work better with moloch data.
- db - fix info command
- viewer - don't crash if we can't decode, still might not decode well though (issue #522)
- wise - threatstream sql capture importId and handle stripping hostname for lookups
- capture - new pcapReadMethod of tpacketv3 on linux
- capture - new option magicMode: libmagic, libmagicnotext, molochmagic, basic, none
- capture - The tpacketv3, libpcap* pcapReadMethod now batch packets before adding
to packet queues to reduce mutex lock contention
- wise - Support dos format tagger files
- capture - basic tacacs, flash-policy detection
0.16.0 2016/10/14
- NOTICE: Requires node v4.x (development done with v4.6.0). If upgrading, remove the
node_modules and run "npm install" in viewer and wiseService directory
- viewer - upgrade many packages
- wise - upgrade many packages
- easybutton - download prebuilt node 4.6.0
- capture - set accept-encoding for all requests (issue #542)
- capture - simple oracle parser
- viewer - cron jobs should work much better; unfortunately the delay (~11min)
before items are processed is longer (issue #546)
- capture - http parser now tags passwd= and pass= as http:password
- capture - running on ipv6 improvements (issue #545)
- capture - 0.15.1 broke antiSynDrop=false, now works again
- viewer - supports multiple --debug on command line to up level
- release - supports systemd and lua plugin, slightly more user friendly
0.15.1 2016/10/05
- NOTICE: Last version to support node 0.10
- release - build pfring, daq, snf plugins
- wise - threatstream zip method broke in 0.15 (issue #534)
- wise - support url type
- viewer - read cert/key before dropping permissions (issue #504)
- all - tcpflag counting (issue #506)
0.15.0 2016/09/14
- NOTICE: Requires ES 2.1 or later (recommend 2.4)
- NOTICE: See https://github.com/aol/moloch/wiki/FAQ#How_do_I_upgrade_to_ES_2x_from_ES_1x
to learn how to upgrade to ES 2 - db.pl upgrade is only required if going to ES 2 and
should be run BEFORE upgrading.
- capture - basic flap detection
- db.pl - fixed hourly expiration (issue #501)
- capture - detect tcp syslog, udp sip, tcp nsclient
- capture - handle syn/ack before or with no syn
- capture - support classifiers based on port
- capture - detect zabbix
- viewer - fixed missing stats data (issue #502)
- wise - optionally use external cache (issue #495)
- wise - threatstream can now use the opticlink db directly!
- capture - also record stats every 10 minutes
- viewer - stats can now show 5, 60, 10 minute stats
- viewer - make sure userNameHeader is set before trying to use, and warn if viewHost is not localhost
- viewer - better ipv6 header decoding
- capture - fixed multithread compressES=true crash (issue #524)
- capture - Myricom snf reader plugin support
- easybutton - ES 2.4.0
0.14.2 2016/07/06
- NOTICE: 0.14.x will be the last version to support ES 1.x and ES 2.0
- NOTICE: See https://github.com/aol/moloch/wiki/FAQ#How_do_I_upgrade_to_ES_2x_from_ES_1x
to learn how to upgrade to ES 2 - db.pl upgrade is only required if going to ES 2 and
should be run BEFORE upgrading.
- viewer - limit autocomplete indexes searched (issue #479)
- db.pl - support setting shards and replicas for sessions
- capture - simple tds5 parser
- capture - simple krb5 parser
- capture - fix pfring stats (issue #488)
- db.pl - new "add-missing" command, used if ES files table gets messed up (doesn't reindex)
- capture - throttle when reading offline pcap before overflowing packet queues
- capture - aerospike protocol detection
- capture - cassandra protocol detection
- viewer - spiview now sorts better when session vs packets is used
- capture - minPacketsSaveBPFs which skips saving SPI data for matching sessions,
useful for known internal scanning hosts
- wise - threatstream includes source now (issue #491)
- capture - simple quic parser
- capture - pcapDirTemplate for directory naming inside pcapDir
supports strftime sequences using local time (issue #496)
- capture - more dns parsing
- capture - basic ntp detection
- capture - basic snmp detection
- capture - basic syslog detection
- capture - fixed thread waiting so not a busy wait (lower CPU)
- capture - basic stun detection
0.14.1 2016/06/02
- NOTICE: glib 2.40 required (should be using 2.47 or higher)
- capture - initial lua scripting support
- wise - initial bro querying support
- capture - debug all config requests with --debug
- viewer - fixed XSS (issue #471)
- capture - simple ldap parser
- capture - simple radius parser
- easybutton - ES 2.3.3, run ES as daemon, new config
- capture - new db field tags-term with tags in text format
- capture - fixed FPE crash in stats (issue #475)
- capture - calculate jsonSize better (issue #476)
- capture - basic thrift detection
- wise - new json format for file/url file types
- wise - passivetotal tagging support
- wise - new source that proxies to another wise
- all - support https elasticsearch
0.14.0 2016/05/08
- NOTICE: libnids is no longer required
- NOTICE: You'll want to rerun configure if using the same build directory
- NOTICE: db.pl upgrade is required
- NOTICE: ipv6 support is experimental, and will change with ES 5.0
- capture - replace libnids with internal tcp
- capture - basic threads
- capture - memory reporting on linux uses /proc/self/statm now
- capture - more stats
- capture - basic ipv6
- viewer - Columns can be hidden/moved on stats, sessions pages
- capture - pfring and daq support are now plugins (capture/plugins)
- capture - can monitor multiple interfaces
- capture - udp can parse all packets in session now
- dns - now parses all requests/responses
- dns - parse multi packet tcp requests
- capture - gre support
- all - memory/free space percentage (issue #164)
- addUser - New option --webauthonly
- capture - Added readTruncatedPackets config option
- capture - truncate urls at 4096 bytes and mid save sessions with large fields (issue #458)
- capture - warn if hostname isn't a FQDN (issue #459)
- capture - fix memory leak in ES writing
- viewer - Total/Average stats are of filtered data
- capture - use getdomainname to try and form FQDN
- easybutton - node 0.10.45
0.12.3 2016/03/28
- NOTICE: Only ES 1.7.x and ES 2.x is supported by this version.
- NOTICE: Requires running npm update
- NOTICE: See https://github.com/aol/moloch/wiki/FAQ#How_do_I_upgrade_to_ES_2x_from_ES_1x
to learn how to upgrade to ES 2 - db.pl upgrade is only required if going to ES 2 and
should be run BEFORE upgrading.
- all - added support for ES 2
- viewer - upgraded to express 4
- viewer - ES load is now a single number to support ES 2
- db.pl - fixed _upgrade call, needed to be POST
- tests - http.referer tests
- capture - smtp now handles no space for mail from, rcpt to (issue #442)
- capture - basic jabber/sip protocol detection
- capture - http:password set for case insensitive password= now
- capture - rdp "Cookie" if present is stored in user field
- viewer - support auto complete on all fields (experimental)
- capture - fix for tagger.so crash on XFF fields introduced in 0.12.2
- easybutton - node 0.10.43, libpcap 1.7.3
- easybutton - disable bluetooth in libpcap (issue #445)
0.12.2 2016/01/15
- NOTICE: Only ES 1.[67].x is supported by this version.
- capture - basic redis detection
- viewer - connections node distance (issue #428)
- easybutton - glib 2.47.4 (issue #423)
- easybutton - disable usb support for libpcap (issue #426)
- viewer - connections highlighting (issue #431)
- capture - basic mongo detection
- viewer - added Export Unique IP:Ports
- capture - switched memory reporting to even more accurate statm on linux
0.12.1 2015/11/10
- capture - fixed startup glib error
- configure - fixed version number
- easybutton - ES 1.7.3
0.12.0 2015/11/09
- NOTICE: libcurl (>= 7.21.7) is now required, sorry
- NOTICE: db.pl upgrade is required
- NOTICE: duplicate items in available both in tags and elsewhere have been
removed from tags for future data
- capture - http module rewritten to use libcurl, woot!
- capture/s3 - S3 traffic now sent over https
- viewer - upgraded to DataTables 1.10.7 (issue #379)
- viewer - add search to files tab (issue #70)
- viewer - handle older indexes without bytes/databytes/packets
per src/dst (issue #396)
- viewer - upgrade D3 to 3.5.5 and switch to min version
- viewer - upgrade jquery to 2.1.4
- db - New rm-node command to delete from ES nodes that are no longer active
- capture - cert.hash is sha1 hash for SSL certificate (issue #388)
- viewer - New snapto time search that uses current query result for future
queries (issue #398)
- capture - Removed most tags items
- viewer - Delta Time display (issue #398)
- capture - pcapWriteMethod defaults to thread-direct now
- viewer - freeSpaceG defaults to 5% now
- viewer - 404 page and status code logged (issue #397)
- easybutton - ES 1.6.2
- easybutton - build curl with --without-librtmp (issue #403)
- easybutton - mirror sourceforge downloads for now (issue #406)
- db - Increased optimize timeout
- db - Require 1.4.x or later
- db - Removed "index.codec.bloom.load=false"
- db - Added warning for ES below 1.6.2
- wise - use native hashtable, required for threatstream
- viewer - fixed addTags to work with session that have no tags
- capture - fixed multiple smtp, smb and ssh buffer overflow read/writes (reported by jbremer)
- viewer - fixed multiple XSS injections (reported by jbremer)
- viewer - fixed crash when viewing large mime messages
- capture - irc detection improvement
- capture - --quiet flag (issue #427)
0.11.5 2015/06/02
- NOTICE: Only ES 1.[45].x is supported by this version.
Restart viewer AFTER upgrading ES versions
- NOTICE: If using multies all viewers must be upgraded at once
- NOTICE: Requires running npm update
- capture - http logs connecting time
- capture - fix http crash issue
- capture - compiles on OSX again
- capture - only classify initial udp traffic, performance increase
- tests - new spigraph tests
- tests - many new multi tests
- viewer - switched from ES facets to ES aggregations
- viewer - maps support src vs dst now
- multi - fixed hasheader/tag support
- easybutton - ES 1.5.2, node 0.10.38
- viewer - Fixed incorrect expression for http.cookie.key
- viewer - Added --debug to viewer
- viewer - Only keep 10 files on expire instead of 100, delete up to 200 at a time
- viewer - Switched hacking viewer
- viewer - Decoding is now handled with node streams which will allow
chaining and plugin decoders eventually - npm update required
- capture - Added cookie value parsing, default off controlled by
parseCookieValue (issue #371)
- viewer - EXISTS! fixes, tests, and docs (issue #367)
- viewer - Reuse Uncompress and Files settings between sessions
- viewer - Anonymous users still have a single set of saved settings
- viewer - Switch actions/views menu to jquery-ContextMenu which looks more like a menu
- capture - Handle ASCII formatted SMB strings
- capture - payload8 wasn't always all 8 bytes
- viewer - Initial configuration of displayed columns (issue #257)
- capture - reenabled ftp/lmtp classify
- capture - vnc classify (issue #382)
- capture - fixed tcp_flags for netflow (pr #386)
- viewer - spiview shows protocols per category (issue #385)
- viewer - spiview supports filename (issue #389)
0.11.4 2015/04/08
- NOTICE: db.pl upgrade is required
- NOTICE: Only ES 1.4.x is supported by this version.
ES 1.[23] may still work
Restart viewer AFTER upgrading ES versions
- http connection handling rework, hopefully better
- moloch-capture will no longer monitor itself even if it uses the same interface to talk to ES
- now save packet lengths to ES
- writing pcap to disk is now pluggable
- S3 is the first pcap writer plugin, currently experimental
https://github.com/aol/moloch/wiki/S3
- multies supports file query
- maxFileSizeG can now be a float
- Configurable right click actions on various data types
https://github.com/aol/moloch/wiki/Settings#rightclick
- Upgraded jQuery-contextMenu
- WISE - url source supports headers (issue #346)
- easybutton installs node 0.10.37, libpcap 1.7.2, and ES 1.4.4 now
- connections.csv returns session count (issue #356)
- Expose the id/rootId in SPI Meta (issue #355)
- WISE - right click loading from files
- spiview improvements - collapsible sections, sorting,
right click to set load on default (issue #360)
- db.pl for ES >= 1.4 now issues _upgrade on optimize/expire
- WISE - configurable reversedns stripDomains (issue #365)
0.11.3 2015/02/26
- NOTICE: Only 1.[234].x are supported by this version.
Restart viewer AFTER upgrading ES versions
- NOTICE: Requires running npm update for ES 1.3 and moment support
- NOTICE: Requires running db.pl host:port upgrade
- For NEW installs can now set a prefix= config variable and
db.pl --prefix option that will prefix all ES tables. This makes
it easier for Moloch to share ES with other services OR multiple
Moloch clusters can use 1 ES cluster with different prefixes.
- New usersElasticsearch= and usersPrefix= config that make it possible
for multiple Moloch clusters to share a single users table.
- viewer: removal of pre 1.2 ES things
- Some cron efficiency improvements
- Check more often if files need to be expired
- More SMB1 parsing
- More TLS ciphers
- Major viewer test suite restructure and improvements
- Handle searching for ip 255.255.255.255 (issue #301)
- Fixed RangeError (issue #299)
- CronQuery changes to split up multi day queries
- Fixed viewer crashes in pristine state (#304)
- Added MultiES and fresh install test cases
- HTTP Authorization parsing (http.authtype, http.user)
- Moved HTTP URI parsing from message complete to headers complete
- Better Socks4 support
- Updated easybutton versions of glib, es, node, geoip
- New data feed framework, WISE - https://github.com/aol/moloch/wiki/WISE
- http LOG message has total time now
- netflow plugin sends flows for both directions
- netflow plugin more time fixes
- WISE - threatq support
- WISE - reversedns support (issue #217)
- WISE - CIDR support (issue #312)
- WISE - filtering (issue #314)
- WISE - AlienVault support
- MultiES fixes with tags search
- Start of viewer plugins, set with viewerPlugins
- WISE - views now downloaded from wiseService
- Requires viewerPlugins=wise.js in ini file
- if upgrading (cd plugins ; rm emergingthreats.detail.jade opendns.detail.jade threatq.detail.jade threatstream.detail.jade)
- New offlineFilenameRegex setting to control which files are matched with -R (issue #313)
- monitor + recursive should monitor new directories (issue #305)
- Fixed addUser.js error when multiple es nodes are listed in config.ini (issue #322)
- WISE - Tagger files can have views defined with #view:
- New cert.notbefore, cert.notafter, cert.validfor fields (issue #329)
- New starttime, stoptime, view fields (issue #307)
- New tls.sessionid.dst, tls.sessionid.src, tls.sessionid fields (issue #326)
- Use ELS doc_values for some fields to reduce ES memory
- Added cert.cnt back
- Handle bad ip.protocol strings better (issue #330)
- Added dontSaveBPFs config
- Switched capture memory reporting to more accurate getrusage
- Added capture cpu reporting to stats (requires db.pl upgrade)
0.11.2 2014/10/16
- NOTICE: ES 1.1.x, 1.2.x, 1.3.x are supported by this version.
ES 0.90.12 still works but will no longer be supported.
Restart viewer AFTER upgrading ES versions
- NOTICE: Requires running db.pl upgrade
- NOTICE: Requires running npm update for ES 1.3 support
- New experimental "Cron Queries" feature
* ONE and ONLY one viewer should have "cronQueries=true"
* New [moloch-clusters] config section to send sessions
from one cluster to another
- Doubled the number of sockets from viewer to ES, now 20
- Regex and wildcard support for file expression
- Regex is stricter about back slashing (issue #281)
- Cache user lookups for 5 seconds
- dontSaveTags config can now have a :<num> for each tag which
specifies the total packets to save. (issue #278)
- Allow multiple -r and -R options
- Fixed update vs upgrade message (issue #287)
- Fixed expression errors not displayed on connections tab (issue #288)
- Added vlan and mac.src, mac.dst, mac indexing/expressions (issue #284)
- Can disable/enable fields from being indexed with
'./db.pl <host:port> field disable <expression>'
- Directory monitoring support (issue #191)
* --monitor (-m) to enable
* --recursive required to monitor recursively
- --delete removes files after processing, requires --copy
- --skip (-s) skips files that have already been processed
- Tagger now loads items from ES faster
- Tagger now supports setting almost any field using match;FIELD=value;FIELD2=value2
It is now possible to have a different tag per match
- Tagger now supports matching email and uri paths
- Sort session sections
- New http.cookie.key expression
- Handle larger SSL/TLS certificates
- New fields can be defined in tagger input files
- New tls.version and tls.cipher fields
0.11.1 2014/08/07
- NOTICE: ES 0.90.12+, 1.1.x, 1.2.0 are supported by this version.
ES 1.0 is NOT supported.
This is the LAST version to support 0.90.x
Restart viewer AFTER upgrading ES versions
- NOTICE: When upgrading your runes.sh for 1.x add a -d to the
command, ES no longer runs in background by default
- Parsers can register for session save events (issue #248)
- Fix compressES check with ES 1.x (issue #255)
- Show error for ip queries with regex or wildcard (issue #252)
- added session.segments and session.length (issue #254)
- support elasticsearch=http:// or https:// format (issue #249)
- Only libmagic the first 50 bytes
- users tab can now sort various tabs
- Turn off bloom filter for previous indexes if using db.pl expire
- Set threadpool search queue size to unlimited
- stats page works again with dynamic scripts disabled
- New db.pl rm-missing command (issue #242)
- Upgrade qtip2 to 2.2.0
- Mouse over view names shows expression (issue #220)
- Display SPI Data even if node is unavailable (issue #219)
- Netflow plugin timestamp fixes (issue #241)
- Comma separated list of elasticsearch hosts (issue #176)
- New includes directive (issue #144)
- Initial bigendian support in viewer (issue #259)
- List queries can now have wildcard and regex items.
example: http.uri = [term, w*ldcard, /.*regex/]
- freeSpaceG now supports a percentage
- Show up to 25 items of each SPI data field with a ...
to show more (issue #262)
- If a http header went across two packets the leading piece
would be chopped
0.11.0 2014/05/08
- BREAKING: elasticsearch 0.90.7 or newer required, recommend 0.90.12+,
1.x not supported yet
- BREAKING: node 0.10.20 or newer required, 0.11+ not supported yet
- BREAKING: Many of the older expressions that were kept for backwards
compatibility no longer work
- BREAKING: All plugins need to be updated and rebuilt
- BREAKING: Glib 2.30 or newer is now required, short term workaround is
adding "#define G_VALUE_INIT { 0, { { 0 } } }" to moloch.h, but please upgrade
- BREAKING: switched to official elasticsearch javascript client,
npm update required (issue #222)
- Major internal fields refactoring
- Fields are now 'easy' to create, only need to change 2 places
- db.pl upgrade should be needed less often
- Plugins/Parsers can have their own sessionDetail UI
- New protocols, dns.status, dns.query.type, dns.query.class fields
- Fixed bug with http parser not capturing last query value
- http connecting is now mostly async for faster startup (issue #225)
- tagger loading is now mostly async for faster startup
- titleTemplate config option (issue #229)
- output buffers are now mmaped so they are more likely to be returned to OS
- free output buffers are now cached, controlled by maxFreeOutputBuffers
- More untagging, new fields http.method, http.statuscode, http.bodymagic