The latest pre-releases of YAF 3.x are listed below.

See also the latest YAF 2.x (stable) releases and all YAF releases.

YAF Binary Package

To install YAF via a pre-built RPM, see Install YAF from the CERT Linux Forensics Tools Repository on the YAF installation and dependencies page.

YAF Release 3.0.0.alpha4, 2023-Dec-21

Downloads

(SHA256=2cf088518c7740bbea09152cda3009d8f01860acd0d4e77030668fa28a0512df)

Changelog

  • Added the ability to decode VxLAN-encapsulated packets, Geneve-encapsulated packets, and Geneve-encapsulated VxLAN-encapsulated packets.
  • Added a --no-mpls option to disable export of MPLS labels when YAF has been built with MPLS support.
  • Fixed TLS certificate parsing to be more selective on which values are stored in the list of sslObjectType-sslObjectValue pairs.

YAF Release 3.0.0.alpha3, 2023-Jul-18

Downloads

(SHA256=fdda8e8efe417865ff71fc73502b69913563dab0229988e6279ebc20e94464bb)

Changelog

  • Changed DNS deep packet inspection to produce names and text records with escape codes for special characters (non-ASCII, non-printable, special whitespace, and label-internal dots in names).
  • Made DNS deep packet inspection more strict about parsing malformed DNS Resource Records across RR boundaries within the packet.
  • Enhanced the --time and --etime options of yafMeta2Pcap to accept a human-readable timestamp in addition to milliseconds.
  • Changed the destination of --version output to the standard output.
  • Changed yaf to only export the fingerprint-related elements (firstPacketBanner, etc.) when the --fpexport option is given. (Requires YAF to be built with --enable-fpexporter.)
  • Changed yaf to only export the p0f-related elements (osName, etc.) when the --p0fprint option is given. (Requires YAF to be built with --with-p0f.)
  • Fixed a crash in YAF that occurs when it is built with GLib 2.75.3 or newer.

YAF Release 3.0.0.alpha2, 2023-Feb-9

Downloads

(SHA256=2c8b52ec9cb447f29897cc17e0d271b87cb940f515abdf6814b4c8dac5a7b468)

Changelog

  • Enhanced the deep packet inspection capabilities for SSH connections to include negotiated algorithms and HASSH hash.
  • Added the JA3 hash to the DPI for TLS connections.
  • Made several changes to the yafDPIRules.conf file for applabels written as C plugins: the user may now disable the export of arbitrary DPI elements and SMTP headers, a protocol may be specified, and the regex definitions have moved from C into yafDPIRules.conf.
  • Increased the maximum payload that YAF may capture for performing DPI.
  • Fixed a potential bug in the Shannon entropy calculation that may cause small differences in calculated values.

YAF Release 3.0.0.alpha1, 2022-Feb-28

Downloads

(SHA256=f2d388ecd53d9c48686f92c1dc816fa0d3fe570f5b6e4a6cbfdc191a4acaeadf)

Changelog

  • Merged the configuration files yafApplabelRules.conf and yafDPIRules.conf into a single file written in Lua. Previous versions of those files will not work with this version of yaf.
  • Changed Deep Packet Inspection (DPI) support to be compiled into yaf when requested by configure; it is no longer a plug-in. Run configure with --enable-dpi to enable the capability; run yaf with --dpi to use it. Specifying --dpi enables application labeling; it is no longer necessary to explicitly specify --applabel when enabling DPI.
  • Changed yaf to export metadata about information elements and templates by default; this can be controlled both at compile time and at run time. To disable it for a single invocation, run yaf with the --no-element-metadata and/or --no-template-metadata switches. To disable support entirely, pass --disable-metadata-export to configure. (Note that super_mediator-2.0.0 works best with template metadata enabled.)
  • Updated yaf to use the enhanced template metadata available in libfixbuf-3.0.0. This allows yaf to declare that it only uses some templates within sub-records (that is, within a subTemplateList or subTemplateMultiList). The metadata also describes the information element yaf uses in its basicLists.
  • Added the yaf command line option --payload-applabel-select to enable exporting payload data for only selected appLabel values.
  • Updated the regular expressions used for application-labeling.
  • Changed numerous aspects of the DPI data.
  • Updated, rearranged, and fixed bugs in SMTP DPI.
  • Added fields for more DNSSEC values and fixed other bugs in DNS DPI.
  • Renamed the configure option --enable-p0fprinter to --with-p0f.
  • Renamed the configure option --enable-ndpi to --with-ndpi.
  • Fixed bugs in POP3 DPI.
  • Removed support for the Spread toolkit.
  • Removed support for the popt options parser.
  • Updated fixbuf requirement to libfixbuf-3.0.0.