YAF Release 2.8.4, 2016-Apr-14

Downloads

(MD5=c051c99420e62714ec0e90a3abcfe822)

(SHA1=a889fd210f47448c3efcbd1906508ea5de399a64)

(SHA256=4ce75938de40f2a27dcc360ac6a4930e55e9d5c1bd27fd77e4c66fd48faa8d02)

(RIPEMD160=3b4dc3079b7b552958cdab08d1238586716a3684)

Notes

  • Fix incompatibility with older versions of libpcap introduced in 2.8.3

YAF Release 2.8.3, 2016-Apr-12

Downloads

(MD5=b811da5bcced8da52e248e979f127117)

(SHA1=c902e25abef374019f3c2ac3a020d07202f557ba)

(SHA256=69037bb9d63736eb778e2d2c8f443ffd1ffa377ec925ce351ea0c027e4fe3568)

(RIPEMD160=0d2ccadaae9405e2b2c14eb84fd14572e031c4a8)

Notes

  • Important bug fix for versions 2.8.x. Fixes a bug in decoding specific TCP Options headers.

YAF Release 2.8.2, 2016-Apr-5

Downloads

(MD5=3228418a33ade435a92d4028b90d717d)

(SHA1=d06e6125b44865f7dfb03f84b5f2257259c6edcc)

(SHA256=260a6dac08c143ef3ad98ef3b439aa247396226818053e9a136a02f16119a663)

(RIPEMD160=a3e778cddfc2a41727d90a90c6d01dc8ac2d0909)

Notes

  • Fix application labeling bug introduced in 2.8.0 which incorrectly labels particular REGEX labels
  • Other Bug Fixes

YAF Release 2.8.1, 2016-Feb-4

Downloads

(MD5=3aa2516b6d5a008145fe42f8095b471f)

(SHA1=4e6db8104d4130429b9513a141be6aa849cdeb71)

(SHA256=adbda0b3ef15325c20497609d422eda0bfbcc43a9cc015eb29812070cec75882)

(RIPEMD160=c36d2464bebd4f401602ae75b906648ec9dfe73f)

Notes

  • Fix compile error when configured with --disable-payload
  • Force buffer emit with IPFIX Options record when inactive

YAF Release 2.8.0, 2015-Dec-22

Downloads

(MD5=da29315b319209b9f2e57bbb9ee1e87c)

(SHA1=ec602d75d16fc5af1dc59839f89fdf40d801e98f)

(SHA256=b0f7f52980f2d05eaf5cca75a6299c3e9f65c972823e0bef8673dbe4324c507d)

(RIPEMD160=1184bcc2a6c541ca90fab96ea075f467810ea06a)

Notes

  • Remove support for fixbuf releases prior to libfixbuf-1.7.0
  • PF_RING support
  • PF_RING ZC (Zero Copy) support
  • Add support for gzip'd PCAP files
  • Add support for decoding MPTCP headers and exporting MPTCP information
  • Add Lua configuration file for yaf startup
  • New SSL Server Name field export from TLS/SSL Client Hello
  • New option for exporting entire X.509 Certificate
  • Add Fragment flag to flowAttributes to signify that a flow contained fragmented packets
  • DHCP fingerprinting plugin now exports basic list of options by default
  • ipfixDump prints number of records for each template
  • Bug Fix for labeling DNS over TCP
  • Bug Fix for reverseFlowDeltaMilliseconds field
  • Bug Fix for collecting X.509 Certificates through a proxy
  • More detailed information about ignored packets on termination/SIGUSR1

YAF Release 2.7.1, 2015-Jan-27

Downloads

(MD5=7b60c21504ee0a37fd3c334efc820872)

(SHA1=e3dcd111553a5e1b1eb0eb20cb5019591e3c10b9)

Notes

  • Fix a bug with --flow-stats in particular configurations

YAF Release 2.7.0, 2015-Jan-7

Downloads

(MD5=62ad30dafa4c6b6f60cdc53996b43c6e)

(SHA1=01d84b5047120767bd031598a6e6cd98c2171e0c)

Notes

  • New Gh0st RAT Application Label
  • New NetBIOS Datagram Service Application Label
  • yafMeta2Pcap can now accept IPFIX input
  • getFlowKeyHash now exports IPFIX
  • Support for indexing PCAPNG files
  • New YAF option --no-output to produce no IPFIX output
  • New YAF options --hash and --stime to search for a single flow with the given hash and start time
  • DNS DPI now exports query section of resource record for all responses with nonzero RCODE
  • Faster searching of pcap-meta files
  • Implement SAME_SIZE flag for TCP flows
  • Minor Bug Fixes

YAF Release 2.6.0, 2014-Sep-3

Downloads

(MD5=5e2dd0430db21ba7f7c3b28b38a9a7ac)

(SHA1=ac1ac70a8d1ed8b8dbbfd5ec803880a74fa2894b)

Notes

  • Added a new tool, ipfixDump, to read and dump the contents of IPFIX files. Requires Fixbuf 1.4.0 or later.
  • Add LDAP application label
  • Filedaemon can now move files from one directory to another without passing to a child program
  • SSL/TLS DPI modification to capture SSL record version
  • Update CERT PEN Information Elements to use full information model if Fixbuf 1.4.0 or later is available
  • Fix for Modbus application label to reduce false positives
  • Bug Fix for TOS field when running with --uniflow
  • Bug Fix in RPM spec file
  • Bug Fix for labeling malformed DNS packets
  • Bug Fix for processing out of order packets with --force-read-all
  • Bug Fix for exporting reverse payload
  • Other minor bug fixes

YAF Release 2.5.0, 2014-Mar-4

Downloads

(MD5=bc9d7a8f17e0a354512ae5de936b9eca)

(SHA1=808449efa2cc7b11498efc4a317c820dc3fe0192)

Notes

  • Bug Fix for indexing rolling pcap files
  • Added MPLS flow hashing and label export
  • Add option for yafMeta2Pcap to take a list of pcap files
  • Non-IP flow data can be exported in MPLS mode
  • Added Napatech 3GD support
  • Added Netronome support
  • Added DNP3 application labeling and configurable DPI
  • Added Modbus application labeling and configurable DPI
  • Added Ethernet/IP application labeling and configurable DPI
  • YAF DPI plugin now exports RTP Payload Type
  • Added compile time option to enable local-time logging
  • New Bittorrent application label
  • Added Daemonizing capability within YAF
  • Added option to disable promiscuous mode on device
  • Added LDP application label for MPLS support
  • Added Juniper Ethernet (DLT_JUNIPER_ETHER) link layer support
  • getFlowKeyHash can now accept IPFIX input
  • Interface recording is now enabled by default for capture cards
  • Bug Fix for pcap-per-flow option
  • Type of Service Field now exported

YAF Release 2.4.0, 2013-May-3

Downloads

(MD5=27a3c5bc7f45da67f1d395e969232824)

(SHA1=0c5efb5543e61d0acd91b7e2b028d8f6d3497ae8)

Notes

  • New HTTP DPI Fields
  • Updated DPI Elements
  • Bug Fix to not replace yaf.conf on install
  • New application label: VMware server console
  • Added support to decode ERSPAN headers
  • Drop statistics are updated when statistics messages are exported
  • yafcollect bug fix
  • Other Bug Fixes

YAF Release 2.3.3, 2013-Jan-30

Downloads

(MD5=45a08384bfe43d62101fc0b9d4d85ceb)

(SHA1=c97ace1ba4d0887cbe0d0e5b9bf5549af2eb12b4)

Notes

  • init.d script improvements
  • Allow yafMeta2Pcap to accept multiple files
  • Report drop statistics on SIGUSR1
  • Bug Fixes

YAF Release 2.3.2, 2012-Sep-14

Downloads

(MD5=2f69d03ec267fff15294d3b46eda6d6a)

(SHA1=649382ab3c8b44bdcadbff00b4199174bdd2ca21)

Notes

  • Bug Fix to maintain compatibility with older versions of GLib and libpcap

YAF Release 2.3.1, 2012-Sep-10

Downloads

(MD5=e5aedbea94ccfa8dee94c529963763c5)

(SHA1=d05b477c5dd96801d2fdcd6a00a7ae73023ffa6e)

Notes

  • DPI Improvements
  • Additional Pcap Export Option --index-pcap
  • Add option to manually set ingress/egress interface fields
  • Add tool to create pcap from pcap metafile
  • Bug Fixes

YAF Release 2.3.0, 2012-Jul-31

Downloads

(MD5=840836a94d07e00c4e3cedbbda318c9d)

(SHA1=3a103b958b0b60dbd4ca06a34c6b3ce512b70660)

Notes

  • Added DHCP Fingerprinting Capability
  • Added ability to export DNSSEC information
  • Significant X.509 Certificate Capture and Export Enhancements
  • Added Bivio Interface Labeling
  • DPI Improvements
  • Added Enhanced Flow Attributes and Statistics Export
  • Added ability to index PCAP file
  • Added New Application Labels: MGCP, MEGACO
  • Bug Fixes

YAF Release 2.2.2, 2012-Mar-30

Downloads

(MD5=033658f3b04ae67573414e805d84a7cf)

(SHA1=03ea518d322d3ce76f312a71e5e444eb5a6a7273)

Notes

  • Bug Fix for Vlan Tagging

YAF Release 2.2.1, 2012-Mar-8

Downloads

(MD5=69a84be4240a776b90a8a1e277724330)

(SHA1=4167adb8b0c8483c8f52e20a9a64b3be886a3a8c)

Notes

  • Bug Fixes

YAF Release 2.2.0, 2012-Feb-29

Notes

  • New Application Labels (MSNP, RTP, RTCP, Jabber)
  • Rolling Pcap output and pcap-per-flow options.
  • CERT p0f Fingerprints included.
  • New option to process out-of-sequence flows.
  • Several other bug fixes.

YAF Release 2.1.2, 2011-Sep-23

Notes

  • Added new --plugin-conf switch for adding a configuration file to a plugin
  • Added new --p0f-fingerprints switch to give location of p0f fingerprint files
  • Bug Fixes

YAF Release 2.1.1, 2011-Aug-11

Notes

  • Important bug fix for application labeling SSL plugin

YAF Release 2.1.0, 2011-Jul-27

Notes

  • New Information Element exported in every flow record, flowAttributes (CERT PEN 6871, IE 40).
  • YAF now checks if a flow has fixed-size packets and exports this flag using the new flowAttributes Information Element (see yaf)
  • Reset Application Label on UDP-uniflows for Deep Packet Inspection
  • Fixed yafscii invalid parameter bug that may have existed on certain platforms
  • Added VNC (RFB Protocol) application label
  • DPI Enhancements
  • FlowEndReason IPFIX field is now set to 31 for udp-uniflows
  • For Cygwin: Added support for getting the yaf config directory via the Windows Registry
  • Several other bug fixes

YAF Release 2.0.2, 2011-Jun-13

Notes

  • Improvements with Reassembly of TCP Fragments.
  • Bug Fix for DNS Deep Packet Inspection.
  • --no-frag switch now works.
  • Bug Fix for expiring flows that exceed the idle timeout when reading from a file.
  • Added the ability to configure YAF with WinPCAP.

YAF Release 2.0.1, 2011-May-23

Notes

  • Bug Fix for compile error with --enable-daginterface
  • Enhancement for SNMPv3 application labeler

YAF Release 2.0.0, 2011-Apr-28

Notes

  • This version requires libfixbuf-1.0.0 or greater.
  • Added Napatech Adapter Integration (requires libpcapexpress).
  • YAF now exports TCP, payload, fingerprinting, p0f, MAC, entropy, and DPI flow information within an IPFIX subTemplateMultiList data type.
  • Added the ability to export YAF capture statistics using IPFIX Options Templates.
  • The --stats and --no-stats switches were added to configure YAF stats output.
  • Added the ability to define Spread group types to use Spread as a manifold for flow export based on application, port, protocol, version, or vlan.
  • Added New Application Labels: DHCP, AIM, SOCKS, SMB, SNMP, NETBIOS.
  • Added a time-out buffer flush function.
  • Added SSL Certificate Capture.
  • Added DNS Resource Record Parsing.
  • Added Deep Packet Inspection for the MySQL protocol.
  • The --silk switch will maintain compatibility with SiLK by not nesting TCP information in the subTemplateMultiList data type.
  • Deep Packet Inspection elements are read from one configuration file.
  • Added the ability to create new DPI elements from configuration file.
  • Added UDP Export and Template Retransmission.
  • Many Bug fixes and other enhancements.

YAF Release 1.3.2, 2011-Feb-3

Notes

  • Bug fix for dnsplugin.c
  • Minor bug fix for fingerprint exporting.

YAF Release 1.3.1, 2010-Oct-6

Notes

  • Important bug fix for p0f or fpexport enabled code.
  • Fixed bug in DNS Application Labeling Decoder.
  • Removed machine learning code for future work.

YAF Release 1.3.0, 2010-Sep-20

Notes

  • Vlan tags are now a part of the flow key.
  • Vlan tags are now always exported.
  • --mac flag exports MAC addresses.
  • Fixed bug in DNS Application Labeling Decoder.
  • Fixed bug in libp0f Makefile.
  • Added --print-header switch to yafscii for use with tabular mode to print column headers.
  • Added --mac switch to yafscii to support printing of MAC addresses in tabular mode.

YAF Release 1.2.0, 2010-Jul-27

Notes

  • Spread support has been added into libfixbuf and YAF to allow publish subscribe distribution of YAF sensor output.
  • Plugin support has returned to YAF to support basic deep packet inspection (DPI) and application labeling (see yafdpi).
  • Added 9 new protocols to the application labeling feature (see applabel).
  • Added ability for signature detection through the application labeling mechanism.
  • Added --udp-uniflow switch to capture each UDP packet on a set port and export the payload (for DNS dissector creation).
  • Added --udp-payload to concatenate and export payload up to the max-payload value.
  • DNS DPI can be restricted to Authoritative and NXDomain responses only via compile switches.
  • Enhanced payload capture for TCP streams with out-of-order SYN packets.
  • Fixed a bug in processing small (less than 64-packets) PCAP files.
  • Fixed IPv6 header options bug.
  • Fixed bug in parsing capability for strings longer than 80 columns.
  • Added p0f passive OS labeling capability from community libp0f.
  • Added Berkeley Packet Filtering (BPF) switch --filter.

YAF Release 1.0.0.2, 2009-Mar-18

Notes

  • Fix to the --rotate switch so that it actually works.
  • Added the --noerror switch so that when a caplist set of PCAP files are processed, all files will be attempted even if there is a malformed PCAP in the middle of the list.
  • Added the --dag-interface switch (along with configure option --enable-daginterfaces) that will record the physical interface a packet arrived on in the flow table.

YAF Release 1.0.0, 2008-Sep-9

Notes

  • Airframe has now been merged into YAF and does not need to be separately installed.
  • Fixed the configure system to allow external pcap libraries (Bivio, nPulse, DAG).
  • multithreading in the future.

YAF Release 0.8.0, 2008-Jan-18

Notes

  • Add experimental packet classifier support to YAF.
  • Experimental plugin support has been removed.

YAF Release 0.7.2, 2007-Nov-30

Notes

  • Add experimental YAF plugin support.

YAF Release 0.7.1, 2007-Aug-29

Notes

  • Add ability to decode PPP and PPPoE headers.
  • Add experimental startup script in etc/.
  • Fix --lock option bug; change --rotate file naming to minimize collision.

YAF Release 0.7.0, 2007-Aug-15

Notes

  • Complete rewrite of YAF's main loop for simplicity and performance. Input and output command-line configuration options have changed, and some features are no longer available; see the yaf(1) manpage for details.
  • Complete rewrite of the packet decoder and fragment reassembler for IPv6 flow assembly and for future flexibility.
  • Add ability to decode IPv6 headers and create IPv6 flows.

YAF Release 0.6.0, 2007-May-17

Notes

  • Add tabular output to yafscii.
  • Add ability to decode IP over C-HDLC and GRE.
  • Update to fixbuf 0.6.0 API.
  • Add ability to export via IPFIX over TLS and IPFIX over SCTP.
  • Various bugfixes.

YAF Release 0.5.0, 2006-Sep-29

Notes

  • Add Endace DAG capture support.
  • Add ability to drop privileges during live capture.
  • Add ability to decode (but not export) MPLS information.
  • Update to fixbuf 0.5.0 API.
  • Numerous internal performance and reliability enhancements.

YAF Release 0.1.6, 2006-Jul-7

Notes

  • Add ability to process pcap trace files (those containing headers only, and not full packet payload).
  • Add ability to decode 802.1q VLAN headers, and to export VLAN tags.
  • Fix bugs in yafscii I/O handling that led to instability on close.

YAF Release 0.1.5, 2006-Jun-16

Notes

  • Changes to template handling for 0.4.0 libfixbuf release.
  • Documentation tweaks.
  • New --observation-domain option to set observationDomainId on exported messages.

YAF Release 0.1.0, 2006-Mar-28

Notes

  • Initial public release of YAF. YAF is presently alpha-quality software.