The latest pre-releases of YAF 3.x are listed below.

See also the latest YAF 2.x (stable) releases and all YAF releases.

YAF Binary Package

To install YAF via a pre-built RPM, see Install YAF from the CERT Linux Forensics Tools Repository on the YAF installation and dependencies page.

YAF Release 3.0.0.alpha2, 2023-Feb-9

  • Enhanced the deep packet inspection capabilities for SSH connections to include the negotiated algorithms and the HASSH hash.
  • Added the JA3 hash to the DPI for TLS connections.
  • Made several changes to the yafDPIRules.conf file for applabels written as C plugins:
      • Allow the user to disable the export of arbitrary DPI elements and SMTP headers.
      • Allow a protocol to be specified.
      • Moved the regex definitions from C to yafDPIRules.conf.
  • Increased the maximum payload that YAF may capture for performing DPI.
  • Fixed a potential bug in the Shannon entropy calculation that may cause small differences in calculated values.

YAF Release 3.0.0.alpha1, 2022-Feb-28

  • Merged the configuration files yafApplabelRules.conf and yafDPIRules.conf into a single file written in Lua. Previous versions of those files will not work with this version of yaf.
  • Changed Deep Packet Inspection (DPI) support to be compiled into yaf when requested by configure; it is no longer a plug-in. Run configure with --enable-dpi to enable the capability; run yaf with --dpi to use it. Specifying --dpi enables application labeling; it is no longer necessary to explicitly specify --applabel when enabling DPI.
  • Changed yaf to export metadata about information elements and templates by default, both as compile-time and run-time options. To disable the export for a single invocation, run yaf with the --no-element-metadata and/or --no-template-metadata switches. To disable support entirely, pass --disable-metadata-export to configure. (Note that super_mediator-2.0.0 works best with template metadata enabled.)
  • Updated yaf to use the enhanced template metadata available in libfixbuf-3.0.0. This allows yaf to declare that it only uses some templates within sub-records (that is, within a subTemplateList or subTemplateMultiList). The metadata also describes the information elements yaf uses in its basicLists.
  • Added the yaf command line option --payload-applabel-select to enable exporting payload data for only selected appLabel values.
  • Updated the regular expressions used for application-labeling.
  • Changed numerous aspects of the DPI data.
  • Updated, rearranged, and fixed bugs in SMTP DPI.
  • Added fields for more DNSSEC values and fixed other bugs in DNS DPI.
  • Renamed the configure option --enable-p0fprinter to --with-p0f.
  • Renamed the configure option --enable-ndpi to --with-ndpi.
  • Fixed bugs in POP3 DPI.
  • Removed support for the Spread toolkit.
  • Removed support for the popt options parser.
  • Updated fixbuf requirement to libfixbuf-3.0.0.