Monitoring for Large-Scale Networks

YAF

Latest Downloads

The latest releases of YAF 2.x are listed below.

RPM Downloads

You can also find RPMs of YAF releases starting from 2.16.2 in our Yum repository.

(SHA256=eebab530828deed9628c0d25e3ef663ec36a5dd992603f50fdf5824e19a30dea)

(SHA256=e40f343b58fdf878e5983307f81f45953e77eec229855021b8e4658936012537)

Fixed a memory leak and potential crash when full cert export is enabled.
Fixed the accuracy of NNTP application labeling that caused several records to be mistakenly identified as NNTP.
Fixed issues where temporary files for decompressed PCAP files were not always removed, and improved error reporting when decompression fails.

(SHA256=2aeec41d7540b593d72fbd89b082bc6f1832e3a114b8335249a6d5c24b7e2377)

Added the capability to determine the application label of an active flow and modify the amount of payload based on the result. Use options --applabel-max-payload to set the amount of payload to store for an appLabel and --applabel-check-early to enable early appLabel detection.
Stopped the installation of yaf.conf into /etc which overwrote any previous file.
Improved the yaf.conf file and the start-up files for both systemd and SysV init.d-style control. Reference copies of the start-up files are now installed under $prefix/share/yaf.
Added counts of flows opened and the reasons flows were closed to the log file in both periodic messages and at shutdown, and reformatted those messages.
Added a periodic log message that provides counts since the previous periodic message.
Added the command line used to invoke yaf to the log file.
Added appLabel and DPI support Microsoft DNS-related protocols for LLMNR and MDNS.
Fixed an issue where some DNS records were not identified as such due to using newer RRTYPE values.
Fixed the accuracy of NNTP application labeling that caused several records to be mistakenly identified as NNTP.
Fixed issues where temporary files for decompressed PCAP files were not always removed, and improved error reporting when decompression fails.

(SHA256=2d361f602d04ff16cb4c6ffca31f0ba32a55ee4bf87e30a2d2d64fc13b81442e)

(SHA256=99a9e8651bcee516a20ddca093d248c5cda3890c5561b2dfd893c4414a0ed52b)

Added the ability for yaf to capture TLS DPI when a standard STML, IMAP, or POP3 connection uses STARTTLS or its equivalent (mid-encryption within the connection).
Changed IMAP DPI support to be a C plugin. The IMAP settings in yafApplabelRules.conf and yafDPIRules.conf have changed.
Modified yaf not to capture any payload included with TCP RST packets.
Added messages to yaf's log that show its version number, process ID, and up-time. They are written on startup, at shutdown, and when SIGUSR1 is received.
Updated the periodic log messages written when yaf sends a stats packet to include the current and peak flow table sizes.
Added a log message that yaf writes when it receives a shutdown signal.
Fixed issues that prevented yaf reading libpcap data from a named pipe.
Updated yafscii to print timestamps using microsecond precision.