Enhanced the deep packet inspection capabilities for SSH connections to include negotiated algorithms and HASSH hash.
Added the JA3 hash to the DPI for TLS connections.
Added support for reading VxLAN-encapsulated packets, Geneve-encapsulated packets, and Geneve-encapsulated VxLAN-encapsulated packets.
Fixed TLS certificate parsing to be more selective on which values are stored in the list of sslObjectType-sslObjectValue pairs.
Fixed a potential bug in the Shannon entropy calculation that may cause small differences in calculated values.

YAF Release 2.14.0, 2023-Mar-23

Downloads

yaf-2.14.0.tar.gz (2.1MiB)

(SHA256=cf9e40428690387de7db78e27981c47b72664e4129a6b348ed19ea831f2ee019)

Changelog

Changed DNS deep packet inspection to produce names and text records with escape codes for special characters (non-ASCII, non-printable, special whitespace, and label-internal dots in names).
Made DNS deep packet inspection more strict about parsing malformed DNS Resource Records across RR boundaries within the packet.
Changed destination of --version output to the standard output.
Fixed a crash in YAF that occurs when it is built with GLib 2.75.3 or newer.

YAF Release 2.13.0, 2023-Feb-9

Downloads

yaf-2.13.0.tar.gz (2.1MiB)

(SHA256=a4c0a7cec4b3e78cde7a9bcd051e3e6bcb88c671494745ac506f1843756a61a3)

Changelog

Added ability for yaf to limit payload export to a named set of applabels.
Increased the maximum payload that YAF may capture for performing DPI.
Added support for recent releases of nDPI.
Added yaf.init to the list of installed files.
Stopped export of full flow template that is never used for data records.
Fixed minor bug in --version where Compact IPv4 support always reported NO.
Fixed bugs in regular expressions for nntpResponseRegex and smtpURLRegex.

YAF Release 2.12.2, 2021-Oct-14

Downloads

yaf-2.12.2.tar.gz (2.1MiB)

(SHA256=0f3634887b68c695c80472ed17f3a2ebfbf86f841d23a2d48534afc8b637afcb)

Changelog

Added new protocols to the yafAppLabelRules.conf file and updated several regular expressions.
Changed the regexes used by the SMTP DPI plugin and improved capture when multiple messages appear in a single SMTP session.
Fixed a crash in the SMTP DPI plugin when reading uniflow records.
Updated the POP3 DPI plugin.
Updated yafzcbalance to be compatibile with PF_Ring-8.

YAF Release 2.11.3, 2021-Oct-14

Downloads

yaf-2.11.3.tar.gz (2.1MiB)

(SHA256=e8c914b14e26ed0241d1a693cb1f6e65db78735720f960acc2f8604cb762fcc8)

Changelog

Added new protocols to the yafAppLabelRules.conf file and updated several regular expressions.
Updated the SMTP regexes used in the yafDPIRules.conf file to be similar to those used by the smtpplugin in YAF 2.12.2.
Updated yafzcbalance to be compatibile with PF_Ring-8.
Note: The yafAppLabelRules.conf file yafDPIRules.conf files in this release are usuable in prior releases of YAF also.

YAF Release 2.12.1, 2020-Dec-22

Downloads

yaf-2.12.1.tar.gz (2.1MiB)

(SHA256=53bbdfddd4d6f59ac0d866fdb20e59653cc7f8541b44044bbb1ec1f981e21e27)

Changelog

Changed the templates and IEs used for SMTP DPI. The new templates use different IDs than those used by previous releases of YAF. super_mediator-1.8.0 or later is required to read this format. Currently there is no version of Analysis Pipeline that reads the SMTP DPI.
First public release of YAF 2.12.x.

YAF Release 2.11.2, 2020-Nov-20

Downloads

yaf-2.11.2.tar.gz (2.1MiB)

(SHA256=889a5d90a09ef837c0842a065dc2a8b95fb30603e054b7153d45fde33c19ad6b)

Changelog

Corrected the patch to allow building with PF_Ring.

YAF Release 2.11.1, 2020-Nov-19

Downloads

yaf-2.11.1.tar.gz (2.1MiB)

(SHA256=1f2f0275da803ca0fc4fd25d53f6349c0982c5f3e16585287787fe6a3dd02ec7)

Changelog

Fixed bugs in NTP and DNS deep packet inspection.
Fixed a compilation error when building with metadata export enabled.
Fixed possible compilation errors when building with nDPI support.
Fixed compilation errors when building with newer versions of PF_Ring.

YAF Release 2.11.0, 2019-Mar-18

Downloads

yaf-2.11.0.tar.gz (2MiB)

(SHA256=5e2523eeeaa5ac7e08f73b38c599f321ba93f239011efec9c39cfcbc30489dca)

Changelog

Support for libfixbuf 2.3.0 added, and is now required.
Added support for nDPI 2.0.
CERT Info Model support added.
More strict DNS applabel.
Initial NTP Mode 7 applabel support.
Improved POSIX compliance for init script.
Removed ipfixDump; it is now distributed with libfixbuf.
DNS DPI free segfault fix.
New YAF stats and tombstone format.

YAF Release 2.10.0, 2018-Apr-30

Downloads

yaf-2.10.0.tar.gz (2MiB)

(SHA256=ed13a5d9f4cbbe6e82e2ee894cf3c324b2bb209df7eb95f2be10619bbf13d805)

Changelog

Support for libfixbuf 2.0.0 added, and is now required.
Derive information elements from included XML files.
Various reporting/output bug fixes for ipfixDump.
Support for tombstone records added.

YAF Release 2.9.3, 2017-Dec-21

Downloads

yaf-2.9.3.tar.gz (2MiB)

(SHA256=a0dd7f8f8733b8554ee0b1458a38fad19734899313ed4a4eb9bcf96893d98e02)

Changelog

Fixed configure-time dependency for libndpi to limit use of v1.8.0 and greater.
Modified init script to give YAF more time to shut down gracefully.

YAF Release 2.9.2, 2017-Nov-8

Downloads

yaf-2.9.2.tar.gz (2MiB)

(SHA256=c6246dc64d9311a098b239a313c75f793ece02bac61daf2c83c26ac868bc0def)

Changelog

Fixed configure-time bug when using libfixbuf 1.7.1 (or earlier) and p0fprinter

YAF Release 2.9.1, 2017-Nov-2

Downloads

yaf-2.9.1.tar.gz (2MiB)

(SHA256=0dac324c2dae34d5bd84155af43425cd5543a6c1c7758158a772da00bb02c2c9)

Changelog

Fixed bug that could corrupt flow emitted to standard output

YAF Release 2.9.0, 2017-Oct-19

Downloads

yaf-2.9.0.tar.gz (2MiB)

(SHA256=24aa319a73287b33a2e0d838539e80163c0553fbb8ac386323f2982b1b03b60e)

Changelog

nDPI library support added
Added NTP applabel
Added RFC5610 template metadata (name and description) record output (libfixbuf 1.8.0 or greater required).
Add option --no-vlan-in-key to drop VLAN ID from hash calculation
Minor Bug Fixes

YAF Release 2.8.4, 2016-Apr-14

Downloads

yaf-2.8.4.tar.gz (2MiB)

(SHA256=4ce75938de40f2a27dcc360ac6a4930e55e9d5c1bd27fd77e4c66fd48faa8d02)

Changelog

Fix incompatibility with older versions of libpcap introduced in 2.8.3

YAF Release 2.8.3, 2016-Apr-12

Downloads

yaf-2.8.3.tar.gz (2MiB)

(SHA256=69037bb9d63736eb778e2d2c8f443ffd1ffa377ec925ce351ea0c027e4fe3568)

Changelog

Important bug fix for versions 2.8.x. Fixes a bug in decoding specific TCP Options headers.

YAF Release 2.8.2, 2016-Apr-5

Downloads

yaf-2.8.2.tar.gz (2MiB)

(SHA256=260a6dac08c143ef3ad98ef3b439aa247396226818053e9a136a02f16119a663)

Changelog

Fix application labeling bug introduced in 2.8.0 which incorrectly labels particular REGEX labels
Other Bug Fixes

YAF Release 2.8.1, 2016-Feb-4

Downloads

yaf-2.8.1.tar.gz (2MiB)

(SHA256=adbda0b3ef15325c20497609d422eda0bfbcc43a9cc015eb29812070cec75882)

Changelog

Fix compile error when configured with --disable-payload
Force buffer emit with IPFIX Options record when inactive

YAF Release 2.8.0, 2015-Dec-22

Downloads

yaf-2.8.0.tar.gz (2MiB)

(SHA256=b0f7f52980f2d05eaf5cca75a6299c3e9f65c972823e0bef8673dbe4324c507d)

Changelog

Remove support for fixbuf releases prior to libfixbuf-1.7.0
PF_RING support
PF_RING ZC (Zero Copy) support
Add support for gzip'd PCAP files
Add support for decoding MPTCP headers and exporting MPTCP information
Add LUA configuration file for yaf startup
New SSL Server Name field export from TLS/SSL Client Hello
New option for exporting entire X.509 Certificate
Add Fragment flag to flowAttributes to signify that a flow contained fragmented packets
DHCP fingerprinting plugin now exports basic list of options by default
ipfixDump prints number of records for each template
Bug Fix for labeling DNS over TCP
Bug Fix for reverseFlowDeltaMilliseconds field
Bug Fix for collecting X.509 Certificates through a proxy
More detailed information about ignored packets on termination/SIGUSR1

YAF Release 2.7.1, 2015-Jan-27

Downloads

yaf-2.7.1.tar.gz (1.5MiB)

(SHA256=b3fbaa667ea052bdb83a6e6a5bd6529daa93f8f926fa278778716f6dfadd8e5e)

Changelog

Fix a bug with --flow-stats in particular configurations

YAF Release 2.7.0, 2015-Jan-7

Downloads

yaf-2.7.0.tar.gz (1.5MiB)

(SHA256=a62db4865bca6e0635eb2bee3697e35e7e6419a52cb1e8dfea0ca9f543e85c76)

Changelog

New Gh0st RAT Application Label
New NetBIOS Datagram Service Application Label
yafMeta2Pcap can now accept IPFIX input
getFlowKeyHash now exports IPFIX
Support for indexing PCAPNG files
New YAF option --no-output to produce no IPFIX output
New YAF options --hash and --stime to search for a single flow with the given hash and start time
DNS DPI now exports query section of resource record for all responses with nonzero RCODE
Faster searching of pcap-meta files
Implement SAME_SIZE flag for TCP flows
Minor Bug Fixes

YAF Release 2.6.0, 2014-Sep-3

Downloads

yaf-2.6.0.tar.gz (1.5MiB)

(SHA256=7562d0e81e398fe491b81cad0b96996d2ac21f649d28ecda7ca258480dab6bb8)

Changelog

Added a new tool, ipfixDump, to read and dump the contents of IPFIX files. Requires Fixbuf 1.4.0 or later.
Add LDAP application label
Filedaemon can now move files from one directory to another without passing to a child program
SSL/TLS DPI modification to capture SSL record version
Update CERT PEN Information Elements to use full information model if Fixbuf 1.4.0 or later is available
Fix for Modbus application label to reduce false positives
Bug Fix for TOS field when running with --uniflow
Bug Fix in RPM spec file
Bug Fix for labeling malformed DNS packets
Bug Fix for processing out of order packets with --force-read-all
Bug Fix for exporting reverse payload
Other minor bug fixes

YAF Release 2.5.0, 2014-Mar-4

Downloads

yaf-2.5.0.tar.gz (1.5MiB)

(SHA256=79c3498a77e9be11487b22fb6c4fe886965042de3c875c6242b54c3f9e9a4c9d)

Changelog

Bug Fix for indexing rolling pcap files
Added MPLS flow hashing and label export
Add option for yafMeta2Pcap to take a list of pcap files
Non-IP flow data can be exported in MPLS mode
Added Napatech 3GD support
Added Netronome support
Added DNP3 application labeling and configurable DPI
Added Modbus application labeling and configurable DPI
Added Ethernet/IP application labeling and configurable DPI
YAF DPI plugin now exports RTP Payload Type
Added compile time option to enable local-time logging
New Bittorrent application label
Added Daemonizing capability within YAF
Added option to disable promiscuous mode on device
Added LDP application label for MPLS support
Added Juniper Ethernet (DLT_JUNIPER_ETHER) link layer support
getFlowKeyHash can now accept IPFIX input
Interface recording is now enabled by default for capture cards
Bug Fix for pcap-per-flow option
Type of Service Field now exported

YAF Release 2.4.0, 2013-May-3

Downloads

yaf-2.4.0.tar.gz (1.3MiB)

(SHA256=0f3a499db51d5e90337780f1ec538f2e53956f01f79652f9dd1d73e39f38f7fb)

Changelog

New HTTP DPI Fields
Updated DPI Elements
Bug Fix to not replace yaf.conf on install
New application label: VMware server console
Added support to decode ERSPAN headers
Drop statistics are updated when statistics messages are exported
yafcollect bug fix
Other Bug Fixes

YAF Release 2.3.3, 2013-Jan-30

Downloads

yaf-2.3.3.tar.gz (1.3MiB)

(SHA256=797c877d2f39c125a9327505780ce5dd526128411ed55a051d3bc87e9281ba75)

Changelog

init.d script improvements
Allow yafmeta2pcap to accept multiple files
Report drop statistics on SigUsr1
Bug Fixes

YAF Release 2.3.2, 2012-Sep-14

Downloads

yaf-2.3.2.tar.gz (1.3MiB)

(SHA256=81278e2fde3acaa8619de5b565803df3394fd4b75c71de6951e58d95dea3639e)

Changelog

Bug Fix to maintain compatibility with older versions of GLib and libpcap

YAF Release 2.3.1, 2012-Sep-10

Downloads

yaf-2.3.1.tar.gz (1.3MiB)

(SHA256=3f67edcca7bfacec53cce04eef5fc3a73d34581d37a3fb583682a6f7ce54dde6)

Changelog

DPI Improvements
Additional Pcap Export Option --index-pcap
Add option to manually set ingress/egress interface fields
Add tool to create pcap from pcap metafile
Bug Fixes

YAF Release 2.3.0, 2012-Jul-31

Downloads

yaf-2.3.0.tar.gz (1.3MiB)

(SHA256=48a9f8bf70cfa25a27ce8734944fee8bb9d5a810be4f32917e8b428499f03016)

Changelog

Added DHCP Fingerprinting Capability
Added ability to export DNSSEC information
Significant X.509 Certificate Capture and Export Enhancements
Added Bivio Interface Labeling
DPI Improvements
Added Enhanced Flow Attributes and Statistics Export
Added ability to index PCAP file
Added New Application Labels: MGCP, MEGACO
Bug Fixes

YAF Release 2.2.2, 2012-Mar-30

Downloads

yaf-2.2.2.tar.gz (1.3MiB)

(SHA256=866c700d48d65c9d22fb8901e992e57f967fec3a0c3b9d03844b93b31b1142ae)

Changelog

Bug Fix for Vlan Tagging

YAF Release 2.2.1, 2012-Mar-8

Downloads

yaf-2.2.1.tar.gz (1.3MiB)

(SHA256=40cddaa6c77d04f7511fe04b1eec2074c096887ae9e36a81d9ac894684547f16)

Changelog

Bug Fixes

YAF Release 2.2.0, 2012-Feb-29

Downloads

yaf-2.2.0.tar.gz (1.3MiB)

(SHA256=826001cfa6f6b3c16b481a8341fc262c2f6facb50230fcaaa02dbca29e2dde96)

Changelog

New Application Labels (MSNP, RTP, RTCP, Jabber)
Rolling Pcap output and pcap-per-flow options.
CERT p0f Fingerprints included. (https://tools.netsa.cert.org/p0f/)
New option to process out-of-sequence flows.
Several other bug fixes.

YAF Release 2.1.2, 2011-Sep-23

Downloads

yaf-2.1.2.tar.gz (1.2MiB)

(SHA256=e1e52293ff7d7a0b61f1125f4bd50c57c5ce8ef9bfe62fbe6940146ba8eb9187)

Changelog

Added new --plugin-conf switch for adding a configuration file to a plugin
Added new --p0f-fingerprints switch to give location of p0f fingerprint files
Bug Fixes

YAF Release 2.1.1, 2011-Aug-11

Downloads

yaf-2.1.1.tar.gz (1.2MiB)

(SHA256=078c7518f6bdc6f9c1a93ec0bc8613be4f9f8090b3ec9cff76f87ddcd54df212)

Changelog

Important bug fix for application labeling SSL plugin

YAF Release 2.1.0, 2011-Jul-27

Downloads

yaf-2.1.0.tar.gz (1.2MiB)

(SHA256=4bf5fe40c92ed5350eccc861cd074eb31c42f2278af0dafb9809d1cb033735f3)

Changelog

New Information Element exported in every flow record, flowAttributes (CERT PEN 6871, IE 40).
YAF now checks if a flow has fixed-size packets and exports this flag using the new flowAttributes Information Element. See the YAF man page for details.
Reset Application Label on UDP-uniflows for Deep Packet Inspection
Fixed yafscii invalid parameter bug that may have existed on certain platforms
Added VNC (RFB Protocol) application label
DPI Enhancements
FlowEndReason IPFIX field is now set to 31 for udp-uniflows
For Cygwin: Added support for getting the yaf config directory via the Windows Registry
Several other bug fixes

YAF Release 2.0.2, 2011-Jun-13

Downloads

yaf-2.0.2.tar.gz (1.2MiB)

(SHA256=ce554e0f0609288241cd1e82cf3936efa36ab702c3caf8ebac1c05d882339736)

Changelog

Improvements with Reassembly of TCP Fragments.
Bug Fix for DNS Deep Packet Inspection.
--no-frag switch now works.
Bug Fix for expiring flows that exceed the idle timeout when reading from a file.
Added the ability to configure YAF with WinPCAP.

YAF Release 2.0.1, 2011-May-23

Downloads

yaf-2.0.1.tar.gz (1.2MiB)

(SHA256=924689d379178c49c592182fe628c5a9e539b0bac48a9e7aa861465674108b9d)

Changelog

Bug Fix for compile error with --enable-daginterface
Enhancement for SNMPv3 application labeler

YAF Release 2.0.0, 2011-Apr-28

Downloads

yaf-2.0.0.tar.gz (1.2MiB)

(SHA256=4bc2a16b1cb6395dd70f7cf486bcdec6563298fc45d6740d0730cf02259d447d)

Changelog

This version requires libfixbuf-1.0.0 or greater.
Added Napatech Adapter Integration (requires libpcapexpress).
YAF now exports TCP, payload, finger printing, p0f, MAC, entropy, and DPI flow information within an IPFIX subTemplateMultiList data type.
Added the ability to export YAF capture statistics using IPFIX Options Templates.
The --stats or --no-stats were added to configure YAF stats output.
Added the ability to define Spread group types to use Spread as a manifold for flow export based on application, port, protocol, version, or vlan.
Added New Application Labels: DHCP, AIM, SOCKS, SMB, SNMP, NETBIOS.
Added a time-out buffer flush function.
Added SSL Certificate Capture.
Added DNS Resource Record Parsing.
Added Deep Packet Inspection for the MySQL protocol.
The --silk switch will maintain compatibility with SiLK by not nesting TCP information in the subTemplateMultiList data type.
Deep Packet Inspection elements are read from one configuration file.
Added the ability to create new DPI elements from configuration file.
Added UDP Export and Template Retransmission.
Many Bug fixes and other enhancements.

YAF Release 1.3.2, 2011-Feb-3

Downloads

yaf-1.3.2.tar.gz (1.2MiB)

(SHA256=448ae03ae486ae4f5cc3347267d823d1a460cf90bf2722ff83ec4afa4c75ae56)

Changelog

Bug fix for dnsplugin.c
Minor bug fix for fingerprint exporting.

YAF Release 1.3.1, 2010-Oct-6

Downloads

yaf-1.3.1.tar.gz (1.2MiB)

(SHA256=0c41dba35abf7d6890817351aacf12b2cb87d4d795a48157c3fb27810c56a097)

Changelog

Important bug fix for p0f or fpexport enabled code.
Fixed bug in DNS Application Labeling Decoder.
Removed machine learning code for future work.

YAF Release 1.3.0, 2010-Sep-20

Downloads

yaf-1.3.0.tar.gz (1.2MiB)

(SHA256=64ec823a42f7742b251820aee4cc5dee98f0d0f933f8bfcaf6bbeff3e2a04abe)

Changelog

Vlan tags are now a part of the flow key.
Vlan tags are now always exported.
--mac flag exports MAC addresses.
Fixed bug in DNS Application Labeling Decoder.
Fixed bug in libp0f Makefile.
Added --print-header switch to yafscii for use with tabular mode to print column headers.
Added --mac switch to yafscii to support printing of MAC addresses in tabular mode.

YAF Release 1.2.0, 2010-Jul-27

Downloads

yaf-1.2.0.tar.gz (1.2MiB)

(SHA256=e714954685667bdafa14c578feec0aac7ee333cde831c2495e47f9581450b4dc)

Changelog

Spread support has been added into libfixbuf and YAF to allow publish subscribe distribution of YAF sensor output.
Plugin support has returned to YAF to support basic deep packet inspection (DPI) and application labeling (see the yafdpi manual page).
Added 9 new protocols to the application labeling feature (see the applabel manual page).
Added ability for signature detection through the application labeling mechanism.
Added --udp-uniflow switch to capture each UDP packet on a set port and export the payload (for DNS dissector creation).
Added --udp-payload to concatenate and export payload up to the max-payload value.
DNS DPI can be restricted to Authoritative and NXDomain responses only via compile switches.
Enhanced payload capture for TCP streams with out-of-order SYN packets.
Fixed a bug in processing small (less than 64-packets) PCAP files.
Fixed IPv6 header options bug.
Fixed bug in parsing capability for strings longer than 80 columns.
Added p0f passive OS labeling capability from community (https://tools.netsa.cert.org/p0f/libp0f.html).
Added Berkley Packet Filtering (BPF) switch --filter.

YAF Release 1.0.0.2, 2009-Mar-18

Downloads

yaf-1.0.0.2.tar.gz (1MiB)

(SHA256=adbab9968a34445517839b7c53f087c793952d54d0d6912b8e219776fbbe21c6)

Changelog

Fix to the --rotate switch so that it actually works.
Added the --noerror switch so that when a caplist set of PCAP files are processed, all files will be attempted even if there is a malformed PCAP in the middle of the list.
Added the --dag-interface switch (along with configure option --enable-daginterfaces) that will record the physical interface a packet arrived on in the flow table.

YAF Release 1.0.0, 2008-Sep-9

Downloads

yaf-1.0.0.tar.gz (1MiB)

(SHA256=85f6e0e43e15c25aa2b4c529c5bdb7586c3718ee4f0b62c59757710dd81d770c)

Changelog

Airframe has now been merged into YAF and does not need to be separately installed.
Fixes to the configure system to allow external pcap libraries, (Bivio, nPulse, DAG) have been fixed.
multithreading in the future.

YAF Release 0.8.0, 2008-Jan-18

Downloads

yaf-0.8.0.tar.gz (866.4KiB)

(SHA256=703e7ffd10b0cd23e3db41e1c6e7e799bc0d9fbc3e54c578961521e5b49c6ccb)

Changelog

Add experimental packet classifier support to YAF.
Experimental plugin support has been removed.

YAF Release 0.7.2, 2007-Nov-30

Changelog

Add experimental YAF plugin support.

YAF Release 0.7.1, 2007-Aug-29

Changelog

Add ability to decode PPP and PPPoE headers.
Add experimental startup script in etc/.
Fix --lock option bug; change --rotate file naming to minimize collision.

YAF Release 0.7.0, 2007-Aug-15

Changelog

Complete rewrite of YAF's main loop for simplicity and performance. Input and output command-line configuration options have changed, and some features are no longer available; see the yaf(1) manpage for details.
Complete rewrite of the packet decoder and fragment reassembler for IPv6 flow assembly and for future flexibility.
Add ability to decode IPv6 headers and create IPv6 flows.

YAF Release 0.6.0, 2007-May-17

Changelog

Add tabular output to yafscii.
Add ability to decode IP over C-HDLC and GRE.
Update to fixbuf 0.6.0 API.
Add ability to export via IPFIX over TLS and IPFIX over SCTP.
Various bugfixes.

YAF Release 0.5.0, 2006-Sep-29

Changelog

Add Endace DAG capture support.
Add ability to drop privileges during live capture.
Add ability to decode (but not export) MPLS information.
Update to fixbuf 0.5.0 API.
Numerous internal performance and reliability enhancements.

YAF Release 0.1.6, 2006-Jul-7

Changelog

Add ability to process pcap trace files (those containing headers only, and not full packet payload).
Add ability to decode 802.1q VLAN headers, and to export VLAN tags.
Fix bugs in yafscii I/O handling that led to instability on close.