What's new in Suricata 3.0.1
Jun 22, 2016
- Fixes for multiple stability issues
- Many memory leak fixes
- Hyperscan MPM support (experimental)
New in Suricata 2.1 Beta 4 (May 11, 2015)
- New Features:
- Feature #1448: xbits support
- Feature #336: Add support for NETMAP to Suricata
- Feature #885: smtp file_data support
- Feature #1394: Improve TCP reuse support
- Feature #1445: Suricata does not work on pfSense/FreeBSD interfaces using PPPoE
- Feature #1447: Ability to reject ICMP traffic
- Feature #1410: add alerts to EVE’s drop logs
- Improvements:
- Optimization #1014: app layer reassembly fast-path
- Optimization #1377: flow manager: reduce (try)locking
- Optimization #1403: autofp packet pool performance problems
- Optimization #1409: http pipeline support for stateful detection
- Bug #1314: http-events performance issues
- Bugs:
- Bug #1340: null ptr dereference in Suricata v2.1beta2
- Bug #1352: file list is not cleaned up
- Bug #1358: Gradual memory leak using reload (kill -USR2 $pid)
- Bug #1366: Crash if default_packet_size is below 32 bytes
- Bug #1378: stats api doesn’t call thread deinit funcs
- Bug #1384: tcp midstream window issue (master)
- Bug #1388: pcap-file hangs on systems w/o atomics support (master)
- Bug #1392: http uri parsing issue (master)
- Bug #1393: CentOS 5.11 build failures
- Bug #1398: DCERPC traffic parsing issue (master)
- Bug #1401: inverted matching on incomplete session
- Bug #1402: When re-opening files on HUP (rotation) always use the append flag.
- Bug #1417: no rules loaded – latest git – rev e250040
- Bug #1425: dead lock in de_state vs flowints/flowvars
- Bug #1426: Files prematurely truncated by detection engine even though force-md5 is enabled
- Bug #1429: stream: last_ack update issue leading to stream gaps
- Bug #1435: EVE-Log alert payload option loses data
- Bug #1441: Local timestamps in json events
- Bug #1446: Unit ID check in Modbus packet error
- Bug #1449: smtp parsing issue
- Bug #1451: Fix list-keywords regressions
- Bug #1463: modbus parsing issue
New in Suricata 2.0.8 (May 7, 2015)
- Changes:
- Bug #1450: tls parsing issue
- Bug #1460: pcap parsing issue
- Bug #1461: potential deadlock
- Bug #1404: Alert-Debuglog not being rotated on SIGHUP
- Bug #1420: inverted matching on incomplete session
- Bug #1462: various issues in rule and yaml parsing
New in Suricata 2.0.7 (Feb 28, 2015)
- Changes:
- Bug #1385: DCERPC traffic parsing issue
- Bug #1391: http uri parsing issue
- Bug #1383: tcp midstream window issue
- Bug #1318: A thread-sync issue in streamTCP
- Bug #1375: Regressions in list keywords option
- Bug #1387: pcap-file hangs on systems w/o atomics support
- Bug #1395: dump-counters unix socket command failure
- Optimization #1376: file list is not cleaned up
- Security:
- The DCERPC parsing issue has CVE-2015-0928 assigned to it.
New in Suricata 2.1 Beta 3 (Jan 30, 2015)
- New Features:
- Feature #1309: Lua support for Stats output
- Feature #1310: Modbus parsing and matching
- Improvements:
- Optimization #1339: flow timeout optimization
- Optimization #1371: mpm optimization
- Feature #1317: Lua: Indicator for end of flow
- Feature #1333: unix-socket: allow (easier) non-root usage
- Feature #1261: Request for Additional Lua Capabilities
- Bugs:
- Bug #977: WARNING on empty rules file is fatal (should not be)
- Bug #1184: pfring: cppcheck warnings
- Bug #1321: Flow memuse bookkeeping error
- Bug #1327: pcre pkt/flowvar capture broken for non-relative matches (master)
- Bug #1332: cppcheck: ioctl
- Bug #1336: modbus: CID 1257762: Logically dead code (DEADCODE)
- Bug #1351: output-json: duplicate logging (2.1.x)
- Bug #1354: coredumps on quitting on OpenBSD
- Bug #1355: Bus error when reading pcap-file on OpenBSD
- Bug #1363: Suricata does not compile on OS X/Clang due to redefinition of string functions (2.1.x)
- Bug #1365: evasion issues (2.1.x)
New in Suricata 2.0.6 (Jan 15, 2015)
- Changes:
- Bug #1364: evasion issues
- Bug #1337: output-json: duplicate logging
- Bug #1325: tls detection leads to tcp stream reassembly sequence gaps (IPS)
- Bug #1192: Suricata does not compile on OS X/Clang due to redefinition of string functions
- Bug #1183: pcap: cppcheck warning
New in Suricata 2.0.5 (Dec 30, 2014)
- Changes:
- Bug #1190: http_header keyword not matching when SYN|ACK and ACK missing
- Bug #1246: EVE output Unix domain socket not working
- Bug #1272: Segfault in libhtp 0.5.15
- Bug #1298: Filestore keyword parsing issue
- Bug #1303: improve stream ‘bad window update’ detection
- Bug #1304: improve stream handling of bad SACK values
- Bug #1305: fix tcp session reuse for ssh/ssl sessions
- Bug #1307: byte_extract, within combination not working
- Bug #1326: pcre pkt/flowvar capture broken for non-relative matches
- Bug #1329: Invalid rule being processed and loaded
- Bug #1330: Flow memuse bookkeeping error (2.0.x)
New in Suricata 2.0.4 (Sep 23, 2014)
- Changes:
- Bug #1276: ipv6 defrag issue with routing headers
- Bug #1278: ssh banner parser issue
- Bug #1254: sig parsing crash on malformed rev keyword
- Bug #1267: issue with ipv6 logging
- Bug #1273: Lua – http.request_line not working
- Bug #1284: AF_PACKET IPS mode not logging drops and stream inline issue
- Security:
- CVE-2014-6603
New in Suricata 2.1 Beta (Aug 13, 2014)
- New Features:
- Feature #1248: flow/connection logging
- Feature #1155 & #1208: Log packet payloads in eve alerts
- Improvements:
- Optimization #1039: Packetpool should be a stack
- Optimization #1241: pcap recording: record per thread
- Feature #1258: json: include HTTP info with Alert output
- AC matcher start up optimizations
- BM matcher runtime optimizations by Ken Steele
- Removals:
- ‘pcapinfo’ output was removed. Suriwire now works with the JSON ‘eve’ output
New in Suricata 2.0.3 (Aug 8, 2014)
- Bug #1236: fix potential crash in http parsing
- Bug #1244: ipv6 defrag issue
- Bug #1238: Possible evasion in stream-tcp-reassemble.c
- Bug #1221: lowercase conversion table missing last value
- Support #1207: Cannot compile on CentOS 5 x64 with –enable-profiling
- Updated bundled libhtp to 0.5.15
New in Suricata 2.0.2 (Jul 4, 2014)
- Notable changes:
- IP defrag issue leading to evasion. Bug discovered by Antonios Atlasis working with ERNW GmbH
- Support for NFLOG as a capture method. Nice work by Giuseppe Longo
- DNS TXT parsing and logging. Funded by Emerging Threats
- Log rotation through SIGHUP. Created by Jason Ish of Endace/Emulex
- All closed tickets:
- Feature #781: IDS using NFLOG iptables target
- Feature #1158: Parser DNS TXT data parsing and logging
- Feature #1197: liblua support
- Feature #1200: sighup for log rotation
- Bug #1098: http_raw_uri with relative pcre parsing issue
- Bug #1175: unix socket: valgrind warning
- Bug #1189: abort() in 2.0dev (rev 6fbb955) with pf_ring 5.6.3
- Bug #1195: nflog: cppcheck reports memleaks
- Bug #1206: ZC pf_ring not working with Suricata 2.0.1 (or latest git)
- Bug #1211: defrag issue
- Bug #1212: core dump (after a while) when app-layer.protocols.http.enabled = yes
- Bug #1214: Global Thresholds (sig_id 0, gid_id 0) not applied correctly if a signature has event vars
- Bug #1217: Segfault in unix-manager.c line 529 when using –unix-socket and sending pcap files to be analized via socket
New in Suricata 2.0.1 (May 21, 2014)
- Notable changes:
- OpenSSL Heartbleed detection. Thanks to Pierre Chifflier and Will Metcalf
- Fixed Unix Socket runmode
- Fixed AF_PACKET IPS support
- All closed tickets:
- Feature #1157: Always create pid file if –pidfile command line option is provided
- Feature #1173: tls: OpenSSL heartbleed detection
- Bug #978: clean up app layer parser thread local storage
- Bug #1064: Lack of Thread Deinitialization For Decoder Modules
- Bug #1101: Segmentation in AppLayerParserGetTxCnt
- Bug #1136: negated app-layer-protocol FP on multi-TX flows
- Bug #1141: dns response parsing issue
- Bug #1142: dns tcp toclient protocol detection
- Bug #1143: tls protocol detection in case of tls-alert
- Bug #1144: icmpv6: unknown type events for MLD_* types
- Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
- Bug #1146: tls: event on ‘new session ticket’ in handshake
- Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
- Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
- Bug #1161: eve: src and dst mixed up in some cases
- Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
- Bug #1163: HTP Segfault
- Bug #1165: af_packet – one thread consistently not working
- Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
- Bug #1176: AF_PACKET IPS mode is broken in 2.0
- Bug #1177: eve log do not show action ‘dropped’ just ‘allowed’
- Bug #1180: Possible problem in stream tracking
New in Suricata 2.0.1 RC 1 (May 12, 2014)
- Notable changes:
- OpenSSL Heartbleed detection. Thanks to Pierre Chifflier and Will Metcalf
- Fixed Unix Socket runmode
- Fixed AF_PACKET IPS support
- All closed tickets:
- Feature #1157: Always create pid file if –pidfile command line option is provided
- Feature #1173: tls: OpenSSL heartbleed detection
- Bug #978: clean up app layer parser thread local storage
- Bug #1064: Lack of Thread Deinitialization For Decoder Modules
- Bug #1101: Segmentation in AppLayerParserGetTxCnt
- Bug #1136: negated app-layer-protocol FP on multi-TX flows
- Bug #1141: dns response parsing issue
- Bug #1142: dns tcp toclient protocol detection
- Bug #1143: tls protocol detection in case of tls-alert
- Bug #1144: icmpv6: unknown type events for MLD_* types
- Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
- Bug #1146: tls: event on ‘new session ticket’ in handshake
- Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
- Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
- Bug #1161: eve: src and dst mixed up in some cases
- Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
- Bug #1163: HTP Segfault
- Bug #1165: af_packet – one thread consistently not working
- Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
- Bug #1176: AF_PACKET IPS mode is broken in 2.0
- Bug #1177: eve log do not show action ‘dropped’ just ‘allowed’
- Bug #1180: Possible problem in stream tracking
New in Suricata 2.0 (Mar 25, 2014)
- Bug #1151: tls.store not working when a TLS filter keyword is used
New in Suricata 2.0 RC 3 (Mar 20, 2014)
- Fixed:
- Bug #1127: logstash & suricata parsing issue
- Bug #1128: Segmentation fault – live rule reload
- Bug #1129: pfring cluster & ring initialization
- Bug #1130: af-packet flow balancing problems
- Bug #1131: eve-log: missing user agent reported inconsistently
- Bug #1133: eve-log: http depends on regular http log
- Bug #1135: 2.0rc2 release doesn’t set optimization flag on GCC
- Bug #1138: alert fastlog drop info missing
New in Suricata 2.0 RC 2 (Mar 7, 2014)
- Notable changes:
- eve-log is now enabled by default
- SSH parser is re-enabled
- SSH logging was added to ‘eve-log’
- bundled libhtp was updated to 0.5.10
- All closed tickets:
- Feature #952: Add VLAN tag ID to all outputs
- Feature #953: Add QinQ tag ID to all outputs
- Feature #1012: Introduce SSH log
- Feature #1118: app-layer protocols http memcap – info in verbose mode (-v)
- Feature #1119: restore SSH protocol detection and parser
- Bug #611: fp: rule with ports matching on portless proto
- Bug #985: default config generates rule warnings and errors
- Bug #1021: 1.4.6: conf_filename not checked before use
- Bug #1089: SMTP: move depends on uninitialised value
- Bug #1090: FTP: Memory Leak
- Bug #1091: TLS-Handshake: Uninitialized value
- Bug #1092: HTTP: Memory Leak
- Bug #1108: suricata.yaml config parameter – segfault
- Bug #1109: PF_RING vlan handling
- Bug #1110: Can have the same Pattern ID (pid) for the same pattern but different case flags
- Bug #1111: capture stats at exit incorrect
- Bug #1112: tls-events.rules file missing
- Bug #1115: nfq: exit stats not working
- Bug #1120: segv with pfring/afpacket and eve-log enabled
- Bug #1121: crash in eve-log
- Bug #1124: ipfw build broken
New in Suricata 2.0 RC 1 (Feb 14, 2014)
- Bug #839: http events alert multiple times
- Bug #954: VLAN decoder stats with AF Packet get written to the first thread only - stats.log
- Bug #980: memory leak in http buffers at shutdown
- Bug #1066: logger API's for packet based logging and tx based logging
- Bug #1068: format string issues with size_t + qa not catching them
- Bug #1072: Segmentation fault in 2.0beta2: Custom HTTP log segmentation fault
- Bug #1073: radix tree lookups are not thread safe
- Bug #1075: CUDA 5.5 doesn't compile with 2.0 beta 2
- Bug #1079: Err loading rules with variables that contain negated content.
- Bug #1080: segfault - 2.0dev (rev 6e389a1)
- Bug #1081: 100% CPU utilization with suricata 2.0 beta2+
- Bug #1082: af-packet vlan handling is broken
- Bug #1103: stats.log not incrementing decoder.ipv4/6 stats when reading in QinQ packets
- Bug #1104: vlan tagged fragmentation
- Bug #1106: Git compile fails on Ubuntu Lucid
- Bug #1107: flow timeout causes decoders to run on pseudo packets
- Feature #424: App layer registration cleanup - Support specifying same alproto names in rules for different ip protocols
- Feature #542: TLS JSON output
- Feature #597: case insensitive fileext match
- Feature #772: JSON output for alerts
- Feature #814: QinQ tag flow support
- Feature #894: clean up output
- Feature #921: Override conf parameters
- Feature #1007: united output
- Feature #1040: Suricata should compile with -Werror
- Feature #1067: memcap for http inside suricata
- Feature #1086: dns memcap
- Feature #1093: stream: configurable segment pools
- Feature #1102: Add a decoder.QinQ stats in stats.log
- Feature #1105: Detect icmpv6 on ipv4
New in Suricata 2.0 Beta 2 (Dec 19, 2013)
- Some notable improvements are:
- This release overhauls the protocol detection feature. It now considers both sides of connection, and will raise events on mismatches.
- DNS parser and logger was much improved.
- Tilera support was greatly improved.
- Lots of performance and code quality improvements.
- New features:
- Feature #234: add option disable/enable individual app layer protocol inspection modules
- Feature #417: ip fragmentation time out feature in yaml
- Feature #478: XFF (X-Forwarded-For) support in Unified2
- Feature #602: availability for http.log output – identical to apache log format
- Feature #751: Add invalid packet counter
- Feature #813: VLAN flow support
- Feature #901: VLAN defrag support
- Feature #878: add storage api
- Feature #944: detect nic offloading
- Feature #956: Implement IPv6 reject
- Feature #983: Provide rule support for specifying icmpv4 and icmpv6
- Feature #1008: Optionally have http_uri buffer start with uri path for use in proxied environments
- Feature #1009: Yaml file inclusion support
- Feature #1032: profiling: per keyword stats
- Improvements and Fixes
- Bug #463: Suricata not fire on http reply detect if request are not http
- Feature #986: set htp request and response size limits
- Bug #895: response: rst packet bug
- Feature #940: randomize http body chunks sizes
- Feature #904: store tx id when generating an alert
- Feature #752: Improve checksum detection algorithm
- Feature #746: Decoding API modification
- Optimization #1018: clean up counters api
- Bug #907: icmp_seq and icmp_id keywords broken with icmpv6 traffic
- Bug #967: threshold rule clobbers suppress rules
- Bug #968: unified2 not logging tagged packets
- Bug #995: tag keyword: tagging sessions per time is broken
New in Suricata 1.4.7 (Dec 16, 2013)
- Fixes:
- Bug #996: tag keyword: tagging sessions per time is broken
- Bug #1000: delayed detect inits thresholds before de_ctx
- Bug #1001: ip_rep loading problem with multiple values for a single ip
- Bug #1022: StreamTcpPseudoPacketSetupHeader : port swap logic isn’t consistent
- Bug #1047: detect-engine.profile – custom value parsing broken
- Bug #1063: rule ordering with multiple vars
New in Suricata 1.4.6 (Sep 24, 2013)
- Fixes:
- Bug 958: malformed SSL records leading to crash. Reported by Sebastian Roschke. CVE-2013-5919.
- Bug 971: AC pattern matcher out of bounds memory read.
- Bug 965: improve negated content handling. Reported by Will Metcalf.
- Bug 937: fix IPv6-in-IPv6 decoding.
- Bug 934: improve address parsing.
- Bug 969: fix unified2 not logging tagged packets.
New in Suricata 1.4.5 (Jul 26, 2013)
- Fixes:
- Bug #908: ipv6 extension header parsing issue causing Suricata to hang
- Bug #906: icmp_seq and icmp_id keyword with icmpv6 traffic FP & FN
New in Suricata 2.0 Beta 1 (Jul 19, 2013)
- New features:
- Luajit flow vars and flow ints support (#593)
- DNS parser, logger and keyword support (#792), funded by Emerging Threats
- deflate support for HTTP response bodies (#470, #775)
- Improvements:
- update to libhtp 0.5 (#775)
- improved gzip support for HTTP response bodies (#470, #775)
- redesigned transaction handling, improving both accuracy and performance (#753)
- redesigned CUDA support (#729)
- Be sure to always apply verdict to NFQ packet (#769)
- stream engine: SACK allocs should adhere to memcap (#794)
- stream: deal with multiple different SYN/ACK’s better (#796)
- stream: Randomize stream chunk size for raw stream inspection (#804)
- Introduce per stream thread ssn pool (#519)
- “pass” IP-only rules should bypass detection engine after matching (#718)
- Generate error if bpf is used in IPS mode (#777)
- Add support for batch verdicts in NFQ, thanks to Florian Westphal
- Update Doxygen config, thanks to Phil Schroeder
- Improve libnss detection, thanks to Christian Kreibich
- Fixes:
- Fix a FP on rules looking for port 0 and fragments (#847), thanks to Rmkml
- OS X unix socket build fixed (#830)
- bytetest, bytejump and byteextract negative offset failure (#827)
- Fix fast.log formatting issues (#771), thanks to Rmkml
- Invalidate negative depth (#774), thanks to Rmkml
- Fixed accuracy issues with relative pcre matching (#791)
- Fix deadlock in flowvar capture code (#802)
- Improved accuracy of file_data keyword (#817)
- Fix af-packet ips mode rule processing bug (#819), thanks to Laszlo Madarassy
- stream: fix injecting pseudo packet too soon leading to FP (#883), thanks to Francis Trudeau
New in Suricata 1.4.4 (Jul 18, 2013)
- Bug #834: Unix socket - showing as compiled when it is not desired to do so
- Bug #835: Unix Socket not working as expected
- Bug #841: configure --enable-unix-socket does not err out if libs/pkgs are not present
- Bug #846: FP on IP frag and sig use udp port 0, thanks to Rmkml
- Bug #864: backport packet action macro's
- Bug #876: htp tunnel fix
- Bug #877: Flowbit check with content doesn't match consistently, thanks to Francis Trudeau
New in Suricata 1.4.3 (Jun 21, 2013)
- Fixes:
- Fix missed detection in bytetest, bytejump and byteextract for negative offset (#828)
- Fix IPS mode being unable to drop tunneled packets (#826)
- Fix OS X Unix Socket build (#829)
New in Suricata 1.4.2 (Jun 21, 2013)
- Improvements:
- No longer force "nocase" to be used on http_host
- Invalidate rule if uppercase content is used for http_host w/o nocase
- Warn user if bpf is used in af-packet IPS mode
- Better test for available libjansson version
- Fixes:
- Fixed accuracy issues with relative pcre matching (#784)
- Improved accuracy of file_data keyword (#788)
- Invalidate negative depth (#770)
- Fix http host parsing for IPv6 addresses (#761)
- Fix fast.log formatting issues (#773)
- Fixed deadlock in flowvar set code for http buffers (#801)
- Various signature ordering improvements
- Minor stream engine fix
New in Suricata 1.4.1 (Mar 8, 2013)
- New features:
- GeoIP keyword, allowing matching on Maxmind’s database, contributed by Ignacio Sanchez (#559)
- Introduce http_host and http_raw_host keywords (#733, #743)
- Add python module for interacting with unix socket (#767)
- Add new unix socket commands: fetching config, counters, basic runtime info (#764, #765)
- Improvements:
- Big Napatech support update by Matt Keeler
- Configurable sensor id in unified2 output, contributed by Jake Gionet (#667)
- FreeBSD IPFW fixes by Nikolay Denev
- Add “default” interface setting to capture configuration in yaml (#679)
- Make sure “snaplen” can be set by the user (#680)
- Improve HTTP URI query string normalization (#739)
- Improved error reporting in MD5 loading (#693)
- Improve reference.config parser error reporting (#737)
- Improve build info output to include all configure options (#738)
- Fixes:
- Segfault in TLS parsing reported by Charles Smutz (#725)
- Fix crash in teredo decoding, reported by Rmkml (#736)
- fixed UDPv4 packets without checksum being detected as invalid (#760)
- fixed DCE/SMB parsers getting confused in some fragmented cases (#764)
- parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#697)
- FN: IP-only rule ip_proto not matching for some protocols (#689)
- Fix build failure with other libhtp installs (#688)
- Fix malformed yaml loading leading to a crash (#694)
- Various Mac OS X fixes (#700, #701, #703)
- Fix for autotools on Mac OS X by Jason Ish (#704)
- Fix AF_PACKET under high load not updating stats (#706)
New in Suricata 1.4 (Dec 14, 2012)
- New features:
- Unix socket mode for batched processing of series of pcap (#571, #552) (experimental)
- Interaction with Suricata via uix socket (#571, #552) (experimental)
- IP Reputation: loading and matching (#647) (experimental)
- New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346) (experimental)
- Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
- Support for pkt_data keyword was added (#423)
- Improved --list-keywords commandline option gives detailed info for supported keyword, including doc link (#435)
- User and group to run as can now be set in the config file
- Add stream event to match on overlaps with different data in stream reassembly (#603)
- Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
- Rules can be set to inspect only IPv4 or IPv6 (#494)
- Added ability to control per server HTTP parser settings in much more detail (#503)
- Make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
- Filesize keyword for matching on sizes of files in HTTP (#489)
- Custom HTTP logging contributed by Ignacio Sanchez (#530)
- TLS certificate logging and fingerprint computation and keyword by Jean-Paul Roliers (#443)
- TLS certificate store to disk feature Jean-Paul Roliers (#444)
- AF_PACKET IPS support (#516)
- NFQ fail open support (#507)
- PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
- Support for Napatech cards through their 3rd generation driver was added by Matt Keeler from Npulse (#430, #619)
- Endace support improved
- New runmode for users of pcap wrappers (Myricom, PF_RING, others)
- Improvements:
- Add contrib directory to the dist (#567)
- Performance improvements to signatures with dsize option
- Improved rule analyzer: print fast_pattern along with the rule (#558)
- Fixes to stream engine reducing the number of events generated (#604)
- Stream.inline option new defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592)
- HTTP handling in OOM condition was greatly improved (#557)
- Filemagic keyword performance was improved (#585)
- Updated bundled libhtp to 0.2.11
- Build system improvements and cleanups
- Live reloads now supports HTTP rule updates better (#522)
- AF_PACKET performance improvements (#197, #415)
- Make defrag more configurable (#517, #528)
- Improve pool performance (#518)
- Improve file inspection keywords by adding a separate API (#531)
- Example threshold.config file provided (#302)
- Changes since 1.4rc1:
- Decoder event matching fixed (#672)
- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#665)
- Add more events to IPv6 extension header anomolies (#678)
- Fix ICMPv6 payload and checksum calculation (#677, #674)
- Clean up flow timeout handling (#656)
- Fix a shutdown bug when using AF_PACKET under high load (#653)
- Fix TCP sessions being cleaned up to early (#652)
New in Suricata 1.3.5 (Dec 7, 2012)
- Fixes:
- Flow engine memory leak fixed by Ludovico Cavedon (#651)
- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#664)
- Flow manager mutex used unintialized, fixed by Ludovico Cavedon (#654)
- Windows building in CYGWIN fixed (#630)
New in Suricata 1.4 RC1 (Nov 29, 2012)
- New features:
- Interactive unix socket mode (#571, #552)
- IP Reputation: loading and matching (#647)
- Improved --list-keywords commandline option gives detailed info for supported keyword, including doc link (#435)
- Improvements:
- Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494)
- User-Agent added to file log and filestore meta files (#629)
- Endace DAG supports live stats and at exit drop stats (#638)
- Add support for libhtp event "request port doesn't match tcp port" (#650)
- Fixes:
- Rules with negated addresses will not be considered IP-only (#599)
- Rule reloads complete much faster in low traffic conditions (#526)
- Suricata -h now displays all available options (#419)
- Luajit configure time detection was improved (#636)
- Flow manager mutex used w/o initialization (#628)
- Cygwin work around for windows shell mangling interface string (#372)
- Fix a Prelude output crash with alerts generated by rules w/o classtype or msg (#648)
- CLANG compiler build fixes (#649)
- Several fixes found by code analyzers
New in Suricata 1.4 Beta 3 (Nov 15, 2012)
- New features:
- support for Napatech cards through their 3rd generation driver was added by Matt Keeler from Npulse (#430, #619)
- support for pkt_data keyword was added
- user and group to run as can now be set in the config file
- make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
- PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
- add stream event to match on overlaps with different data in stream reassembly (#603)
- Improvements:
- add contrib directory to the dist (#567)
- performance improvements to signatures with dsize option
- improved rule analyzer: print fast_pattern along with the rule (#558)
- fixes to stream engine reducing the number of events generated (#604)
- stream.inline option new defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592)
- HTTP handling in OOM condition was greatly improved (#557)
- filemagic keyword performance was improved (#585)
- updated bundled libhtp to 0.2.11
- build system improvements and cleanups
- Fixes:
- fixes and improvements to daemon mode (#624)
- fix drop rules not working correctly when thresholded (#613)
- fixed a possible FP when a regular and "chopped" fast_pattern were the same (#581)
- fix a false possitive condition in http_header (#607)
- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#627)
- fixes to rule profiling (#576)
- cleanups and misc fixes (#379, #395)
- fix to SSL record parsing
New in Suricata 1.3.4 (Nov 15, 2012)
- Fixes:
- fix crash in flow and host engines in cases of low memory or low memcap settings (#617)
- improve http handling in low memory conditions (#620)
- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#626)
- fix building on OpenBSD 5.2
- update default config's defrag settings to reflect all available options
- fixes to make check
- fix to SSL record parsing
New in Suricata 1.3.3 (Nov 2, 2012)
- Fixes:
- fix drop rules not working correctly when thresholded (#615)
- fix a false positive condition in http_header (#606)
- fix extracted file corruption (#601)
- fix a false positive condition with the pcre keyword and relative matching (#588)
- fix PF_RING set cluster problem on dma interfaces (#598)
- improve http handling in low memory conditions (#586, #587)
- fix FreeBSD inline mode crash (#612)
- suppress pcre jit warning (#579)
New in Suricata 1.4 Beta 2 (Oct 5, 2012)
- New features:
- New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346)
- Added ability to control per server HTTP parser settings in much more detail (#503)
- Improvements:
- Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540)
- Big performance improvement in inspecting decoder, stream and app layer events (#555)
- Pool performance improvements (#541)
- Improved performance of signatures with simple pattern setups (#577)
- Bundled docs are installed upon make install (#527)
- Support for a number of global vs rule thresholds was added (#425)
- Improved rule profiling performance
- If not explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded.
- Fixes:
- Fix compilation on architectures other than x86 and x86_64 (#572)
- Fix FP with anchored pcre combined with relative matching (#529)
- Fix engine hanging instead of exitting if the pcap device doesn't exist (#533)
- Work around for potential FP, will get properly fixed in next release (#574)
- Improve ERF handling. Thanks to Jason Ish
- Always set cluster_id in PF_RING
- IPFW: fix broken broadcast handling
- AF_PACKET kernel offset issue, IPS fix and cleanup
- Fix stream engine sometimes resending the same data to app layer
- Fix multiple issues in HTTP multipart parsing
- Fixed a lockup at shutdown with NFQ (#537)
New in Suricata 1.3.2 (Oct 4, 2012)
- Fixed a possible FP when a regular and "chopped" fast_pattern were the same (#562)
- Fixed a FN condition with the flow:no_stream option (#575)
- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
- Fix multiple issues in HTTP multipart parsing
- Fix stream engine sometimes resending the same data to app layer
- Always set cluster_id in PF_RING
- Defrag: silence some potentially noisy errors/warnings
- IPFW: fix broken broadcast handling
- AF_PACKET kernel offset issue
New in Suricata 1.4 Beta 1 (Sep 7, 2012)
- Custom HTTP logging contributed by Ignacio Sanchez (#530)
- TLS certificate logging and fingerprint computation and keyword (#443)
- TLS certificate store to disk feature (#444)
- Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
- AF_PACKET IPS support (#516)
- Rules can be set to inspect only IPv4 or IPv6 (#494)
- filesize keyword for matching on sizes of files in HTTP (#489)
- Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
- NFQ fail open support (#507)
- Highly experimental lua scripting support for detection
- Live reloads now supports HTTP rule updates better (#522)
- AF_PACKET performance improvements (#197, #415)
- Make defrag more configurable (#517, #528)
- Improve pool performance (#518)
- Improve file inspection keywords by adding a separate API (#531)
- Example threshold.config file provided (#302)
- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
- Various spelling corrections by Simon Moon (#533)
New in Suricata 1.3.1 (Aug 30, 2012)
- AF_PACKET performance improvements
- Defrag engine performance improvements
- HTTP: add per server options to enable/disable double decoding of URI (#464, #504)
- Stream engine packet handling for packets with non-standard flag combinations (#508)
- Improved stream engine handling of packet loss (#523)
- Stream engine checksum alerting fixed
- Various rule analyzer fixes (#495, #496, #497)
- (Rule) profiling fixed and improved (#460, #466)
- Enforce limit on max-pending-packets (#510)
- fast_pattern on negated content improved
- TLS rule keyword parsing issues
- Windows build fixes (#502)
- Host OS parsing issues fixed (#499)
- Reject signatures where content length is bigger than "depth" setting (#505)
- Removed unused "prune-flows" option
New in Suricata 1.3 (Jul 7, 2012)
- make live rule reloads optional and disabled by default
- fix a shutdown bug
- fix several memory leaks (#492)
- warn user if global and rule thresholding conflict (#455)
- set thread names on FreeBSD (Nikolay Denev)
- Fix PF_RING building on Ubuntu 12.04
- rule analyzer updates
- file inspection improvements when dealing with limits (#493)
New in Suricata 1.3 RC 1 (Jun 30, 2012)
- experimental live rule reload by sending a USR2 signal (#279)
- AF_PACKET BPF support (#449)
- AF_PACKET live packet loss counters (#441)
- Rule analyzer (#349)
- add pcap workers runmode for use with libpcap wrappers that support load balancing, such as Napatech's or Myricom's
- negated filemd5 matching, allowing for md5 whitelisting
- signatures with depth and/or offset are now checked against packets in addition to the stream (#404)
- http_cookie keyword now also inspects "Set-Cookie" header (#479)
- filemd5 keyword no longer depends on log-file output module (#447)
- http_raw_header keyword inspects original header line terminators (#475)
- deal with double encoded URI (#464)
- improved SMB/SMB2/DCERPC robustness
- ICMPv6 parsing fixes
- improve HTTP body inspection
- stream.inline accuracy issues fixed (#339)
- general stability fixes (#482, #486)
- missing unittests added (#471)
- "threshold.conf not found" error made more clear (#446)
- IPS mode segment logging for Unified2 improved
New in Suricata 1.3 Beta 2 (Jun 9, 2012)
- experimental support for matching on large lists of known file MD5 checksums
- Improved performance for file_data, http_server_body and http_client_body keywords
- Improvements to HTTP handling: multipart parsing, gzip decompression
- Byte_extract can support negative offsets now (#445)
- Support for PF_RING 5.4 added. Many thanks to Chris Wakelin (#459)
- HOME_NET and EXTERNAL_NET and the other vars are now checked for common errors (#454)
- Improved error reporting when using too long address strings (#451)
- MD5 calculation improvements for daemon mode and other cases (#449)
- File inspection scripts: Added Syslog action for logging to local syslog. Thanks to Martin Holste.
- Rule parser is made more strict.
- Unified2 output overhaul, logging individual segments in more cases.
- detection_filter keyword accuracy problem was fixed (#453)
- Don't inspect cookie header with http header (#461)
- Crash with a rule with two byte_extract keywords (#456)
- SSL parser fixes. Thanks to Chris Wakelin for testing the patches! (#476)
- Accuracy issues in HTTP inspection fixed. Thanks to Rmkml (#452)
- Improve escaping of some characters in logs (#418)
- Checksum calculation bugs fixed
- IPv6 parsing issues fixed. Thanks to Michel Saborde.
- Endace DAG issues fixed. Thanks to Jason Ish from Endace.
- Various OpenBSD related fixes.
- Fixes for bugs found by Coverity source code analyzer.
New in Suricata 1.3 Beta 1 (Apr 5, 2012)
- TLS/SSL handshake parser, tls.subjectdn and tls.issuerdn keywords (#296, contributed by Pierre Chifflier)
- Napatech capture card support (contributed by Randy Caldejon -nPulse)
- Scripts for looking up files / file md5's at Virus Total and others (contributed by Martin Holste)
- Test mode: -T option to test the config (#271)
- Ringbuffer and zero copy support for AF_PACKET
- Commandline options to list supported app layer protocols and keywords (#344, #414)
- File extraction for HTTP POST request that do not use multipart bodies
- On the fly md5 checksum calculation of extracted files
- Line based file log, in json format
- Basic support for including other yaml files into the main yaml
- New multi pattern engine: ac-bs
- Profiling improvements, added lock profiling code
- Improved HTTP CONNECT support in libhtp (#427, Brian Rectanus -Qualys)
- Unified yaml naming convention, including fallback support (by Nikolay Denev)
- Improved Endace DAG support (#431, Jason Ish -Endace)
- New default runmode: "autofp" (#433)
- Major rewrite of flow engine, improving scalability.
- Improved http_stat_msg and http_stat_code keywords (#394)
- Improved scalability for Tag and Threshold subsystems
- Made the rule keyword parser much stricter in detecting syntax errors
- Split "file" output into "file-store" and "file-log" outputs
- Much improved file extraction
- CUDA build fixes (#421)
- Various FP's reported by Rmkml (#403, #405, #411)
- IPv6 decoding and detection issues (reported by Michel Sarborde)
- PCAP logging crash (#422)
- Fixed many (potential) issues with the help of the Coverity source code analyzer
- Fixed several (potential) issues with the help of the cppcheck and clang/scan-build source code analyzers
New in Suricata 1.2.1 (Jan 23, 2012)
- fix malformed unified2 records when writing alerts trigger by stream inspection (#402)
- only force a pseudo packet inspection cycle for TCP streams in a state >= established
New in Suricata 1.2 (Jan 20, 2012)
- improved Windows/CYGWIN path handling (#387)
- fixed some issues with passing an interface or ip address with -i
- make live worker runmode threads adhere to the 'detect' cpu affinity settings
New in Suricata 1.2 RC 1 (Jan 12, 2012)
- app-layer-events keyword: similar to the decoder-events and stream-events, this will allow matching on HTTP and SMTP events
- auto detection of checksum offloading per interface (#311)
- urilen options to match on raw or normalized URI (#341)
- flow keyword option "only_stream" and "no_stream"
- unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250)
- in IPS mode, reject rules now also drop (#399)
- http_header now also inspects response headers (#389)
- "worker" runmodes for NFQ and IPFW
- performance improvement for "ac" pattern matcher
- allow empty/non-initialized flowints to be incremented
- PCRE-JIT is now enabled by default if available (#356)
- many file inspection and extraction improvements
- flowbits and flowints are now modified in a post-match action list
- general performance increasements
- fixed parsing really high sid numbers >2 Billion (#393)
- fixed ICMPv6 not matching in IP-only sigs (#363)
New in Suricata 1.2 Beta 1 (Dec 20, 2011)
- File name, type inspection and extraction for HTTP
- filename, fileext, filemagic and filestore keywords added
- "file" output for storing extracted files to disk
- file_data keyword support, inspecting normalized, dechunked, decompressed HTTP response body (feature #241
- new keyword http_server_body, pcre regex /S option
- Option to enable/disable core dumping from the suricata.yaml (enabled by default)
- Human readable size limit settings in suricata.yaml
- PF_RING bpf support (required PF_RING >= 5.1) (feature #334)
- tos keyword support (feature #364)
- IPFW IPS mode does now support multiple divert sockets
- New IPS running modes, Linux and FreeBSD do now support "worker" and "autofp"
- Improved alert accuracy in autofp and single runmodes
- major performance optimizations for the ac-gfbs pattern matcher implementation
- unified2 output fixes
- PF_RING supports privilege dropping now (bug #367)
- Improved detection of duplicate signatures
New in Suricata 1.1.1 (Dec 8, 2011)
- Fix for a error in the smtp parser that could crash Suricata.
- Fix for AF_PACKET not compiling on modern linux systems like Fedora 16.
New in Suricata 1.1 (Nov 12, 2011)
- CUDA build fixed
- minor pcap, AF_PACKET and PF_RING fixes (#368)
- bpf handling fix
- Windows CYGWIN build
- more cleanups
New in Suricata 1.1 RC 1 (Nov 5, 2011)
- New features:
- extended HTTP request logging for use with (among other things) http_agent for Sguil (#38)
- AF_PACKET report drop stats on shutdown (#325)
- new counters in stats.log for flow and stream engines (#348)
- Improvements:
- SMTP parsing code support for BDAT command (#347)
- HTTP URI normalization no longer converts to lowercase (#362)
- AF_PACKET works with privileges dropping now (#361)
- Prelude output for state matches (#264, #355)
- Under the hood:
- update of the pattern matching code that should improve accuracy
- rule parser was made more strict (#295, #312)
- Notable Fixes & Changes:
- multiple event suppressions for the same SID was fixed (#366)
- several accuracy fixes
- removal of the unified1 output plugins (#353)
New in Suricata 1.0.5 (Jul 26, 2011)
- Fix stream reassembly bug #300. Thanks to Rmkml for the report.
- Fix several (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat.
New in Suricata 1.0.4 (Jun 25, 2011)
- LibHTP updated to 0.2.6
- Large number of (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat.
- Large number of (potential) issues fixed after source code scans with the Clang static analizer.
New in Suricata 1.1 Beta 2 (Apr 13, 2011)
- New features
- New keyword support: http_raw_uri (including /I for pcre), ssl_state, ssl_version (#258, #259, #260, #262).
- Inline mode for the stream engine (#230, #248).
- New keyword support: nfq_set_mark
- Included an example decoder-events.rules file
- api for adding and selecting runmodes was added
- pcap logging / recording output was added
- basic SCTP protocol parsing was added
- more fine grained CPU affinity setting support was added
- Improvements
- stream engine inspects stream in larger chunks
- fast_pattern support for http_method content modifier (#255)
- negation support for isdataat keyword (#257)
- configurable interval for stats.log updates (#247)
- new pf_ring runmode was added that scales better
- pcap live mode now handles the monitor interface going up and down
- several QA additions to "make check"
- NFQ (linux inline) mode was improved
- Fixes
- Alerts classification fix (#275)
- compiles and runs on big-endian systems (#63)
- unified2 output works around barnyard2 issues with DLT_RAW + IPv6
New in Suricata 0.9.1 (May 27, 2010)
- New features:
- support for the asn1 keyword added
- support for reading of ERF files added
- basic rule profiling functionality added
- ssl2/ssl3 app layer support added
- detection engine was made partly stateful
- Improvements:
- multiple regressions in the detection engine causing false negatives were fixed
- many accuracy and stability improvements were made
- icmp handling in the flow engine was improved