Suricata Changelog

New in Suricata 3.0.1 (Jun 22, 2016)

  • Fixes for multiple stability issues
  • Many memory leak fixes
  • Hyperscan MPM support (experimental)

New in Suricata 2.1 Beta 4 (May 11, 2015)

  • New Features:
  • Feature #1448: xbits support
  • Feature #336: Add support for NETMAP to Suricata
  • Feature #885: smtp file_data support
  • Feature #1394: Improve TCP reuse support
  • Feature #1445: Suricata does not work on pfSense/FreeBSD interfaces using PPPoE
  • Feature #1447: Ability to reject ICMP traffic
  • Feature #1410: add alerts to EVE’s drop logs
  • Improvements:
  • Optimization #1014: app layer reassembly fast-path
  • Optimization #1377: flow manager: reduce (try)locking
  • Optimization #1403: autofp packet pool performance problems
  • Optimization #1409: http pipeline support for stateful detection
  • Bug #1314: http-events performance issues
  • Bugs:
  • Bug #1340: null ptr dereference in Suricata v2.1beta2
  • Bug #1352: file list is not cleaned up
  • Bug #1358: Gradual memory leak using reload (kill -USR2 $pid)
  • Bug #1366: Crash if default_packet_size is below 32 bytes
  • Bug #1378: stats api doesn’t call thread deinit funcs
  • Bug #1384: tcp midstream window issue (master)
  • Bug #1388: pcap-file hangs on systems w/o atomics support (master)
  • Bug #1392: http uri parsing issue (master)
  • Bug #1393: CentOS 5.11 build failures
  • Bug #1398: DCERPC traffic parsing issue (master)
  • Bug #1401: inverted matching on incomplete session
  • Bug #1402: When re-opening files on HUP (rotation) always use the append flag.
  • Bug #1417: no rules loaded – latest git – rev e250040
  • Bug #1425: dead lock in de_state vs flowints/flowvars
  • Bug #1426: Files prematurely truncated by detection engine even though force-md5 is enabled
  • Bug #1429: stream: last_ack update issue leading to stream gaps
  • Bug #1435: EVE-Log alert payload option loses data
  • Bug #1441: Local timestamps in json events
  • Bug #1446: Unit ID check in Modbus packet error
  • Bug #1449: smtp parsing issue
  • Bug #1451: Fix list-keywords regressions
  • Bug #1463: modbus parsing issue

New in Suricata 2.0.8 (May 7, 2015)

  • Changes:
  • Bug #1450: tls parsing issue
  • Bug #1460: pcap parsing issue
  • Bug #1461: potential deadlock
  • Bug #1404: Alert-Debuglog not being rotated on SIGHUP
  • Bug #1420: inverted matching on incomplete session
  • Bug #1462: various issues in rule and yaml parsing

New in Suricata 2.0.7 (Feb 28, 2015)

  • Changes:
  • Bug #1385: DCERPC traffic parsing issue
  • Bug #1391: http uri parsing issue
  • Bug #1383: tcp midstream window issue
  • Bug #1318: A thread-sync issue in streamTCP
  • Bug #1375: Regressions in list keywords option
  • Bug #1387: pcap-file hangs on systems w/o atomics support
  • Bug #1395: dump-counters unix socket command failure
  • Optimization #1376: file list is not cleaned up
  • Security:
  • The DCERPC parsing issue has CVE-2015-0928 assigned to it.

New in Suricata 2.1 Beta 3 (Jan 30, 2015)

  • New Features:
  • Feature #1309: Lua support for Stats output
  • Feature #1310: Modbus parsing and matching
  • Improvements:
  • Optimization #1339: flow timeout optimization
  • Optimization #1371: mpm optimization
  • Feature #1317: Lua: Indicator for end of flow
  • Feature #1333: unix-socket: allow (easier) non-root usage
  • Feature #1261: Request for Additional Lua Capabilities
  • Bugs:
  • Bug #977: WARNING on empty rules file is fatal (should not be)
  • Bug #1184: pfring: cppcheck warnings
  • Bug #1321: Flow memuse bookkeeping error
  • Bug #1327: pcre pkt/flowvar capture broken for non-relative matches (master)
  • Bug #1332: cppcheck: ioctl
  • Bug #1336: modbus: CID 1257762: Logically dead code (DEADCODE)
  • Bug #1351: output-json: duplicate logging (2.1.x)
  • Bug #1354: coredumps on quitting on OpenBSD
  • Bug #1355: Bus error when reading pcap-file on OpenBSD
  • Bug #1363: Suricata does not compile on OS X/Clang due to redefinition of string functions (2.1.x)
  • Bug #1365: evasion issues (2.1.x)

New in Suricata 2.0.6 (Jan 15, 2015)

  • Changes:
  • Bug #1364: evasion issues
  • Bug #1337: output-json: duplicate logging
  • Bug #1325: tls detection leads to tcp stream reassembly sequence gaps (IPS)
  • Bug #1192: Suricata does not compile on OS X/Clang due to redefinition of string functions
  • Bug #1183: pcap: cppcheck warning

New in Suricata 2.0.5 (Dec 30, 2014)

  • Changes:
  • Bug #1190: http_header keyword not matching when SYN|ACK and ACK missing
  • Bug #1246: EVE output Unix domain socket not working
  • Bug #1272: Segfault in libhtp 0.5.15
  • Bug #1298: Filestore keyword parsing issue
  • Bug #1303: improve stream ‘bad window update’ detection
  • Bug #1304: improve stream handling of bad SACK values
  • Bug #1305: fix tcp session reuse for ssh/ssl sessions
  • Bug #1307: byte_extract, within combination not working
  • Bug #1326: pcre pkt/flowvar capture broken for non-relative matches
  • Bug #1329: Invalid rule being processed and loaded
  • Bug #1330: Flow memuse bookkeeping error (2.0.x)

New in Suricata 2.0.4 (Sep 23, 2014)

  • Changes:
  • Bug #1276: ipv6 defrag issue with routing headers
  • Bug #1278: ssh banner parser issue
  • Bug #1254: sig parsing crash on malformed rev keyword
  • Bug #1267: issue with ipv6 logging
  • Bug #1273: Lua – http.request_line not working
  • Bug #1284: AF_PACKET IPS mode not logging drops and stream inline issue
  • Security:
  • CVE-2014-6603

New in Suricata 2.1 Beta (Aug 13, 2014)

  • New Features:
  • Feature #1248: flow/connection logging
  • Feature #1155 & #1208: Log packet payloads in eve alerts
  • Improvements:
  • Optimization #1039: Packetpool should be a stack
  • Optimization #1241: pcap recording: record per thread
  • Feature #1258: json: include HTTP info with Alert output
  • AC matcher start up optimizations
  • BM matcher runtime optimizations by Ken Steele
  • Removals:
  • ‘pcapinfo’ output was removed. Suriwire now works with the JSON ‘eve’ output

New in Suricata 2.0.3 (Aug 8, 2014)

  • Bug #1236: fix potential crash in http parsing
  • Bug #1244: ipv6 defrag issue
  • Bug #1238: Possible evasion in stream-tcp-reassemble.c
  • Bug #1221: lowercase conversion table missing last value
  • Support #1207: Cannot compile on CentOS 5 x64 with --enable-profiling
  • Updated bundled libhtp to 0.5.15

New in Suricata 2.0.2 (Jul 4, 2014)

  • Notable changes:
  • IP defrag issue leading to evasion. Bug discovered by Antonios Atlasis working with ERNW GmbH
  • Support for NFLOG as a capture method. Nice work by Giuseppe Longo
  • DNS TXT parsing and logging. Funded by Emerging Threats
  • Log rotation through SIGHUP. Created by Jason Ish of Endace/Emulex
  • All closed tickets:
  • Feature #781: IDS using NFLOG iptables target
  • Feature #1158: Parser DNS TXT data parsing and logging
  • Feature #1197: liblua support
  • Feature #1200: sighup for log rotation
  • Bug #1098: http_raw_uri with relative pcre parsing issue
  • Bug #1175: unix socket: valgrind warning
  • Bug #1189: abort() in 2.0dev (rev 6fbb955) with pf_ring 5.6.3
  • Bug #1195: nflog: cppcheck reports memleaks
  • Bug #1206: ZC pf_ring not working with Suricata 2.0.1 (or latest git)
  • Bug #1211: defrag issue
  • Bug #1212: core dump (after a while) when app-layer.protocols.http.enabled = yes
  • Bug #1214: Global Thresholds (sig_id 0, gid_id 0) not applied correctly if a signature has event vars
  • Bug #1217: Segfault in unix-manager.c line 529 when using --unix-socket and sending pcap files to be analyzed via socket

New in Suricata 2.0.1 (May 21, 2014)

  • Notable changes:
  • OpenSSL Heartbleed detection. Thanks to Pierre Chifflier and Will Metcalf
  • Fixed Unix Socket runmode
  • Fixed AF_PACKET IPS support
  • All closed tickets:
  • Feature #1157: Always create pid file if --pidfile command line option is provided
  • Feature #1173: tls: OpenSSL heartbleed detection
  • Bug #978: clean up app layer parser thread local storage
  • Bug #1064: Lack of Thread Deinitialization For Decoder Modules
  • Bug #1101: Segmentation in AppLayerParserGetTxCnt
  • Bug #1136: negated app-layer-protocol FP on multi-TX flows
  • Bug #1141: dns response parsing issue
  • Bug #1142: dns tcp toclient protocol detection
  • Bug #1143: tls protocol detection in case of tls-alert
  • Bug #1144: icmpv6: unknown type events for MLD_* types
  • Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
  • Bug #1146: tls: event on ‘new session ticket’ in handshake
  • Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
  • Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
  • Bug #1161: eve: src and dst mixed up in some cases
  • Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
  • Bug #1163: HTP Segfault
  • Bug #1165: af_packet – one thread consistently not working
  • Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
  • Bug #1176: AF_PACKET IPS mode is broken in 2.0
  • Bug #1177: eve log do not show action ‘dropped’ just ‘allowed’
  • Bug #1180: Possible problem in stream tracking

New in Suricata 2.0.1 RC 1 (May 12, 2014)

  • Notable changes:
  • OpenSSL Heartbleed detection. Thanks to Pierre Chifflier and Will Metcalf
  • Fixed Unix Socket runmode
  • Fixed AF_PACKET IPS support
  • All closed tickets:
  • Feature #1157: Always create pid file if --pidfile command line option is provided
  • Feature #1173: tls: OpenSSL heartbleed detection
  • Bug #978: clean up app layer parser thread local storage
  • Bug #1064: Lack of Thread Deinitialization For Decoder Modules
  • Bug #1101: Segmentation in AppLayerParserGetTxCnt
  • Bug #1136: negated app-layer-protocol FP on multi-TX flows
  • Bug #1141: dns response parsing issue
  • Bug #1142: dns tcp toclient protocol detection
  • Bug #1143: tls protocol detection in case of tls-alert
  • Bug #1144: icmpv6: unknown type events for MLD_* types
  • Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
  • Bug #1146: tls: event on ‘new session ticket’ in handshake
  • Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
  • Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
  • Bug #1161: eve: src and dst mixed up in some cases
  • Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
  • Bug #1163: HTP Segfault
  • Bug #1165: af_packet – one thread consistently not working
  • Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
  • Bug #1176: AF_PACKET IPS mode is broken in 2.0
  • Bug #1177: eve log do not show action ‘dropped’ just ‘allowed’
  • Bug #1180: Possible problem in stream tracking

New in Suricata 2.0 (Mar 25, 2014)

  • Bug #1151: tls.store not working when a TLS filter keyword is used

New in Suricata 2.0 RC 3 (Mar 20, 2014)

  • Fixed:
  • Bug #1127: logstash & suricata parsing issue
  • Bug #1128: Segmentation fault – live rule reload
  • Bug #1129: pfring cluster & ring initialization
  • Bug #1130: af-packet flow balancing problems
  • Bug #1131: eve-log: missing user agent reported inconsistently
  • Bug #1133: eve-log: http depends on regular http log
  • Bug #1135: 2.0rc2 release doesn’t set optimization flag on GCC
  • Bug #1138: alert fastlog drop info missing

New in Suricata 2.0 RC 2 (Mar 7, 2014)

  • Notable changes:
  • eve-log is now enabled by default
  • SSH parser is re-enabled
  • SSH logging was added to ‘eve-log’
  • bundled libhtp was updated to 0.5.10
  • All closed tickets:
  • Feature #952: Add VLAN tag ID to all outputs
  • Feature #953: Add QinQ tag ID to all outputs
  • Feature #1012: Introduce SSH log
  • Feature #1118: app-layer protocols http memcap – info in verbose mode (-v)
  • Feature #1119: restore SSH protocol detection and parser
  • Bug #611: fp: rule with ports matching on portless proto
  • Bug #985: default config generates rule warnings and errors
  • Bug #1021: 1.4.6: conf_filename not checked before use
  • Bug #1089: SMTP: move depends on uninitialised value
  • Bug #1090: FTP: Memory Leak
  • Bug #1091: TLS-Handshake: Uninitialized value
  • Bug #1092: HTTP: Memory Leak
  • Bug #1108: suricata.yaml config parameter – segfault
  • Bug #1109: PF_RING vlan handling
  • Bug #1110: Can have the same Pattern ID (pid) for the same pattern but different case flags
  • Bug #1111: capture stats at exit incorrect
  • Bug #1112: tls-events.rules file missing
  • Bug #1115: nfq: exit stats not working
  • Bug #1120: segv with pfring/afpacket and eve-log enabled
  • Bug #1121: crash in eve-log
  • Bug #1124: ipfw build broken

New in Suricata 2.0 RC 1 (Feb 14, 2014)

  • Bug #839: http events alert multiple times
  • Bug #954: VLAN decoder stats with AF Packet get written to the first thread only - stats.log
  • Bug #980: memory leak in http buffers at shutdown
  • Bug #1066: logger APIs for packet based logging and tx based logging
  • Bug #1068: format string issues with size_t + qa not catching them
  • Bug #1072: Segmentation fault in 2.0beta2: Custom HTTP log segmentation fault
  • Bug #1073: radix tree lookups are not thread safe
  • Bug #1075: CUDA 5.5 doesn't compile with 2.0 beta 2
  • Bug #1079: Err loading rules with variables that contain negated content.
  • Bug #1080: segfault - 2.0dev (rev 6e389a1)
  • Bug #1081: 100% CPU utilization with suricata 2.0 beta2+
  • Bug #1082: af-packet vlan handling is broken
  • Bug #1103: stats.log not incrementing decoder.ipv4/6 stats when reading in QinQ packets
  • Bug #1104: vlan tagged fragmentation
  • Bug #1106: Git compile fails on Ubuntu Lucid
  • Bug #1107: flow timeout causes decoders to run on pseudo packets
  • Feature #424: App layer registration cleanup - Support specifying same alproto names in rules for different ip protocols
  • Feature #542: TLS JSON output
  • Feature #597: case insensitive fileext match
  • Feature #772: JSON output for alerts
  • Feature #814: QinQ tag flow support
  • Feature #894: clean up output
  • Feature #921: Override conf parameters
  • Feature #1007: united output
  • Feature #1040: Suricata should compile with -Werror
  • Feature #1067: memcap for http inside suricata
  • Feature #1086: dns memcap
  • Feature #1093: stream: configurable segment pools
  • Feature #1102: Add a decoder.QinQ stats in stats.log
  • Feature #1105: Detect icmpv6 on ipv4

New in Suricata 2.0 Beta 2 (Dec 19, 2013)

  • Some notable improvements are:
  • This release overhauls the protocol detection feature. It now considers both sides of the connection, and will raise events on mismatches.
  • DNS parser and logger was much improved.
  • Tilera support was greatly improved.
  • Lots of performance and code quality improvements.
  • New features:
  • Feature #234: add option disable/enable individual app layer protocol inspection modules
  • Feature #417: ip fragmentation time out feature in yaml
  • Feature #478: XFF (X-Forwarded-For) support in Unified2
  • Feature #602: availability for http.log output – identical to apache log format
  • Feature #751: Add invalid packet counter
  • Feature #813: VLAN flow support
  • Feature #901: VLAN defrag support
  • Feature #878: add storage api
  • Feature #944: detect nic offloading
  • Feature #956: Implement IPv6 reject
  • Feature #983: Provide rule support for specifying icmpv4 and icmpv6
  • Feature #1008: Optionally have http_uri buffer start with uri path for use in proxied environments
  • Feature #1009: Yaml file inclusion support
  • Feature #1032: profiling: per keyword stats
  • Improvements and Fixes
  • Bug #463: Suricata does not fire on http reply detection if the request is not http
  • Feature #986: set htp request and response size limits
  • Bug #895: response: rst packet bug
  • Feature #940: randomize http body chunks sizes
  • Feature #904: store tx id when generating an alert
  • Feature #752: Improve checksum detection algorithm
  • Feature #746: Decoding API modification
  • Optimization #1018: clean up counters api
  • Bug #907: icmp_seq and icmp_id keywords broken with icmpv6 traffic
  • Bug #967: threshold rule clobbers suppress rules
  • Bug #968: unified2 not logging tagged packets
  • Bug #995: tag keyword: tagging sessions per time is broken

New in Suricata 1.4.7 (Dec 16, 2013)

  • Fixes:
  • Bug #996: tag keyword: tagging sessions per time is broken
  • Bug #1000: delayed detect inits thresholds before de_ctx
  • Bug #1001: ip_rep loading problem with multiple values for a single ip
  • Bug #1022: StreamTcpPseudoPacketSetupHeader : port swap logic isn’t consistent
  • Bug #1047: detect-engine.profile – custom value parsing broken
  • Bug #1063: rule ordering with multiple vars

New in Suricata 1.4.6 (Sep 24, 2013)

  • Fixes:
  • Bug #958: malformed SSL records leading to crash. Reported by Sebastian Roschke. CVE-2013-5919.
  • Bug #971: AC pattern matcher out of bounds memory read.
  • Bug #965: improve negated content handling. Reported by Will Metcalf.
  • Bug #937: fix IPv6-in-IPv6 decoding.
  • Bug #934: improve address parsing.
  • Bug #969: fix unified2 not logging tagged packets.

New in Suricata 1.4.5 (Jul 26, 2013)

  • Fixes:
  • Bug #908: ipv6 extension header parsing issue causing Suricata to hang
  • Bug #906: icmp_seq and icmp_id keyword with icmpv6 traffic FP & FN

New in Suricata 2.0 Beta 1 (Jul 19, 2013)

  • New features:
  • Luajit flow vars and flow ints support (#593)
  • DNS parser, logger and keyword support (#792), funded by Emerging Threats
  • deflate support for HTTP response bodies (#470, #775)
  • Improvements:
  • update to libhtp 0.5 (#775)
  • improved gzip support for HTTP response bodies (#470, #775)
  • redesigned transaction handling, improving both accuracy and performance (#753)
  • redesigned CUDA support (#729)
  • Be sure to always apply verdict to NFQ packet (#769)
  • stream engine: SACK allocs should adhere to memcap (#794)
  • stream: deal with multiple different SYN/ACK’s better (#796)
  • stream: Randomize stream chunk size for raw stream inspection (#804)
  • Introduce per stream thread ssn pool (#519)
  • “pass” IP-only rules should bypass detection engine after matching (#718)
  • Generate error if bpf is used in IPS mode (#777)
  • Add support for batch verdicts in NFQ, thanks to Florian Westphal
  • Update Doxygen config, thanks to Phil Schroeder
  • Improve libnss detection, thanks to Christian Kreibich
  • Fixes:
  • Fix a FP on rules looking for port 0 and fragments (#847), thanks to Rmkml
  • OS X unix socket build fixed (#830)
  • bytetest, bytejump and byteextract negative offset failure (#827)
  • Fix fast.log formatting issues (#771), thanks to Rmkml
  • Invalidate negative depth (#774), thanks to Rmkml
  • Fixed accuracy issues with relative pcre matching (#791)
  • Fix deadlock in flowvar capture code (#802)
  • Improved accuracy of file_data keyword (#817)
  • Fix af-packet ips mode rule processing bug (#819), thanks to Laszlo Madarassy
  • stream: fix injecting pseudo packet too soon leading to FP (#883), thanks to Francis Trudeau

New in Suricata 1.4.4 (Jul 18, 2013)

  • Bug #834: Unix socket - showing as compiled when it is not desired to do so
  • Bug #835: Unix Socket not working as expected
  • Bug #841: configure --enable-unix-socket does not err out if libs/pkgs are not present
  • Bug #846: FP on IP frag and sig use udp port 0, thanks to Rmkml
  • Bug #864: backport packet action macros
  • Bug #876: htp tunnel fix
  • Bug #877: Flowbit check with content doesn't match consistently, thanks to Francis Trudeau

New in Suricata 1.4.3 (Jun 21, 2013)

  • Fixes:
  • Fix missed detection in bytetest, bytejump and byteextract for negative offset (#828)
  • Fix IPS mode being unable to drop tunneled packets (#826)
  • Fix OS X Unix Socket build (#829)

New in Suricata 1.4.2 (Jun 21, 2013)

  • Improvements:
  • No longer force "nocase" to be used on http_host
  • Invalidate rule if uppercase content is used for http_host w/o nocase
  • Warn user if bpf is used in af-packet IPS mode
  • Better test for available libjansson version
  • Fixes:
  • Fixed accuracy issues with relative pcre matching (#784)
  • Improved accuracy of file_data keyword (#788)
  • Invalidate negative depth (#770)
  • Fix http host parsing for IPv6 addresses (#761)
  • Fix fast.log formatting issues (#773)
  • Fixed deadlock in flowvar set code for http buffers (#801)
  • Various signature ordering improvements
  • Minor stream engine fix

New in Suricata 1.4.1 (Mar 8, 2013)

  • New features:
  • GeoIP keyword, allowing matching on Maxmind’s database, contributed by Ignacio Sanchez (#559)
  • Introduce http_host and http_raw_host keywords (#733, #743)
  • Add python module for interacting with unix socket (#767)
  • Add new unix socket commands: fetching config, counters, basic runtime info (#764, #765)
  • Improvements:
  • Big Napatech support update by Matt Keeler
  • Configurable sensor id in unified2 output, contributed by Jake Gionet (#667)
  • FreeBSD IPFW fixes by Nikolay Denev
  • Add “default” interface setting to capture configuration in yaml (#679)
  • Make sure “snaplen” can be set by the user (#680)
  • Improve HTTP URI query string normalization (#739)
  • Improved error reporting in MD5 loading (#693)
  • Improve reference.config parser error reporting (#737)
  • Improve build info output to include all configure options (#738)
  • Fixes:
  • Segfault in TLS parsing reported by Charles Smutz (#725)
  • Fix crash in teredo decoding, reported by Rmkml (#736)
  • fixed UDPv4 packets without checksum being detected as invalid (#760)
  • fixed DCE/SMB parsers getting confused in some fragmented cases (#764)
  • ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#697)
  • FN: IP-only rule ip_proto not matching for some protocols (#689)
  • Fix build failure with other libhtp installs (#688)
  • Fix malformed yaml loading leading to a crash (#694)
  • Various Mac OS X fixes (#700, #701, #703)
  • Fix for autotools on Mac OS X by Jason Ish (#704)
  • Fix AF_PACKET under high load not updating stats (#706)

New in Suricata 1.4 (Dec 14, 2012)

  • New features:
  • Unix socket mode for batched processing of series of pcap (#571, #552) (experimental)
  • Interaction with Suricata via unix socket (#571, #552) (experimental)
  • IP Reputation: loading and matching (#647) (experimental)
  • New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346) (experimental)
  • Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
  • Support for pkt_data keyword was added (#423)
  • Improved --list-keywords commandline option gives detailed info for supported keywords, including doc link (#435)
  • User and group to run as can now be set in the config file
  • Add stream event to match on overlaps with different data in stream reassembly (#603)
  • Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
  • Rules can be set to inspect only IPv4 or IPv6 (#494)
  • Added ability to control per server HTTP parser settings in much more detail (#503)
  • Make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
  • Filesize keyword for matching on sizes of files in HTTP (#489)
  • Custom HTTP logging contributed by Ignacio Sanchez (#530)
  • TLS certificate logging and fingerprint computation and keyword by Jean-Paul Roliers (#443)
  • TLS certificate store to disk feature by Jean-Paul Roliers (#444)
  • AF_PACKET IPS support (#516)
  • NFQ fail open support (#507)
  • PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
  • Support for Napatech cards through their 3rd generation driver was added by Matt Keeler from Npulse (#430, #619)
  • Endace support improved
  • New runmode for users of pcap wrappers (Myricom, PF_RING, others)
  • Improvements:
  • Add contrib directory to the dist (#567)
  • Performance improvements to signatures with dsize option
  • Improved rule analyzer: print fast_pattern along with the rule (#558)
  • Fixes to stream engine reducing the number of events generated (#604)
  • Stream.inline option now defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592)
  • HTTP handling in OOM condition was greatly improved (#557)
  • Filemagic keyword performance was improved (#585)
  • Updated bundled libhtp to 0.2.11
  • Build system improvements and cleanups
  • Live reloads now support HTTP rule updates better (#522)
  • AF_PACKET performance improvements (#197, #415)
  • Make defrag more configurable (#517, #528)
  • Improve pool performance (#518)
  • Improve file inspection keywords by adding a separate API (#531)
  • Example threshold.config file provided (#302)
  • Changes since 1.4rc1:
  • Decoder event matching fixed (#672)
  • Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#665)
  • Add more events for IPv6 extension header anomalies (#678)
  • Fix ICMPv6 payload and checksum calculation (#677, #674)
  • Clean up flow timeout handling (#656)
  • Fix a shutdown bug when using AF_PACKET under high load (#653)
  • Fix TCP sessions being cleaned up too early (#652)

New in Suricata 1.3.5 (Dec 7, 2012)

  • Fixes:
  • Flow engine memory leak fixed by Ludovico Cavedon (#651)
  • Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#664)
  • Flow manager mutex used uninitialized, fixed by Ludovico Cavedon (#654)
  • Windows building in CYGWIN fixed (#630)

New in Suricata 1.4 RC1 (Nov 29, 2012)

  • New features:
  • Interactive unix socket mode (#571, #552)
  • IP Reputation: loading and matching (#647)
  • Improved --list-keywords commandline option gives detailed info for supported keywords, including doc link (#435)
  • Improvements:
  • Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494)
  • User-Agent added to file log and filestore meta files (#629)
  • Endace DAG supports live stats and at exit drop stats (#638)
  • Add support for libhtp event "request port doesn't match tcp port" (#650)
  • Fixes:
  • Rules with negated addresses will not be considered IP-only (#599)
  • Rule reloads complete much faster in low traffic conditions (#526)
  • Suricata -h now displays all available options (#419)
  • Luajit configure time detection was improved (#636)
  • Flow manager mutex used w/o initialization (#628)
  • Cygwin work around for windows shell mangling interface string (#372)
  • Fix a Prelude output crash with alerts generated by rules w/o classtype or msg (#648)
  • CLANG compiler build fixes (#649)
  • Several fixes found by code analyzers

New in Suricata 1.4 Beta 3 (Nov 15, 2012)

  • New features:
  • support for Napatech cards through their 3rd generation driver was added by Matt Keeler from Npulse (#430, #619)
  • support for pkt_data keyword was added
  • user and group to run as can now be set in the config file
  • make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
  • PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
  • add stream event to match on overlaps with different data in stream reassembly (#603)
  • Improvements:
  • add contrib directory to the dist (#567)
  • performance improvements to signatures with dsize option
  • improved rule analyzer: print fast_pattern along with the rule (#558)
  • fixes to stream engine reducing the number of events generated (#604)
  • stream.inline option now defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592)
  • HTTP handling in OOM condition was greatly improved (#557)
  • filemagic keyword performance was improved (#585)
  • updated bundled libhtp to 0.2.11
  • build system improvements and cleanups
  • Fixes:
  • fixes and improvements to daemon mode (#624)
  • fix drop rules not working correctly when thresholded (#613)
  • fixed a possible FP when a regular and "chopped" fast_pattern were the same (#581)
  • fix a false positive condition in http_header (#607)
  • fix inaccuracy in byte_jump keyword when using "from_beginning" option (#627)
  • fixes to rule profiling (#576)
  • cleanups and misc fixes (#379, #395)
  • fix to SSL record parsing

New in Suricata 1.3.4 (Nov 15, 2012)

  • Fixes:
  • fix crash in flow and host engines in cases of low memory or low memcap settings (#617)
  • improve http handling in low memory conditions (#620)
  • fix inaccuracy in byte_jump keyword when using "from_beginning" option (#626)
  • fix building on OpenBSD 5.2
  • update default config's defrag settings to reflect all available options
  • fixes to make check
  • fix to SSL record parsing

New in Suricata 1.3.3 (Nov 2, 2012)

  • Fixes:
  • fix drop rules not working correctly when thresholded (#615)
  • fix a false positive condition in http_header (#606)
  • fix extracted file corruption (#601)
  • fix a false positive condition with the pcre keyword and relative matching (#588)
  • fix PF_RING set cluster problem on dma interfaces (#598)
  • improve http handling in low memory conditions (#586, #587)
  • fix FreeBSD inline mode crash (#612)
  • suppress pcre jit warning (#579)

New in Suricata 1.4 Beta 2 (Oct 5, 2012)

  • New features:
  • New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346)
  • Added ability to control per server HTTP parser settings in much more detail (#503)
  • Improvements:
  • Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540)
  • Big performance improvement in inspecting decoder, stream and app layer events (#555)
  • Pool performance improvements (#541)
  • Improved performance of signatures with simple pattern setups (#577)
  • Bundled docs are installed upon make install (#527)
  • Support for a number of global vs rule thresholds was added (#425)
  • Improved rule profiling performance
  • If no explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded.
  • Fixes:
  • Fix compilation on architectures other than x86 and x86_64 (#572)
  • Fix FP with anchored pcre combined with relative matching (#529)
  • Fix engine hanging instead of exiting if the pcap device doesn't exist (#533)
  • Work around for potential FP, will get properly fixed in next release (#574)
  • Improve ERF handling. Thanks to Jason Ish
  • Always set cluster_id in PF_RING
  • IPFW: fix broken broadcast handling
  • AF_PACKET kernel offset issue, IPS fix and cleanup
  • Fix stream engine sometimes resending the same data to app layer
  • Fix multiple issues in HTTP multipart parsing
  • Fixed a lockup at shutdown with NFQ (#537)

New in Suricata 1.3.2 (Oct 4, 2012)

  • Fixed a possible FP when a regular and "chopped" fast_pattern were the same (#562)
  • Fixed a FN condition with the flow:no_stream option (#575)
  • Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
  • Fix multiple issues in HTTP multipart parsing
  • Fix stream engine sometimes resending the same data to app layer
  • Always set cluster_id in PF_RING
  • Defrag: silence some potentially noisy errors/warnings
  • IPFW: fix broken broadcast handling
  • AF_PACKET kernel offset issue

New in Suricata 1.4 Beta 1 (Sep 7, 2012)

  • Custom HTTP logging contributed by Ignacio Sanchez (#530)
  • TLS certificate logging and fingerprint computation and keyword (#443)
  • TLS certificate store to disk feature (#444)
  • Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
  • AF_PACKET IPS support (#516)
  • Rules can be set to inspect only IPv4 or IPv6 (#494)
  • filesize keyword for matching on sizes of files in HTTP (#489)
  • Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
  • NFQ fail open support (#507)
  • Highly experimental lua scripting support for detection
  • Live reloads now support HTTP rule updates better (#522)
  • AF_PACKET performance improvements (#197, #415)
  • Make defrag more configurable (#517, #528)
  • Improve pool performance (#518)
  • Improve file inspection keywords by adding a separate API (#531)
  • Example threshold.config file provided (#302)
  • Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
  • Various spelling corrections by Simon Moon (#533)

New in Suricata 1.3.1 (Aug 30, 2012)

  • AF_PACKET performance improvements
  • Defrag engine performance improvements
  • HTTP: add per server options to enable/disable double decoding of URI (#464, #504)
  • Stream engine packet handling for packets with non-standard flag combinations (#508)
  • Improved stream engine handling of packet loss (#523)
  • Stream engine checksum alerting fixed
  • Various rule analyzer fixes (#495, #496, #497)
  • (Rule) profiling fixed and improved (#460, #466)
  • Enforce limit on max-pending-packets (#510)
  • fast_pattern on negated content improved
  • TLS rule keyword parsing issues
  • Windows build fixes (#502)
  • Host OS parsing issues fixed (#499)
  • Reject signatures where content length is bigger than "depth" setting (#505)
  • Removed unused "prune-flows" option

New in Suricata 1.3 (Jul 7, 2012)

  • make live rule reloads optional and disabled by default
  • fix a shutdown bug
  • fix several memory leaks (#492)
  • warn user if global and rule thresholding conflict (#455)
  • set thread names on FreeBSD (Nikolay Denev)
  • Fix PF_RING building on Ubuntu 12.04
  • rule analyzer updates
  • file inspection improvements when dealing with limits (#493)

New in Suricata 1.3 RC 1 (Jun 30, 2012)

  • experimental live rule reload by sending a USR2 signal (#279)
  • AF_PACKET BPF support (#449)
  • AF_PACKET live packet loss counters (#441)
  • Rule analyzer (#349)
  • add pcap workers runmode for use with libpcap wrappers that support load balancing, such as Napatech's or Myricom's
  • negated filemd5 matching, allowing for md5 whitelisting
  • signatures with depth and/or offset are now checked against packets in addition to the stream (#404)
  • http_cookie keyword now also inspects "Set-Cookie" header (#479)
  • filemd5 keyword no longer depends on log-file output module (#447)
  • http_raw_header keyword inspects original header line terminators (#475)
  • deal with double encoded URI (#464)
  • improved SMB/SMB2/DCERPC robustness
  • ICMPv6 parsing fixes
  • improve HTTP body inspection
  • stream.inline accuracy issues fixed (#339)
  • general stability fixes (#482, #486)
  • missing unittests added (#471)
  • "threshold.conf not found" error made more clear (#446)
  • IPS mode segment logging for Unified2 improved

New in Suricata 1.3 Beta 2 (Jun 9, 2012)

  • experimental support for matching on large lists of known file MD5 checksums
  • Improved performance for file_data, http_server_body and http_client_body keywords
  • Improvements to HTTP handling: multipart parsing, gzip decompression
  • Byte_extract can support negative offsets now (#445)
  • Support for PF_RING 5.4 added. Many thanks to Chris Wakelin (#459)
  • HOME_NET and EXTERNAL_NET and the other vars are now checked for common errors (#454)
  • Improved error reporting when using too long address strings (#451)
  • MD5 calculation improvements for daemon mode and other cases (#449)
  • File inspection scripts: Added Syslog action for logging to local syslog. Thanks to Martin Holste.
  • Rule parser is made more strict.
  • Unified2 output overhaul, logging individual segments in more cases.
  • detection_filter keyword accuracy problem was fixed (#453)
  • Don't inspect cookie header with http header (#461)
  • Crash with a rule with two byte_extract keywords (#456)
  • SSL parser fixes. Thanks to Chris Wakelin for testing the patches! (#476)
  • Accuracy issues in HTTP inspection fixed. Thanks to Rmkml (#452)
  • Improve escaping of some characters in logs (#418)
  • Checksum calculation bugs fixed
  • IPv6 parsing issues fixed. Thanks to Michel Saborde.
  • Endace DAG issues fixed. Thanks to Jason Ish from Endace.
  • Various OpenBSD related fixes.
  • Fixes for bugs found by Coverity source code analyzer.

New in Suricata 1.3 Beta 1 (Apr 5, 2012)

  • TLS/SSL handshake parser, tls.subjectdn and tls.issuerdn keywords (#296, contributed by Pierre Chifflier)
  • Napatech capture card support (contributed by Randy Caldejon, nPulse)
  • Scripts for looking up files / file md5's at Virus Total and others (contributed by Martin Holste)
  • Test mode: -T option to test the config (#271)
  • Ringbuffer and zero copy support for AF_PACKET
  • Commandline options to list supported app layer protocols and keywords (#344, #414)
  • File extraction for HTTP POST requests that do not use multipart bodies
  • On the fly md5 checksum calculation of extracted files
  • Line based file log, in json format
  • Basic support for including other yaml files into the main yaml
  • New multi pattern engine: ac-bs
  • Profiling improvements, added lock profiling code
  • Improved HTTP CONNECT support in libhtp (#427, Brian Rectanus, Qualys)
  • Unified yaml naming convention, including fallback support (by Nikolay Denev)
  • Improved Endace DAG support (#431, Jason Ish, Endace)
  • New default runmode: "autofp" (#433)
  • Major rewrite of flow engine, improving scalability.
  • Improved http_stat_msg and http_stat_code keywords (#394)
  • Improved scalability for Tag and Threshold subsystems
  • Made the rule keyword parser much stricter in detecting syntax errors
  • Split "file" output into "file-store" and "file-log" outputs
  • Much improved file extraction
  • CUDA build fixes (#421)
  • Various FP's reported by Rmkml (#403, #405, #411)
  • IPv6 decoding and detection issues (reported by Michel Sarborde)
  • PCAP logging crash (#422)
  • Fixed many (potential) issues with the help of the Coverity source code analyzer
  • Fixed several (potential) issues with the help of the cppcheck and clang/scan-build source code analyzers

New in Suricata 1.2.1 (Jan 23, 2012)

  • fix malformed unified2 records when writing alerts triggered by stream inspection (#402)
  • only force a pseudo packet inspection cycle for TCP streams in a state >= established

New in Suricata 1.2 (Jan 20, 2012)

  • improved Windows/CYGWIN path handling (#387)
  • fixed some issues with passing an interface or ip address with -i
  • make live worker runmode threads adhere to the 'detect' cpu affinity settings

New in Suricata 1.2 RC 1 (Jan 12, 2012)

  • app-layer-events keyword: similar to decoder-events and stream-events, this allows matching on HTTP and SMTP events
  • auto detection of checksum offloading per interface (#311)
  • urilen options to match on raw or normalized URI (#341)
  • flow keyword option "only_stream" and "no_stream"
  • unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250)
  • in IPS mode, reject rules now also drop (#399)
  • http_header now also inspects response headers (#389)
  • "worker" runmodes for NFQ and IPFW
  • performance improvement for "ac" pattern matcher
  • allow empty/non-initialized flowints to be incremented
  • PCRE-JIT is now enabled by default if available (#356)
  • many file inspection and extraction improvements
  • flowbits and flowints are now modified in a post-match action list
  • general performance increases
  • fixed parsing really high sid numbers >2 Billion (#393)
  • fixed ICMPv6 not matching in IP-only sigs (#363)

New in Suricata 1.2 Beta 1 (Dec 20, 2011)

  • File name, type inspection and extraction for HTTP
  • filename, fileext, filemagic and filestore keywords added
  • "file" output for storing extracted files to disk
  • file_data keyword support, inspecting normalized, dechunked, decompressed HTTP response body (feature #241)
  • new keyword http_server_body, pcre regex /S option
  • Option to enable/disable core dumping from the suricata.yaml (enabled by default)
  • Human readable size limit settings in suricata.yaml
  • PF_RING bpf support (requires PF_RING >= 5.1) (feature #334)
  • tos keyword support (feature #364)
  • IPFW IPS mode now supports multiple divert sockets
  • New IPS running modes: Linux and FreeBSD now support "worker" and "autofp"
  • Improved alert accuracy in autofp and single runmodes
  • major performance optimizations for the ac-gfbs pattern matcher implementation
  • unified2 output fixes
  • PF_RING supports privilege dropping now (bug #367)
  • Improved detection of duplicate signatures

New in Suricata 1.1.1 (Dec 8, 2011)

  • Fix for an error in the smtp parser that could crash Suricata.
  • Fix for AF_PACKET not compiling on modern Linux systems like Fedora 16.

New in Suricata 1.1 (Nov 12, 2011)

  • CUDA build fixed
  • minor pcap, AF_PACKET and PF_RING fixes (#368)
  • bpf handling fix
  • Windows CYGWIN build
  • more cleanups

New in Suricata 1.1 RC 1 (Nov 5, 2011)

  • New features:
  • extended HTTP request logging for use with (among other things) http_agent for Sguil (#38)
  • AF_PACKET report drop stats on shutdown (#325)
  • new counters in stats.log for flow and stream engines (#348)
  • Improvements:
  • SMTP parsing code support for BDAT command (#347)
  • HTTP URI normalization no longer converts to lowercase (#362)
  • AF_PACKET works with privileges dropping now (#361)
  • Prelude output for state matches (#264, #355)
  • Under the hood:
  • update of the pattern matching code that should improve accuracy
  • rule parser was made more strict (#295, #312)
  • Notable Fixes & Changes:
  • multiple event suppressions for the same SID were fixed (#366)
  • several accuracy fixes
  • removal of the unified1 output plugins (#353)

New in Suricata 1.0.5 (Jul 26, 2011)

  • Fix stream reassembly bug #300. Thanks to Rmkml for the report.
  • Fixed several (potential) issues found by a source code scan with Coverity, generously contributed by RedHat.

New in Suricata 1.0.4 (Jun 25, 2011)

  • LibHTP updated to 0.2.6
  • Large number of (potential) issues fixed after a source code scan with Coverity, generously contributed by RedHat.
  • Large number of (potential) issues fixed after source code scans with the Clang static analyzer.

New in Suricata 1.1 Beta 2 (Apr 13, 2011)

  • New features
  • New keyword support: http_raw_uri (including /I for pcre), ssl_state, ssl_version (#258, #259, #260, #262).
  • Inline mode for the stream engine (#230, #248).
  • New keyword support: nfq_set_mark
  • Included an example decoder-events.rules file
  • api for adding and selecting runmodes was added
  • pcap logging / recording output was added
  • basic SCTP protocol parsing was added
  • more fine grained CPU affinity setting support was added
  • Improvements
  • stream engine inspects stream in larger chunks
  • fast_pattern support for http_method content modifier (#255)
  • negation support for isdataat keyword (#257)
  • configurable interval for stats.log updates (#247)
  • new pf_ring runmode was added that scales better
  • pcap live mode now handles the monitor interface going up and down
  • several QA additions to "make check"
  • NFQ (linux inline) mode was improved
  • Fixes
  • Alerts classification fix (#275)
  • compiles and runs on big-endian systems (#63)
  • unified2 output works around barnyard2 issues with DLT_RAW + IPv6

New in Suricata 0.9.1 (May 27, 2010)

  • New features:
  • support for the asn1 keyword added
  • support for reading of ERF files added
  • basic rule profiling functionality added
  • ssl2/ssl3 app layer support added
  • detection engine was made partly stateful
  • Improvements:
  • multiple regressions in the detection engine causing false negatives were fixed
  • many accuracy and stability improvements were made
  • icmp handling in the flow engine was improved