What's new in Suricata 6.0.5
Jul 8, 2022
- Notable Changes:
- LibHTP has been updated to 0.5.40. This is a required version that is bundled with both releases.
- Suricata-Update, as bundled with 6.0.5, was updated to 1.2.4.
- Various security, performance, accuracy and stability issues have been fixed.
New in Suricata 6.0.4 (Apr 21, 2022)
- Various security, performance, accuracy and stability issues have been fixed.
New in Suricata 6.0.3 (Nov 16, 2021)
- Security #4420: Heap-use-after-free READ 8 · JsonDNP3LoggerToClient
- Security #4455: Buffer overread in SMTP SMTPParseCommandBDAT
- Security #4458: Rust panic in suricata::dcerpc::detect::handle_input_data (buffer overread)
- Security #4483: heap-buffer-overflow WRITE in InspectionBufferSetup with use of InspectionBufferGetMulti
- Security #4512: Evasion possibility on wrong/unexpected ACK value in crafted SYN packets
- Feature #4489: decode: add VNTAG decoder (6.0.x)
- Feature #4501: http2: body compression handling (6.0.x)
- Bug #4405: 6.0.x: eve/mqtt: mqtt logging crashes when eve is multithreaded
- Bug #4411: eve.drop: alerts option logs lowest priority alert
- Bug #4413: segv in ApplyToU8Hash
- Bug #4415: threshold: slow startup on threshold.config with many addresses in suppression
- Bug #4416: apparent 1000 character limit in threshold.conf IP lists
- Bug #4417: Panic in Rust HTTP2 dynamic headers table eviction
- Bug #4419: detect: "drop" on protocol detect only rule doesn't drop flow
- Bug #4423: Applayer Mismatch protocol both directions for kerberos AS-REQ/KDC_ERR_PREAUTH_REQUIRED exchange
- Bug #4441: 6.0.x: dns: high resource usage on long lived dns connections
- Bug #4443: 6.0.x: build: Build failure on FreeBSD
- Bug #4450: Properly set the ICMP emergency-bypassed value
- Bug #4452: ipv6 & ftp & passive mode & error
- Bug #4453: Null-dereference in HTTP2MimicHttp1Request in midstream
- Bug #4459: threaded eve: files not closed on deinitialization
- Bug #4461: ftp: Memory leak with duplicate FTP expectation
- Bug #4463: Incorrect AppLayerResult::incomplete for RDP
- Bug #4465: ftp: "g_expectation_data_id" and "g_expectation_id" in AppLayerExpectationHandle function
- Bug #4470: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode
- Bug #4471: Duplicate alert record in eve log when using unix-socket mode
- Bug #4484: Infinite loops in when using InspectionBufferMultipleForList
- Bug #4487: Timeout in ftp parsing rs_ftp_active_eprt
- Bug #4510: Incorrect flags in Rust
- Bug #4518: Buffer overflow in "by_rule" threshold context
- Bug #4531: segv with --set cmdline option if incorrect key is provided
- Bug #4535: Timeout in ikev2 parsing
- Bug #4538: modbus: Memory leak in signature parsing with pcre
- Bug #4545: SWF decompression overread
New in Suricata 6.0.1 (Dec 14, 2020)
- http2: support file inspection API #4121
- fixed:
- Bug #1275: ET Rule 2003927 not matchin in suricata Actions
- Bug #3467: Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode Actions
- Bug #3616: strip_whitespace causes FN Actions
- Bug #3726: Segmentation fault on rule reload when using libmagic Actions
- Bug #3856: dcerpc: last response packet not logged Actions
- Bug #3924: asan leak htp_connp_create Actions
- Bug #3925: dcerpc: crash in eve logging Actions
- Bug #3930: Out of memory from THashInitConfig called by DetectDatasetSetup Actions
- Bug #3994: SIGABRT TCPProtoDetectCheckBailConditions Actions
- Bug #4018: Napatech: Double release of packet possible in certain error cases. Actions
- Bug #4069: dcerpc: fix UDP transaction handling, free_tx, etc Actions
- Bug #4071: Null dereference in ipv4hdr GetData Actions
- Bug #4072: ssl: Integer underflow in SSL parser Actions
- Bug #4073: Protocol detection evasion by packet splitting on enip/SMB Actions
- Bug #4074: Timeout while loading many rules with keyword ssl_version Actions
- Bug #4076: http2: Memory leak when parsing signature with filestore Actions
- Bug #4085: Assertion from AdjustToAcked Actions
- Bug #4086: dns: memory leak in v1 dns eve logging Actions
- Bug #4090: icmpv4: header handling issue(s) Actions
- Bug #4091: byte_math: Offset is a signed value Actions
- Bug #4094: AddressSanitizer: dynamic-stack-buffer-overflow (util-crypt) Actions
- Bug #4100: ftp: Quadratic complexity in FTPGetOldestTx may lead to DOS Actions
- Bug #4109: mac address logging crash Actions
- Bug #4110: http: LibHTP wrong protocol with content duplication Actions
- Bug #4111: dnp3: DOS in long loop of zero sized objects Actions
- Bug #4120: http2: null ptr deref in http2 alert metadata Actions
- Bug #4124: dcerpc: UDP request response pair match is incorrect Actions
- Bug #4155: dnp3: memory leak when parsing objects with bytearrays Actions
- Bug #4156: dnp3: signed integer overflow Actions
- Bug #4158: PacketCopyData sets packet length even on failure Actions
- Bug #4173: dnp3: SV tests fail on big endian Actions
- Bug #4177: Rustc nightly warning getting the inner pointer of a temporary `CString` Actions
- Feature #2689: http: Normalized HTTP client body buffer Actions
- Feature #4121: http2: support file inspection API Actions
- Optimization #4114: Optmize Rust logging macros: SCLogInfo, SCLogDebug and friends Actions
- Task #4137: deprecate: eve.dns v1 record support Actions
- Task #4180: libhtp 0.5.36
New in Suricata 6.0.0 Beta 1 (Aug 25, 2020)
- Major changes:
- initial HTTP/2 support
- DCERPC logging
- much improved EVE logging performance
- RFB and MQTT protocol support, including detection and logging
- HASSH support
- conditional logging
New in Suricata 5.0.3 (May 12, 2020)
- Feature #3481: GRE ERSPAN Type 1 Support
- Feature #3613: Teredo port configuration
- Feature #3673: datasets: add ‘dataset-remove’ unix command
- Bug #3240: Dataset hash-size or prealloc invalid value logging
- Bug #3241: Dataset reputation invalid value logging
- Bug #3342: Suricata 5.0 crashes while parsing SMB data
- Bug #3450: signature with sticky buffer with subsequent pcre check in a different buffer loads but will never match
- Bug #3491: Backport 5 BUG_ON(strcasecmp(str, “any”) in DetectAddressParseString
- Bug #3507: rule parsing: memory leaks
- Bug #3526: 5.0.x Kerberos vulnerable to TCP splitting evasion
- Bug #3534: Skip over ERF_TYPE_META records
- Bug #3552: file logging: complete files sometimes marked ‘TRUNCATED’
- Bug #3571: rust: smb compile warnings
- Bug #3573: TCP Fast Open – Bypass of stateless alerts
- Bug #3574: Behavior for tcp fastopen
- Bug #3576: Segfault when facing malformed SNMP rules
- Bug #3577: SIP: Input not parsed when header values contain trailing spaces
- Bug #3580: Faulty signature with two threshold keywords does not generate an error and never match
- Bug #3582: random failures on sip and http-evader suricata-verify tests
- Bug #3585: htp: asan issue
- Bug #3592: Segfault on SMTP TLS
- Bug #3598: rules: memory leaks in pktvar keyword
- Bug #3600: rules: bad address block leads to stack exhaustion
- Bug #3602: rules: crash on ‘internal’-only keywords
- Bug #3604: rules: missing ‘consumption’ of transforms before pkt_data would lead to crash
- Bug #3606: rules: minor memory leak involving pcre_get_substring
- Bug #3609: ssl/tls: ASAN issue in SSLv3ParseHandshakeType
- Bug #3610: defrag: asan issue
- Bug #3612: rules/bsize: memory issue during parsing
- Bug #3614: build-info and configure wrongly display libnss status
- Bug #3644: Invalid memory read on malformed rule with Lua script
- Bug #3646: rules: memory leaks on failed rules
- Bug #3649: CIDR Parsing Issue
- Bug #3651: FTP response buffering against TCP stream
- Bug #3653: Recursion stack-overflow in parsing YAML configuration
- Bug #3660: Multiple DetectEngineReload and bad insertion into linked list lead to buffer overflow
- Bug #3665: FTP: Incorrect ftp_memuse calculation.
- Bug #3667: Signature with an IP range creates one IPOnlyCIDRItem by signe IP address
- Bug #3669: Rules reload with Napatech can hang Suricata UNIX manager process
- Bug #3672: coverity: data directory handling issues
- Bug #3674: Protocol detection evasion by packet splitting
- Optimization #3406: filestore rules are loaded without warning when filestore is not enabled
- Task #3478: libhtp 0.5.33
- Task #3514: SMTP should place restraints on variable length items (e.g., filenames)
- Documentation #3543: doc: add ipv4.hdr and ipv6.hdr
- Bundled libhtp 0.5.33
- Bundled Suricata-Update 1.1.2
New in Suricata 5.0 (Dec 19, 2019)
- The ET 5.0 ruleset use a different classification scheme. Suricata 5.0 will issue warnings if rules use an unknown classtype. Update your classification.config from the one Suricata 5.0 ships or the ET ruleset version to suppress these warnings.
- If JA3 is enabled in the Suricata configuration (or not specified), the ET5 JA3 rules will be enabled by Suricata-Update. These rules have been quite noisy in the past. If they are alerting too frequently, the rules can be disabled in Suricata-Update.
New in Suricata 4.1.4.1 (May 30, 2019)
- Changes:
- Bug #2870: pcap logging with lz4 coverity warning
- Bug #2883: ssh: heap buffer overflow
- Bug #2884: mpls: heapbuffer overflow in file decode-mpls.c
- Bug #2887: decode-ethernet: heapbuffer overflow in file decode-ethernet.c
- Bug #2888: 4.1.3 core in HCBDCreateSpace
- Bug #2894: smb 1 create andx request does not parse the filename correctly
- Bug #2902: rust/dhcp: panic in dhcp parser
- Bug #2903: mpls: cast of misaligned data leads to undefined behavior
- Bug #2904: rust/ftp: panic in ftp parser
- Bug #2943: rust/nfs: integer underflow
- This release includes Suricata-Update 1.0.5
New in Suricata 4.0.4.1 (Mar 22, 2018)
- Security:
- CVE-2018-6794 was requested for issue #2440
- Changes:
- Bug #2306: suricata 4 deadlocks during failed output log reopening
- Bug #2361: rule reload hangup
- Bug #2389: BUG_ON asserts in AppLayerIncFlowCounter (4.0.x)
- Bug #2392: libhtp 0.5.26 (4.0.x)
- Bug #2422: [4.0.3] af_packet: a leak that (possibly) breaks an inline channel
- Bug #2438: various config parsing issues
- Bug #2439: Fix timestamp offline when pcap timestamp is zero (4.0.x)
- Bug #2440: stream engine bypass issue (4.0.x)
- Bug #2441: der parser: bad input consumes cpu and memory (4.0.x)
- Bug #2443: DNP3 memcpy buffer overflow (4.0.x)
- Bug #2444: rust/dns: Core Dump with malformed traffic (4.0.x)
- Bug #2445: http bodies / file_data: thread space creation writing out of bounds
New in Suricata 3.2.1 (Feb 15, 2017)
- Changes you can expect from this new release include:
- Feature #1830: support ‘tag’ in eve log
- Feature #1870: make logged flow_id more unique
- Feature #1874: support Cisco Fabric Path / DCE
- Feature #1885: eve: add option to log all dropped packets
- Feature #1886: dns: output filtering
- Bug #1849: ICMPv6 incorrect checksum alert if Ethernet FCS is present
- Bug #1853: fix dce_stub_data buffer
- Bug #1854: unified2: logging of tagged packets not working
- Bug #1856: PCAP mode device not found
- Bug #1858: Lots of TCP ‘duplicated option/DNS malformed request data’
- after upgrading from 3.0.1 to 3.1.1
- Bug #1878: dns: crash while logging sshfp records
- Bug #1880: icmpv4 error packets can lead to missed detection in tcp/udp
- Bug #1884: libhtp 0.5.22
New in Suricata 3.2 (Jan 31, 2017)
- Feature #1830: support ‘tag’ in eve log
- Feature #1870: make logged flow_id more unique
- Feature #1874: support Cisco Fabric Path / DCE
- Feature #1885: eve: add option to log all dropped packets
- Feature #1886: dns: output filtering
- Bug #1849: ICMPv6 incorrect checksum alert if Ethernet FCS is present
- Bug #1853: fix dce_stub_data buffer
- Bug #1854: unified2: logging of tagged packets not working
- Bug #1856: PCAP mode device not found
- Bug #1858: Lots of TCP ‘duplicated option/DNS malformed request data’
- after upgrading from 3.0.1 to 3.1.1
- Bug #1878: dns: crash while logging sshfp records
- Bug #1880: icmpv4 error packets can lead to missed detection in tcp/udp
- Bug #1884: libhtp 0.5.22
New in Suricata 3.1 (Jul 1, 2016)
- Bug #1589: Cannot run nfq in workers mode
- Bug #1804: yaml: legacy detect-engine parsing custom values broken
New in Suricata 3.0.1 (Apr 5, 2016)
- fixes for multiple stability issues
- many memory leak fixes
- Hyperscan MPM support (experimental)
New in Suricata 2.0.8 (May 9, 2015)
- Changes:
- Bug #1450: tls parsing issue
- Bug #1460: pcap parsing issue
- Bug #1461: potential deadlock
- Bug #1404: Alert-Debuglog not being rotated on SIGHUP
- Bug #1420: inverted matching on incomplete session
- Bug #1462: various issues in rule and yaml parsing
- Security:
- The TLS/DER parsing issue has CVE-2015-0971 assigned to it.
New in Suricata 2.0.7 (Mar 5, 2015)
- Changes:
- Bug #1385: DCERPC traffic parsing issue
- Bug #1391: http uri parsing issue
- Bug #1383: tcp midstream window issue
- Bug #1318: A thread-sync issue in streamTCP
- Bug #1375: Regressions in list keywords option
- Bug #1387: pcap-file hangs on systems w/o atomics support
- Bug #1395: dump-counters unix socket command failure
- Optimization #1376: file list is not cleaned up
- Security:
- The DCERPC parsing issue has CVE-2015-0928 assigned to it.
New in Suricata 2.0.6 (Jan 21, 2015)
- Changes:
- Bug #1364: evasion issues
- Bug #1337: output-json: duplicate logging
- Bug #1325: tls detection leads to tcp stream reassembly sequence gaps (IPS)
- Bug #1192: Suricata does not compile on OS X/Clang due to redefinition of string functions
- Bug #1183: pcap: cppcheck warning
New in Suricata 2.1 Beta 2 (Dec 30, 2014)
- New Features:
- Feature #549: Extract file attachments from emails
- Feature #1312: Lua output support
- Feature #899: MPLS over Ethernet support
- Feature #383: Stream logging
- Improvements:
- Feature #1263: Lua: Access to Stream Payloads
- Feature #1264: Lua: access to TCP quad / Flow Tuple
- Feature #707: ip reputation files – network range inclusion availability (cidr)
- Bugs:
- Bug #1048: PF_RING/DNA config – suricata.yaml
- Bug #1230: byte_extract, within combination not working
- Bug #1257: Flow switch is missing from the eve-log section in suricata.yaml
- Bug #1259: AF_PACKET IPS is broken in 2.1beta1
- Bug #1260: flow logging at shutdown broken
- Bug #1279: BUG: NULL pointer dereference when suricata was debug mode.
- Bug #1280: BUG: IPv6 address vars issue
- Bug #1285: Lua – http.request_line not working (2.1)
- Bug #1287: Lua Output has dependency on eve-log:http
- Bug #1288: Filestore keyword in wrong place will cause entire rule not to trigger
- Bug #1294: Configure doesn’t use –with-libpcap-libraries when testing PF_RING library
- Bug #1301: suricata yaml – PF_RING load balance per hash option
- Bug #1308: http_header keyword not matching when SYN|ACK and ACK missing (master)
- Bug #1311: EVE output Unix domain socket not working (2.1)
New in Suricata 2.0.5 (Dec 30, 2014)
- Changes:
- Bug #1190: http_header keyword not matching when SYN|ACK and ACK missing
- Bug #1246: EVE output Unix domain socket not working
- Bug #1272: Segfault in libhtp 0.5.15
- Bug #1298: Filestore keyword parsing issue
- Bug #1303: improve stream ‘bad window update’ detection
- Bug #1304: improve stream handling of bad SACK values
- Bug #1305: fix tcp session reuse for ssh/ssl sessions
- Bug #1307: byte_extract, within combination not working
- Bug #1326: pcre pkt/flowvar capture broken for non-relative matches
- Bug #1329: Invalid rule being processed and loaded
- Bug #1330: Flow memuse bookkeeping error (2.0.x)
New in Suricata 2.1 Beta 1 (Sep 29, 2014)
- New Features:
- Feature #1248: flow/connection logging
- Feature #1155 & #1208: Log packet payloads in eve alerts
- Improvements:
- Optimization #1039: Packetpool should be a stack
- Optimization #1241: pcap recording: record per thread
- Feature #1258: json: include HTTP info with Alert output
- AC matcher start up optimizations
- BM matcher runtime optimizations
- Removals:
- pcapinfo’ output was removed. Suriwire now works with the JSON ‘eve’ output
New in Suricata 2.0.4 (Sep 29, 2014)
- Bug #1276: ipv6 defrag issue with routing headers
- Bug #1278: ssh banner parser issue
- Bug #1254: sig parsing crash on malformed rev keyword
- Bug #1267: issue with ipv6 logging
- Bug #1273: Lua – http.request_line not working
- Bug #1284: AF_PACKET IPS mode not logging drops and stream inline issue
New in Suricata 2.0.3 (Aug 26, 2014)
- Changes
- Bug #1236: fix potential crash in http parsing
- Bug #1244: ipv6 defrag issue
- Bug #1238: Possible evasion in stream-tcp-reassemble.c
- Bug #1221: lowercase conversion table missing last value
- Support #1207: Cannot compile on CentOS 5 x64 with –enable-profiling
- Updated bundled libhtp to 0.5.15
New in Suricata 2.0.2 (Jul 11, 2014)
- Notable changes:
- IP defrag issue leading to evasion. Bug discovered by Antonios Atlasis working with ERNW GmbH
- Support for NFLOG as a capture method. Nice work by Giuseppe Longo
- DNS TXT parsing and logging. Funded by Emerging Threats
- Log rotation through SIGHUP. Created by Jason Ish of Endace/Emulex
- All closed tickets:
- Feature #781: IDS using NFLOG iptables target
- Feature #1158: Parser DNS TXT data parsing and logging
- Feature #1197: liblua support
- Feature #1200: sighup for log rotation
- Bug #1098: http_raw_uri with relative pcre parsing issue
- Bug #1175: unix socket: valgrind warning
- Bug #1189: abort() in 2.0dev (rev 6fbb955) with pf_ring 5.6.3
- Bug #1195: nflog: cppcheck reports memleaks
- Bug #1206: ZC pf_ring not working with Suricata 2.0.1 (or latest git)
- Bug #1211: defrag issue
- Bug #1212: core dump (after a while) when app-layer.protocols.http.enabled = yes
- Bug #1214: Global Thresholds (sig_id 0, gid_id 0) not applied correctly if a signature has event vars
- Bug #1217: Segfault in unix-manager.c line 529 when using –unix-socket and sending pcap files to be analized via socket
New in Suricata 2.0.1 (May 21, 2014)
- Notable changes:
- OpenSSL Heartbleed detection. Thanks to Pierre Chifflier and Will Metcalf
- Fixed Unix Socket runmode
- Fixed AF_PACKET IPS support
- All closed tickets:
- Feature #1157: Always create pid file if –pidfile command line option is provided
- Feature #1173: tls: OpenSSL heartbleed detection
- Bug #978: clean up app layer parser thread local storage
- Bug #1064: Lack of Thread Deinitialization For Decoder Modules
- Bug #1101: Segmentation in AppLayerParserGetTxCnt
- Bug #1136: negated app-layer-protocol FP on multi-TX flows
- Bug #1141: dns response parsing issue
- Bug #1142: dns tcp toclient protocol detection
- Bug #1143: tls protocol detection in case of tls-alert
- Bug #1144: icmpv6: unknown type events for MLD_* types
- Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
- Bug #1146: tls: event on ‘new session ticket’ in handshake
- Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
- Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
- Bug #1161: eve: src and dst mixed up in some cases
- Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
- Bug #1163: HTP Segfault
- Bug #1165: af_packet – one thread consistently not working
- Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
- Bug #1176: AF_PACKET IPS mode is broken in 2.0
- Bug #1177: eve log do not show action ‘dropped’ just ‘allowed’
- Bug #1180: Possible problem in stream tracking
New in Suricata 2.0.1 RC 1 (May 15, 2014)
- Notable changes:
- OpenSSL Heartbleed detection. Thanks to Pierre Chifflier and Will Metcalf
- Fixed Unix Socket runmode
- Fixed AF_PACKET IPS support
- All closed tickets:
- Feature #1157: Always create pid file if –pidfile command line option is provided
- Feature #1173: tls: OpenSSL heartbleed detection
- Bug #978: clean up app layer parser thread local storage
- Bug #1064: Lack of Thread Deinitialization For Decoder Modules
- Bug #1101: Segmentation in AppLayerParserGetTxCnt
- Bug #1136: negated app-layer-protocol FP on multi-TX flows
- Bug #1141: dns response parsing issue
- Bug #1142: dns tcp toclient protocol detection
- Bug #1143: tls protocol detection in case of tls-alert
- Bug #1144: icmpv6: unknown type events for MLD_* types
- Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
- Bug #1146: tls: event on ‘new session ticket’ in handshake
- Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
- Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
- Bug #1161: eve: src and dst mixed up in some cases
- Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
- Bug #1163: HTP Segfault
- Bug #1165: af_packet – one thread consistently not working
- Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
- Bug #1176: AF_PACKET IPS mode is broken in 2.0
- Bug #1177: eve log do not show action ‘dropped’ just ‘allowed’
- Bug #1180: Possible problem in stream tracking
New in Suricata 2.0 RC 3 (Mar 20, 2014)
- Bug #1127: logstash & suricata parsing issue
- Bug #1128: Segmentation fault – live rule reload
- Bug #1129: pfring cluster & ring initialization
- Bug #1130: af-packet flow balancing problems
- Bug #1131: eve-log: missing user agent reported inconsistently
- Bug #1133: eve-log: http depends on regular http log
- Bug #1135: 2.0rc2 release doesn’t set optimization flag on GCC
- Bug #1138: alert fastlog drop info missing
New in Suricata 2.0 RC 2 (Mar 10, 2014)
- Notable changes
- eve-log is now enabled by default
- SSH parser is re-enabled
- SSH logging was added to ‘eve-log’
- bundled libhtp was updated to 0.5.10
- Fixes:
- Add VLAN tag ID to all outputs
- Add QinQ tag ID to all outputs
- Introduce SSH log
- app-layer protocols http memcap – info in verbose mode (-v)
- restore SSH protocol detection and parser
- fp: rule with ports matching on portless proto
- default config generates rule warnings and errors
- 1.4.6: conf_filename not checked before use
- SMTP: move depends on uninitialised value
- FTP: Memory Leak
- TLS-Handshake: Uninitialized value
- HTTP: Memory Leak
- suricata.yaml config parameter – segfault
- PF_RING vlan handling
- Can have the same Pattern ID (pid) for the same pattern but different case flags
- capture stats at exit incorrect
- tls-events.rules file missing
- nfq: exit stats not working
- segv with pfring/afpacket and eve-log enabled
- crash in eve-log
- ipfw build broken
New in Suricata 2.0 RC 1 (Feb 17, 2014)
- Notable changes:
- unified JSON output for almost all log types (eve-log). Written by Tom Decanio of nPulse Technologies
- QinQ VLAN handling
- Alerting over PCIe bus (Tilera only), by Ken Steel of Tilera
- Add –set commandline option to override any YAML option, by Jason Ish of Emulex
- Various scalability improvements, clean ups and fixes by Ken Steel of Tilera
- ICMPv6 handling improvements by Jason Ish of Emulex
- memcaps for DNS and HTTP handling were added
- Several fixes and improvements of AF_PACKET and PF_RING
- NSM runmode, where detection engine is disabled. Development supported by nPulse Technologies
- Fixes:
- App layer registration cleanup – Support specifying same alproto names in rules for different ip protocols
- TLS JSON output
- case insensitive fileext match
- JSON output for alerts
- QinQ tag flow support
- clean up output
- Override conf parameters
- united output
- Suricata should compile with -Werror
- memcap for http inside suricata
- dns memcap
- stream: configurable segment pools
- Add a decoder.QinQ stats in stats.log
- Detect icmpv6 on ipv4
- http events alert multiple times
- VLAN decoder stats with AF Packet get written to the first thread only – stats.log
- memory leak in http buffers at shutdown
- format string issues with size_t + qa not catching them
- Segmentation fault in 2.0beta2: Custom HTTP log segmentation fault
- radix tree lookups are not thread safe
- CUDA 5.5 doesn’t compile with 2.0 beta 2
- Err loading rules with variables that contain negated content.
- segfault – 2.0dev (rev 6e389a1)
- 100% CPU utilization with suricata 2.0 beta2+
- af-packet vlan handling is broken
- stats.log not incrementing decoder.ipv4/6 stats when reading in QinQ packets
- vlan tagged fragmentation
- Git compile fails on Ubuntu Lucid
- flow timeout causes decoders to run on pseudo packets
New in Suricata 2.0 Beta 2 (Dec 23, 2013)
- New features:
- Feature #234: add option disable/enable individual app layer protocol inspection modules
- Feature #417: ip fragmentation time out feature in yaml
- Feature #478: XFF (X-Forwarded-For) support in Unified2
- Feature #602: availability for http.log output – identical to apache log format
- Feature #751: Add invalid packet counter
- Feature #813: VLAN flow support
- Feature #901: VLAN defrag support
- Feature #878: add storage api
- Feature #944: detect nic offloading
- Feature #956: Implement IPv6 reject
- Feature #983: Provide rule support for specifying icmpv4 and icmpv6
- Feature #1008: Optionally have http_uri buffer start with uri path for use in proxied environments
- Feature #1009: Yaml file inclusion support
- Feature #1032: profiling: per keyword stats
- Improvements and Fixes:
- Bug #463: Suricata not fire on http reply detect if request are not http
- Feature #986: set htp request and response size limits
- Bug #895: response: rst packet bug
- Feature #940: randomize http body chunks sizes
- Feature #904: store tx id when generating an alert
- Feature #752: Improve checksum detection algorithm
- Feature #746: Decoding API modification
- Optimization #1018: clean up counters api
- Bug #907: icmp_seq and icmp_id keywords broken with icmpv6 traffic
- Bug #967: threshold rule clobbers suppress rules
- Bug #968: unified2 not logging tagged packets
- Bug #995: tag keyword: tagging sessions per time is broken
New in Suricata 1.4.7 (Dec 17, 2013)
- Fixes:
- Bug #996: tag keyword: tagging sessions per time is broken
- Bug #1000: delayed detect inits thresholds before de_ctx
- Bug #1001: ip_rep loading problem with multiple values for a single ip
- Bug #1022: StreamTcpPseudoPacketSetupHeader : port swap logic isn’t consistent
- Bug #1047: detect-engine.profile – custom value parsing broken
- Bug #1063: rule ordering with multiple vars
New in Suricata 1.4.6 (Sep 30, 2013)
- Bug 958: malformed SSL records leading to crash. Reported by Sebastian Roschke. CVE-2013-5919.
- Bug 971: AC pattern matcher out of bounds memory read.
- Bug 965: improve negated content handling. Reported by Will Metcalf.
- Bug 937: fix IPv6-in-IPv6 decoding.
- Bug 934: improve address parsing.
- Bug 969: fix unified2 not logging tagged packets.
New in Suricata 2.0 Beta 1 (Aug 5, 2013)
- New features:
- Luajit flow vars and flow ints support
- DNS parser, logger and keyword support
- deflate support for HTTP response bodies
- Improvements:
- update to libhtp 0.5
- improved gzip support for HTTP response bodies
- redesigned transaction handling, improving both accuracy and performance
- redesigned CUDA support
- Be sure to always apply verdict to NFQ packet
- stream engine: SACK allocs should adhere to memcap
- stream: deal with multiple different SYN/ACK’s better
- stream: Randomize stream chunk size for raw stream inspection
- Introduce per stream thread ssn pool
- pass” IP-only rules should bypass detection engine after matching
- Generate error if bpf is used in IPS mode
- Add support for batch verdicts in NFQ
- Update Doxygen config
- Improve libnss detection
- Fixes:
- Fix a FP on rules looking for port 0 and fragments
- OS X unix socket build fixed
- bytetest, bytejump and byteextract negative offset failure
- Fix fast.log formatting issues
- Invalidate negative depth
- Fixed accuracy issues with relative pcre matching
- Fix deadlock in flowvar capture code
- Improved accuracy of file_data keyword
- Fix af-packet ips mode rule processing bug
- stream: fix injecting pseudo packet too soon leading to FP
New in Suricata 1.4.5 (Aug 5, 2013)
- ipv6 extension header parsing issue causing Suricata to hang
- icmp_seq and icmp_id keyword with icmpv6 traffic FP & FN
New in Suricata 1.4.4 (Jul 20, 2013)
- Fixes:
- Unix socket – showing as compiled when it is not desired to do so
- configure –enable-unix-socket does not err out if libs/pkgs are not present
- FP on IP frag and sig using udp port 0, thanks to Rmkml
- fix pass action not working correctly in all cases, thanks Kevin Branch
- http connect tunnel crash fixed
- Flowbit check with content doesn’t match consistently, thanks to Francis Trudeau
New in Suricata 1.4.3-1 (Jun 25, 2013)
- Fixes:
- Fix missed detection in bytetest, bytejump and byteextract for negative offset (#828)
- Fix IPS mode being unable to drop tunneled packets (#826)
New in Suricata 1.4.2-2 (Jun 5, 2013)
- Improvements:
- No longer force "nocase" to be used on http_host
- Invalidate rule if uppercase content is used for http_host w/o nocase
- Warn user if bpf is used in af-packet IPS mode
- Better test for available libjansson version
- Fixes:
- Fixed accuracy issues with relative pcre matching (#784)
- Improved accuracy of file_data keyword (#788)
- Invalidate negative depth (#770)
- Fix http host parsing for IPv6 addresses (#761)
- Fix fast.log formatting issues (#773)
- Fixed deadlock in flowvar set code for http buffers (#801)
- Various signature ordering improvements
- Minor stream engine fix
New in Suricata 1.4.1-1 (Mar 14, 2013)
- New features:
- GeoIP keyword, allowing matching on Maxmind’s database, contributed by Ignacio Sanchez (#559)
- Introduce http_host and http_raw_host keywords (#733, #743)
- Add python module for interacting with unix socket (#767)
- Add new unix socket commands: fetching config, counters, basic runtime info (#764, #765)
- Improvements:
- Big Napatech support update by Matt Keeler
- Configurable sensor id in unified2 output, contributed by Jake Gionet (#667)
- FreeBSD IPFW fixes by Nikolay Denev
- Add “default” interface setting to capture configuration in yaml (#679)
- Make sure “snaplen” can be set by the user (#680)
- Improve HTTP URI query string normalization (#739)
- Improved error reporting in MD5 loading (#693)
- Improve reference.config parser error reporting (#737)
- Improve build info output to include all configure options (#738)
- Fixes:
- Segfault in TLS parsing reported by Charles Smutz (#725)
- Fix crash in teredo decoding, reported by Rmkml (#736)
- fixed UDPv4 packets without checksum being detected as invalid (#760)
- fixed DCE/SMB parsers getting confused in some fragmented cases (#764)
- parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#697)
- FN: IP-only rule ip_proto not matching for some protocols (#689)
- Fix build failure with other libhtp installs (#688)
- Fix malformed yaml loading leading to a crash (#694)
- Various Mac OS X fixes (#700, #701, #703)
- Fix for autotools on Mac OS X by Jason Ish (#704)
- Fix AF_PACKET under high load not updating stats (#706)
New in Suricata 1.4-1 (Dec 17, 2012)
- New features:
- Unix socket mode for batched processing of series of pcap (#571, #552) (experimental)
- Interaction with Suricata via uix socket (#571, #552) (experimental)
- IP Reputation: loading and matching (#647) (experimental)
- New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346) (experimental)
- Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
- Support for pkt_data keyword was added (#423)
- Improved --list-keywords commandline option gives detailed info for supported keyword, including doc link (#435)
- User and group to run as can now be set in the config file
- Add stream event to match on overlaps with different data in stream reassembly (#603)
- Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
- Rules can be set to inspect only IPv4 or IPv6 (#494)
- Added ability to control per server HTTP parser settings in much more detail (#503)
- Make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
- Filesize keyword for matching on sizes of files in HTTP (#489)
- Custom HTTP logging contributed by Ignacio Sanchez (#530)
- TLS certificate logging and fingerprint computation and keyword by Jean-Paul Roliers (#443)
- TLS certificate store to disk feature Jean-Paul Roliers (#444)
- AF_PACKET IPS support (#516)
- NFQ fail open support (#507)
- PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
- Support for Napatech cards through their 3rd generation driver was added by Matt Keeler from Npulse (#430, #619)
- Endace support improved
- New runmode for users of pcap wrappers (Myricom, PF_RING, others)
- Improvements:
- Add contrib directory to the dist (#567)
- Performance improvements to signatures with dsize option
- Improved rule analyzer: print fast_pattern along with the rule (#558)
- Fixes to stream engine reducing the number of events generated (#604)
- Stream.inline option new defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592)
- HTTP handling in OOM condition was greatly improved (#557)
- Filemagic keyword performance was improved (#585)
- Updated bundled libhtp to 0.2.11
- Build system improvements and cleanups
- Live reloads now supports HTTP rule updates better (#522)
- AF_PACKET performance improvements (#197, #415)
- Make defrag more configurable (#517, #528)
- Improve pool performance (#518)
- Improve file inspection keywords by adding a separate API (#531)
- Example threshold.config file provided (#302)
- Fixes:
- Decoder event matching fixed (#672)
- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#665)
- Add more events to IPv6 extension header anomolies (#678)
- Fix ICMPv6 payload and checksum calculation (#677, #674)
- Clean up flow timeout handling (#656)
- Fix a shutdown bug when using AF_PACKET under high load (#653)
- Fix TCP sessions being cleaned up to early (#652)
New in Suricata 1.4 RC 1 (Dec 8, 2012)
- New features:
- Interactive unix socket mode (#571, #552)
- IP Reputation: loading and matching (#647)
- Improved --list-keywords commandline option gives detailed info for supported keyword, including doc link (#435)
- Improvements:
- Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494)
- User-Agent added to file log and filestore meta files (#629)
- Endace DAG supports live stats and at exit drop stats (#638)
- Add support for libhtp event "request port doesn't match tcp port" (#650)
- Fixes:
- Rules with negated addresses will not be considered IP-only (#599)
- Rule reloads complete much faster in low traffic conditions (#526)
- Suricata -h now displays all available options (#419)
- Luajit configure time detection was improved (#636)
- Flow manager mutex used w/o initialization (#628)
- Cygwin work around for windows shell mangling interface string (#372)
- Fix a Prelude output crash with alerts generated by rules w/o classtype or msg (#648)
- CLANG compiler build fixes (#649)
- Several fixes found by code analyzers
New in Suricata 1.4 Beta 3 (Nov 16, 2012)
- New features:
- support for Napatech cards through their 3rd generation driver was added by Matt Keeler from Npulse (#430, #619)
- support for pkt_data keyword was added
- user and group to run as can now be set in the config file
- make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
- PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
- add stream event to match on overlaps with different data in stream reassembly (#603)
- Improvements:
- add contrib directory to the dist (#567)
- performance improvements to signatures with dsize option
- improved rule analyzer: print fast_pattern along with the rule (#558)
- fixes to stream engine reducing the number of events generated (#604)
- stream.inline option new defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592)
- HTTP handling in OOM condition was greatly improved (#557)
- filemagic keyword performance was improved (#585)
- updated bundled libhtp to 0.2.11
- build system improvements and cleanups
- Fixes:
- fixes and improvements to daemon mode (#624)
- fix drop rules not working correctly when thresholded (#613)
- fixed a possible FP when a regular and "chopped" fast_pattern were the same (#581)
- fix a false possitive condition in http_header (#607)
- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#627)
- fixes to rule profiling (#576)
- cleanups and misc fixes (#379, #395)
- fix to SSL record parsing
New in Suricata 1.3.3 (Nov 16, 2012)
- Fixes:
- fix drop rules not working correctly when thresholded (#615)
- fix a false possitive condition in http_header (#606)
- fix extracted file corruption (#601)
- fix a false possitive condition with the pcre keyword and relative matching (#588)
- fix PF_RING set cluster problem on dma interfaces (#598)
- improve http handling in low memory conditions (#586, #587)
- fix FreeBSD inline mode crash (#612)
- suppress pcre jit warning (#579)
New in Suricata 1.4 Beta 2 (Oct 6, 2012)
- New features:
- New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346)
- Added ability to control per server HTTP parser settings in much more detail (#503)
- Improvements:
- Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540)
- Big performance improvement in inspecting decoder, stream and app layer events (#555)
- Pool performance improvements (#541)
- Improved performance of signatures with simple pattern setups (#577)
- Bundled docs are installed upon make install (#527)
- Support for a number of global vs rule thresholds was added (#425)
- Improved rule profiling performance
- If not explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded.
- Fixes:
- Fix compilation on architectures other than x86 and x86_64 (#572)
- Fix FP with anchored pcre combined with relative matching (#529)
- Fix engine hanging instead of exitting if the pcap device doesn't exist (#533)
- Work around for potential FP, will get properly fixed in next release (#574)
- Improve ERF handling. Thanks to Jason Ish
- Always set cluster_id in PF_RING
- IPFW: fix broken broadcast handling
- AF_PACKET kernel offset issue, IPS fix and cleanup
- Fix stream engine sometimes resending the same data to app layer
- Fix multiple issues in HTTP multipart parsing
- Fixed a lockup at shutdown with NFQ (#537)
New in Suricata 1.4 Beta 1 (Sep 7, 2012)
- New features:
- Custom HTTP logging contributed by Ignacio Sanchez (#530)
- TLS certificate logging and fingerprint computation and keyword by Jean-Paul Roliers (#443)
- TLS certificate store to disk feature Jean-Paul Roliers (#444)
- Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
- AF_PACKET IPS support (#516)
- Rules can be set to inspect only IPv4 or IPv6 (#494)
- filesize keyword for matching on sizes of files in HTTP (#489)
- Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
- NFQ fail open support (#507)
- Highly experimental lua scripting support for detection
- Improvements:
- Live reloads now supports HTTP rule updates better (#522)
- AF_PACKET performance improvements (#197, #415)
- Make defrag more configurable (#517, #528)
- Improve pool performance (#518)
- Improve file inspection keywords by adding a separate API (#531)
- Example threshold.config file provided (#302)
- Fixes;
- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
- Various spelling corrections by Simon Moon (#533)
New in Suricata 1.3.1 (Sep 7, 2012)
- Improvements:
- AF_PACKET performance improvements
- Defrag engine performance improvements
- HTTP: add per server options to enable/disable double decoding of URI (#464, #504)
- Fixes:
- Stream engine packet handling for packets with non-standard flag combinations (#508)
- Improved stream engine handling of packet loss (#523)
- Stream engine checksum alerting fixed
- Various rule analyzer fixes (#495, #496, #497)
- (Rule) profiling fixed and improved (#460, #466)
- Enforce limit on max-pending-packets (#510)
- fast_pattern on negated content improved
- TLS rule keyword parsing issues
- Windows build fixes (#502)
- Host OS parsing issues fixed (#499)
- Reject signatures where content length is bigger than "depth" setting (#505)
- Removed unused "prune-flows" option
- Set main thread and live reload thread names (#498)