[Discussion] Suricata 1.2 Available!

Victor Julien victor at inliniac.net
Thu Jan 19 17:50:36 UTC 2012


The OISF development team is proud to announce Suricata 1.2. This
release brings HTTP file inspection and extraction and a whole lot more.

Get the new release here:
http://www.openinfosecfoundation.org/download/suricata-1.2.tar.gz

The configuration file has evolved but backward compatibility is
provided. We thus encourage you to update your suricata configuration
file. Upgrade guidance is provided here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_11_to_Suricata_12

New features

- file name, type inspection and extraction for HTTP
- filename, fileext, filemagic and filestore keywords added
- "file" output for storing extracted files to disk
- file_data keyword support, inspecting normalized, dechunked,
decompressed HTTP response body (feature #241)
- new keyword http_server_body, pcre regex /S option
- option to enable/disable core dumping from the suricata.yaml (enabled
by default)
- human readable size limit settings in suricata.yaml (bug #333)
- PF_RING bpf support (requires PF_RING >= 5.2) (feature #334)
- tos keyword support (feature #364)
- IPFW IPS mode now supports multiple divert sockets
- new IPS running modes, Linux and FreeBSD now support "worker" and
"autofp"
- app-layer-events keyword: similar to the decoder-events and
stream-events, this will allow matching on HTTP and SMTP events
- auto detection of checksum offloading per interface (#311)
- urilen options to match on raw or normalised URI (#341)
- flow keyword option "only_stream" and "no_stream"
- unixsock output options for all outputs except unified2 (PoC python
script in the qa/ dir) (#250)
- http_header and http_raw_header now also inspect HTTP response headers
(#389, #397)
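As an added illustration (not part of this announcement), the new file keywords listed above can be combined in rules such as these; the rule syntax is assumed from the Suricata rule format, and the messages, sids and address variables are made up. Files matched by `filestore` are written to disk by the "file" output mentioned above.

```suricata
# Store any file a client uploads whose declared name ends in .exe (constructed example)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"FILE upload of .exe by name"; flow:established,to_server; fileext:"exe"; filestore; classtype:policy-violation; sid:9000001; rev:1;)

# Store downloaded Windows executables regardless of name or extension,
# keying on the libmagic result (filemagic) rather than the Content-Type header
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE PE32 executable download"; flow:established,to_client; filemagic:"PE32 executable"; filestore; classtype:policy-violation; sid:9000002; rev:1;)

# Inspect the normalized, dechunked, decompressed response body via file_data
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE PE header in HTTP response body"; flow:established,to_client; file_data; content:"MZ"; depth:2; content:"This program cannot be run in DOS mode"; distance:0; classtype:policy-violation; sid:9000003; rev:1;)
```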

Improvements

- general performance improvements
- improved alert accuracy in autofp and single runmodes
- major performance optimizations for the ac-gfbs pattern matcher
implementation
- unified2 output fixes
- PF_RING supports privilege dropping now (bug #367)
- improved detection of duplicate signatures
- improved performance in virtual machines (bug #382)
- PCRE-JIT is now enabled by default if available (#356)
- flowbits and flowints are now modified in a post-match action list
- bundled libhtp updated to 0.2.7
- fixed parsing of very high sid numbers (>2 billion) (#393)
- fixed ICMPv6 not matching in IP-only sigs (#363)

Fixes since 1.2rc1

- improved Windows/CYGWIN path handling (#387)
- fixed some issues with passing an interface or IP address with -i
- make live worker runmode threads adhere to the 'detect' cpu affinity
settings

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our
best to make you aware of continuing development and items within the
engine that are not yet complete or optimal. With this in mind, please
notice the list we have included of known items we are working on.

See http://redmine.openinfosecfoundation.org/projects/suricata/issues
for an up to date list and to report new issues. See
http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues
for a discussion and time line for the major issues.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------