[Discussion] Suricata 1.4beta2 Available for testing!
Victor Julien
victor at inliniac.net
Thu Oct 4 14:42:57 UTC 2012
The OISF development team is proud to announce Suricata 1.4beta2. This
is the second beta release for the upcoming 1.4 version.
The main addition of this release is a usable lua scripting keyword for
detection: luajit. This keyword allows you to run Lua scripts as part of
the detection engine, allowing inspection beyond what the rule language
offers. While not cheap, performance is not bad at all due to use of the
luajit engine. [1]
This release also brings major performance enhancements. We're able to
get virtually packet loss free with AF_PACKET on our ISP test box with
6gbps-9gpbs of sustained traffic on commodity hardware with 7k rules. [2]
Get the new release here:
http://www.openinfosecfoundation.org/download/suricata-1.4beta2.tar.gz
New features
- New keyword: "luajit" to inspect packet, payload and all HTTP buffers
with a Lua script (#346)
- Added ability to control per server HTTP parser settings in much more
detail (#503)
Improvements
- Rewrite of IP Defrag engine to improve performance and fix locking
logic (#512, #540)
- Big performance improvement in inspecting decoder, stream and app
layer events (#555)
- Pool performance improvements (#541)
- Improved performance of signatures with simple pattern setups (#577)
- Bundled docs are installed upon make install (#527)
- Support for a number of global vs rule thresholds [3] was added (#425)
- Improved rule profiling performance
- If not explicit fast_pattern is set, pick HTTP patterns over stream
patterns. HTTP method, stat code and stat msg are excluded.
Fixes
- Fix compilation on architectures other than x86 and x86_64 (#572)
- Fix FP with anchored pcre combined with relative matching (#529)
- Fix engine hanging instead of exitting if the pcap device doesn't
exist (#533)
- Work around for potential FP, will get properly fixed in next release
(#574)
- Improve ERF handling. Thanks to Jason Ish
- Always set cluster_id in PF_RING
- IPFW: fix broken broadcast handling
- AF_PACKET kernel offset issue, IPS fix and cleanup
- Fix stream engine sometimes resending the same data to app layer
- Fix multiple issues in HTTP multipart parsing
- Fixed a lockup at shutdown with NFQ (#537)
Credits
We'd like to thank the following people and corporations for their
contributions and feedback:
- Jason Ish - Endace
- Chris Wakelin
- Rmkml
Known issues & missing features
In a beta release like this things may not be as polished yet. So please
handle with care. That said, if you encounter issues, please let us
know! As always, we are doing our best to make you aware of continuing
development and items within the engine that are not yet complete or
optimal. With this in mind, please notice the list we have included of
known items we are working on.
See http://redmine.openinfosecfoundation.org/projects/suricata/issues
for an up to date list and to report new issues. See
http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues
for a discussion and time line for the major issues.
About Suricata
Suricata is a high performance Network IDS, IPS and Network Security
Monitoring engine. Open Source and owned by a community run non-profit
foundation, the Open Information Security Foundation (OISF). Suricata is
developed by the OISF, its supporting vendors and the community.
References
[1] http://blog.inliniac.net/2012/09/21/suricata-luajit-update/
[2] https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
[3]
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds#Global-thresholds-vs-rule-thresholds
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Discussion
mailing list