[Oisf-devel] [Oisf-users] Suricata 1.3 Available!

Martin Holste mcholste at gmail.com
Fri Jul 6 15:35:09 UTC 2012 

Can Anoop describe a bit about ac-bs?  I read the .c header and it
looks like I should use this one since I have a ton of RAM, but I'm
interested in the design goals and overall idea.

On Fri, Jul 6, 2012 at 10:23 AM, Victor Julien <victor at inliniac.net> wrote:
> The OISF development team is proud to announce Suricata 1.3. This
> release is a major improvement over the previous releases with regard to
> performance, scalability and accuracy. Also, a number of great features
> have been added.
>
> Major new features:
>
> - TLS/SSL handshake parser and rule keywords for detecting anomolies in
> TLS/SSL traffic
> - HTTP user agent keyword for matching directly on User-Agent header
> - On the fly MD5 calculation and matching for files in HTTP streams
>
> New / improved hardware support
>
> - Napatech support added
> - Endace support improved
> - New runmode for users of pcap wrappers (Myricom, PF_RING, others)
>
> Get the new release here:
> http://www.openinfosecfoundation.org/download/suricata-1.3.tar.gz
>
> The configuration file has evolved but backward compatibility is
> provided. We thus encourage you to update your suricata configuration
> file. Upgrade guidance is provided here:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_12_to_Suricata_13
>
> Detailed list of changes:
>
> New features
>
> - TLS/SSL handshake parser, tls.subjectdn and tls.issuerdn keywords
> (#296, contributed by Pierre Chifflier)
> - http_user_agent keyword for matching on the HTTP User-Agent header
> - experimental live rule reload by sending a USR2 signal (#279)
> - AF_PACKET BPF support (#449)
> - AF_PACKET live packet loss counters (#441)
> - Ringbuffer and zero copy support for AF_PACKET
> - add pcap workers runmode for use with libpcap wrappers that support
> load balancing, such as  Napatech's or Myricom's
> - Napatech capture card support (contributed by Randy Caldejon -- nPulse)
> - Test mode: -T option to test the config (#271)
> - Rule analyzer (#349)
> - On the fly md5 checksum calculation of extracted files
> - File extraction for HTTP POST request that do not use multipart bodies
> - Scripts for looking up files / file md5's at Virus Total and others
> (contributed by Martin Holste)
> - Experimental support for matching on large lists of known file MD5
> checksums
> - negated filemd5 matching, allowing for md5 whitelisting
> - Line based file log, in json format
> - New multi pattern engine: ac-bs
> - Basic support for including other yaml files into the main yaml
> - Commandline options to list supported app layer protocols and keywords
> (#344, #414)
> - Profiling improvements, added lock profiling code
>
>
> Improvements
>
> - Major rewrite of flow engine, improving scalability.
> - New default runmode: "autofp" (#433)
> - Improved scalability for Tag and Threshold subsystems
> - Support for PF_RING 5.4 added. Many thanks to Chris Wakelin (#459).
> - Improved Endace DAG support (#431, Jason Ish -- Endace)
> - Split "file" output into "file-store" and "file-log" outputs
> - Much improved file extraction
> - Improvements to HTTP handling: multipart parsing, gzip decompression.
> - Improved performance for file_data, http_server_body and
> http_client_body keywords.
> - Improved HTTP CONNECT support in libhtp (#427, Brian Rectanus -- Qualys)
> - http_cookie keyword now also inspects "Set-Cookie" header (#479)
> - http_raw_header keyword inspects original header line terminators (#475)
> - deal with double encoded URI (#464)
> - Improved http_stat_msg and http_stat_code keywords (#394)
> - Unified yaml naming convention, including fallback support (by Nikolay
> Denev)
> - Made the rule keyword parser much stricter in detecting syntax errors
> - Improved error reporting when using too long address strings (#451).
> - Rule parser is made more strict.
> - Byte_extract can support negative offsets now (#445).
> - HOME_NET and EXTERNAL_NET and the other vars are now checked for
> common errors (#454).
> - Unified2 output overhaul, logging individual segments in more cases.
> - signatures with depth and/or offset are now checked against packets in
> addition to the stream (#404)
>
>
> Changes since 1.3rc1
>
> - make live rule reloads optional and disabled by default
> - fix a shutdown bug
> - fix several memory leaks (#492)
> - warn user if global and rule thresholding conflict (#455)
> - set thread names on FreeBSD (Nikolay Denev)
> - Fix PF_RING building on Ubuntu 12.04
> - rule analyzer updates
> - file inspection improvements when dealing with limits (#493)
>
>
> Credits
>
>   Brian Rectanus -- Qualys
>   Randy Caldejon -- nPulse
>   Pierre Chifflier
>   Coverity
>   Nikolay Denev
>   Jason Ish -- Endace
>   Martin Holste
>   Napatech
>   Rmkml
>   Michel Sarborde
>   Chris Wakelin
>   Joshua White
>
> Known issues & missing features
>
> If you encounter issues, please let us know! As always, we are doing our
> best to make you aware of continuing development and items within the
> engine that are not yet complete or optimal.  With this in mind, please
> notice the list we have included of known items we are working on.
>
> See http://redmine.openinfosecfoundation.org/projects/suricata/issues
> for an up to date list and to report new issues. See
> http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues
> for a discussion and time line for the major issues.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

More information about the Oisf-devel mailing list