[Oisf-devel] Suricata 4.0.0-beta1 ready for testing!

Victor Julien victor at inliniac.net
Wed Jun 7 16:24:23 UTC 2017

We are proud to announce that the first beta release of the upcoming
Suricata 4.0.0, *Suricata 4.0.0-beta1*, is ready for testing.

This release features our first experimental steps into using the Rust
language for creating safer and easier-to-develop parsers, inspired by
Pierre Chifflier's talk at SuriCon 2016 [1]. This initial integration
does not yet include Pierre's work, but this will likely change in the
near future.
By compiling with --enable-rust you'll get a basic NFSv3 parser and a
reimplementation of the DNS parser. Feedback on this is highly appreciated.

A major new feature is support for STARTTLS in SMTP and FTP. TLS
sessions will now be logged in these cases. Decoding, logging and
matching on TLS certificate serial numbers was also added. Great work by
Mats Klepsland. Also for TLS, session resumption logging is now supported
thanks to the work of Ray Ruvinskiy. TLS logging was improved by Paulo

Lots of new HTTP detection options were added to make matching on
specific header fields easier and more efficient. New SSH keywords that
are fast_pattern capable have also been added. For developers, this
release makes extending the detection engine a lot easier.

A major TCP stream engine update is included. This should lead to better
performance and less configuration, especially in IPS mode.

EVE is extended in several ways: in the case of encapsulated traffic,
both the inner and outer IP addresses and ports are logged. The 'vars'
facility logs flowbits and other vars. This can also be used to extract
data from the traffic using PCRE capture groups, and then log it. EVE
can also be rotated based on time.
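As an added illustration (not code from the Suricata project or this announcement) of consuming the extended EVE alerts described above: the helper below separates the inner endpoints of a tunneled alert from the outer ones and collects the logged flowbits and flowvars. The sample lines are constructed, and the assumed layout (outer endpoints under a "tunnel" object, flowbits and flowvars under "vars") should be checked against the eve.json your deployment actually writes.

```python
import json

# Constructed sample EVE lines, not real Suricata output. Assumed layout:
# a tunneled alert keeps the inner endpoints at the top level and carries
# the outer (encapsulating) endpoints under "tunnel"; vars sit under "vars".
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.0.0.5","src_port":41000,"dest_ip":"10.0.0.9","dest_port":80,"tunnel":{"src_ip":"192.0.2.1","dest_ip":"192.0.2.2","proto":"GRE"},"vars":{"flowbits":{"http.dottedquadhost":true},"flowvars":[{"ua":"curl/7.0"}]}}
{"event_type":"alert","src_ip":"10.0.0.7","src_port":5555,"dest_ip":"10.0.0.8","dest_port":443}
{"event_type":"flow","src_ip":"10.0.0.1","dest_ip":"10.0.0.2"}
not json at all
"""


def summarize_alert(record):
    """Return inner/outer endpoints plus flowbits and flowvars for one alert."""
    inner = (record.get("src_ip"), record.get("src_port"),
             record.get("dest_ip"), record.get("dest_port"))
    # Outer addresses only exist for alerts raised on encapsulated traffic;
    # an alert without "tunnel" was seen on plain, un-tunneled packets.
    tunnel = record.get("tunnel")
    outer = None
    if isinstance(tunnel, dict):
        outer = (tunnel.get("src_ip"), tunnel.get("dest_ip"), tunnel.get("proto"))
    vars_ = record.get("vars") or {}
    flowbits = sorted(name for name, is_set in (vars_.get("flowbits") or {}).items() if is_set)
    flowvars = {}
    for entry in vars_.get("flowvars") or []:   # list of {name: captured value}
        flowvars.update(entry)
    return {"inner": inner, "outer": outer, "flowbits": flowbits, "flowvars": flowvars}


def summarize_eve(text):
    """Parse EVE JSON lines; skip non-alert events and count unparsable lines."""
    summaries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1            # a truncated or corrupted line, not an alert
            continue
        if record.get("event_type") != "alert":
            continue
        summaries.append(summarize_alert(record))
    return summaries, skipped


if __name__ == "__main__":
    for summary in summarize_eve(SAMPLE_EVE)[0]:
        print(summary)
```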

David Wharton has created a section in the documentation for rule
writers who have a background in Snort. It documents changes that are
relevant for writing rules.

Paulo Pacheco has been improving the Redis output performance.

Note that this release finally drops support for CentOS 5, and for
libpcap 0.x with it.

*Special thanks*

Mats Klepsland - for his major contributions: many EVE and TLS features

Pierre Chifflier - for paving the way for the Rust experiment and being
very helpful while learning Rust and Nom.

Additionally: Jérémy Beaume, Alexander Gozman, Paulo Pacheco, Ray
Ruvinskiy, Peter Sanders, David Wharton, Jon Zeolla


Feature #805: Add support for applayer change
Feature #806: Implement STARTTLS support
Feature #1636: Signal rotation of unified2 log file without restart
Feature #1953: lua: expose flow_id
Feature #1969: TLS transactions with session resumption are not logged
Feature #1978: Using date in logs name
Feature #1998: eve.tls: custom TLS logging
Feature #2006: tls: decode certificate serial number
Feature #2011: eve.alert: print outside IP addresses on alerts on
traffic inside tunnels
Feature #2046: Support custom file permissions per logger
Feature #2061: lua: get timestamps from flow
Feature #2077: Additional HTTP Header Contents and Negation
Feature #2129: nfs: parser, logger and detection
Feature #2130: dns: rust parser with stateless behaviour
Feature #2132: eve: flowbit and other vars logging
Feature #2133: unix socket: add/remove hostbits
Bug #1335: suricata option --pidfile overwrites any file
Bug #1470: make install-full can have race conditions on OSX.
Bug #1759: CentOS5 EOL tasks
Bug #2037: travis: move off legacy support
Bug #2039: suricata stops processing when http-log output via
unix_stream backs up
Bug #2041: bad checksum 0xffff
Bug #2044: af-packet: faulty VLAN handling in tpacket-v3 mode
Bug #2045: geoip: compile warning on CentOS 7
Bug #2049: Empty rule files cause failure exit code without
corresponding message
Bug #2051: ippair: xbit unset memory leak
Bug #2053: ippair: pair is direction sensitive
Bug #2070: file store: file log / file store mismatch with multiple files
Bug #2072: app-layer: fix memleak on bad traffic
Bug #2078: http body handling: failed assertion
Bug #2088: modbus: clang-4.0 compiler warnings
Bug #2093: Handle TCP stream gaps.
Bug #2097: "Name of device should not be null" appears in suricata.log
when using pfring with configuration from suricata.yaml
Bug #2098: isdataat: fix parsing issue with leading spaces
Bug #2108: pfring: errors when compiled with asan/debug
Bug #2111: doc: links towards http_header_names
Bug #2112: doc: links towards certain http_ keywords not working
Bug #2113: Race condition starting Unix Server
Bug #2118: defrag - overlap issue in linux policy
Bug #2125: ASAN SEGV - Suricata version 4.0dev (rev 922a27e)
Optimization #521: Introduce per stream thread segment pool
Optimization #1873: Classtypes missing on decoder-events,files, and


User Training in Denver, Colorado. June 20 and 21:
Hosted by ProtectWise.

Developer Training in Cork, Ireland. September 11 to 15:
Hosted by FireEye.

User Training at SuriCon 2017, in Prague:

*SuriCon 2017*

Come meet the Suricata community and development team to discuss all
things Suricata at the third edition of the annual Suricata Conference.
SuriCon 2017 will be in November in Prague: https://suricon.net

*About Suricata*

Suricata is a high performance Network Threat Detection, IDS, IPS and
Network Security Monitoring engine. Open Source and owned by a community
run non-profit foundation, the Open Information Security Foundation
(OISF). Suricata is developed by the OISF, its supporting vendors and
the community.


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
