[Oisf-users] Suricata 1.1 Available!

Victor Julien victor at inliniac.net
Thu Nov 10 16:08:55 UTC 2011


The OISF development team is proud to announce Suricata 1.1. This is the
first stable release after the 1.0 series. It brings significant gains
in performance, stability and accuracy. It is the result of more than a
year of work by the development team and our contributors, resulting in
a 70% growth of our code base.

Get the new release here:
http://www.openinfosecfoundation.org/download/suricata-1.1.tar.gz

The configuration file has evolved but backward compatibility is
provided. We thus encourage you to update your Suricata configuration
file. Upgrade guidance is provided here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_10_to_Suricata_11

Notable Improvements

- performance improvements
  - new default pattern matcher
  - multi pattern matcher inspection of HTTP buffers
  - improved running modes
- accuracy was greatly improved
- improved logging
  - extended HTTP logging
  - support of stream event logging
- IPS improvements
  - inline mode for stream engine
  - new keyword and running options for Netfilter based IPS
- removal of the unified1 output plugins (#353)

New features

- new keywords ssl_state, ssl_version (#258, #262).
- support for http_raw_header, http_stat_msg, http_stat_code and
http_raw_uri keywords (#259, #260).
- new keyword support: nfq_set_mark
- support for suppress keyword was added (#274)
- byte_extract keyword support was added
- new default pattern matcher, Aho-Corasick based, that uses much less
memory and performs better
- fast_pattern & multi pattern matching support for HTTP buffers
- extended HTTP request logging for use with (among other things)
http_agent for Sguil (#38)
- new counters in stats.log for flow and stream engines (#348)
- AF_PACKET support for high speed packet capture
- advanced and fine tuning of CPU affinity setting for enhanced
multicore performances
- "replace" keyword support for IPS mode (#303)
- new "workers" runmode for multi-dev and/or clustered PF_RING,
AF_PACKET, pcap
- added "stream-event" keyword to match on TCP session anomalies
- Inline mode for the stream engine (#230, #248)
- Included an example decoder-events.rules file
- pcap logging / recording output was added
- basic SCTP protocol parsing was added
- reference.config support as supplied by ET/ETpro and VRT
- smtp protocol parser and protocol detection was added
- better handling of detection for timed out TCP sessions
- improved protocol detection accuracy with additional support for port
based detection

Fixes since 1.1rc1

- CUDA build fixed
- minor pcap, AF_PACKET and PF_RING fixes (#368)
- bpf handling fix
- Windows CYGWIN build
- more cleanups

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our
best to make you aware of continuing development and items within the
engine that are not yet complete or optimal.  With this in mind, please
notice the list we have included of known items we are working on.

See http://redmine.openinfosecfoundation.org/projects/suricata/issues
for an up to date list and to report new issues. See
http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues
for a discussion and time line for the major issues.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------




More information about the Oisf-users mailing list