[Oisf-users] Suricata 4.1 released

Victor Julien victor at inliniac.net
Tue Nov 6 13:54:29 UTC 2018

After a longer than intended release development cycle, the OISF
development team is proud to present Suricata 4.1.

The main new features are the inclusion of the SMBv1/2/3, NFSv4,
Kerberos, FTP, DHCP and IKEv2 protocols. All of them have been implemented
in Rust to ensure their introduction will not compromise the security and
stability of the complete system.

Support for tracking and logging TLS 1.3 has been added, including JA3.

On the performance side, one of the main improvements is the availability
of capture bypass for AF_PACKET, implemented on top of the new eXpress Data
Path (XDP) capability of the Linux kernel. Windows users will benefit from
the 4.1 release with a new IPS mode based on WinDivert.

All new protocols require Rust, so Suricata 4.1 is not really 4.1 if you
don't have Rust. This is why the build system now enables Rust by
default if it is available on the build machine.

This is the first release where Suricata-Update 1.0, the new Suricata
rule updater, is bundled.

Get the release here:

*Protocol updates*

SMBv1/2/3 parsing, logging, file extraction
TLS 1.3 parsing and logging (Mats Klepsland)
JA3 TLS client fingerprinting (Mats Klepsland)
TFTP: basic logging (Pascal Delalande and Clément Galland)
FTP: file extraction
Kerberos parser and logger (Pierre Chifflier)
IKEv2 parser and logger (Pierre Chifflier)
DHCP parser and logger
Flow tracking for ICMPv4
Initial NFS4 support
HTTP: handle sessions that only have a response, or start with a response
HTTP Flash file decompression support (Giuseppe Longo)

*Output and logging*

File extraction v2: deduplication; hash-based naming; json metadata and
cleanup tooling
Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
Eve: new more compact DNS record format (Giuseppe Longo)
Pcap directory mode: process all pcaps in a directory (Danny Browning)
Compressed PCAP logging (Max Fillinger)
Expanded XFF support (Maurizio Abba)
Community Flow Id support (common ID between Suricata and Bro/Zeek)

*Packet Capture*

AF_PACKET XDP and eBPF support for high speed packet capture
Windows IPS: WinDivert support (Jacob Masen-Smith)
PF_RING: usability improvements


Windows: MinGW is now supported
Detect: transformation keyword support
Bundled Suricata-Update
Per device multi-tenancy

*Minor changes since 4.1rc2*

Coverity fixes and annotations
Update Suricata-Update to 1.0.0


An SMTP crash issue was fixed: CVE-2018-18956
Robustness of defrag against FragmentSmack was improved
Robustness of TCP reassembly against SegmentSmack was improved

*Get paid to work on Suricata!*

Enjoying the testing? Or want to help out with other parts of the
project? We are looking for people, so reach out to us at info at oisf.net
if you're interested.

*Special thanks*

Mats Klepsland, Pierre Chifflier, Giuseppe Longo, Ralph Broenink, Danny
Browning, Maurizio Abba, Pascal Delalande, Wolfgang Hotwagner, Jason
Taylor, Jesper Dangaard Brouer, Alexander Gozman, Konstantin Klinger,
Max Fillinger, Antoine LUONG, David DIALLO, Jacob Masen-Smith, Martin
Natano, Ruslan Usmanov, Alfredo Cardigliano, Antti Tönkyrä, Brandon
Sterne, Chris Speidel, Clément Galland, Dana Helwig, Daniel Humphries,
Elazar Broad, Gaurav Singh, Hilko Bengen, Nick Price, Philippe Antoine,
Renato Botelho, Thomas Andrejak, Paulo Pacheco, Henning Perl, Kirill
Shipulin, Christian Kreibich, Tilli Juha-Matti


Check out the latest training offerings at


SuriCon 2018 Vancouver is next week and it's still possible to join!

*About Suricata*

Suricata is a high performance Network Threat Detection, IDS, IPS and
Network Security Monitoring engine. Open Source and owned by a community
run non-profit foundation, the Open Information Security Foundation
(OISF). Suricata is developed by OISF, its supporting vendors and the

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
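The Community Flow Id listed under "Output and logging" is the 4.1 feature most worth a worked example, because it is what lets an analyst join a Suricata EVE record to the Zeek conn.log row for the same flow. What follows is an added example, not code from this announcement or from the Suricata project: a Python implementation of the version-1 Community ID as published in the Corelight specification (2-byte big-endian seed, source address, destination address, 1-byte IP protocol, one zero byte, source port, destination port, SHA-1, base64, "1:" prefix, with the tuple ordered so both directions of a flow hash the same), plus a small correlation over constructed records. The EVE event, the conn.log rows and the Zeek uids in them are constructed for illustration, the helper names are my own, and only TCP, UDP and SCTP are handled; the ICMP type/code mapping the spec also defines is left out.

```python
"""Community Flow ID v1 (Corelight spec) and a Suricata<->Zeek join.

Added example, not Suricata or Zeek project code. Assumes the published v1
layout; ICMP type/code handling is omitted (TCP, UDP, SCTP only).
"""
import base64
import hashlib
import ipaddress
import struct

PROTO_TCP, PROTO_UDP, PROTO_SCTP = 6, 17, 132
PROTO_BY_NAME = {"tcp": PROTO_TCP, "udp": PROTO_UDP, "sctp": PROTO_SCTP}


def community_id(saddr, sport, daddr, dport, proto, seed=0):
    """Return the v1 Community ID string for a 5-tuple (either direction)."""
    if proto not in (PROTO_TCP, PROTO_UDP, PROTO_SCTP):
        raise ValueError("only TCP/UDP/SCTP handled in this example")
    sa = ipaddress.ip_address(saddr).packed  # network byte order, v4 or v6
    da = ipaddress.ip_address(daddr).packed
    # Canonical ordering: lower address first; on equal addresses, lower port
    # first. This is what makes the ID identical for both flow directions.
    if not (sa < da or (sa == da and sport < dport)):
        sa, da = da, sa
        sport, dport = dport, sport
    data = (struct.pack("!H", seed) + sa + da
            + struct.pack("!BBHH", proto, 0, sport, dport))  # proto, pad, ports
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


# Constructed sample records (not real captures). The EVE alert is the flow
# as Suricata saw it; the first conn.log row is the same flow recorded from
# the other direction, the second is an unrelated flow. Zeek uids are made up.
SURICATA_EVE = [
    {"event_type": "alert", "src_ip": "128.232.110.120", "src_port": 34855,
     "dest_ip": "66.35.250.204", "dest_port": 80, "proto": "TCP",
     "community_id": "1:LQU9qZlK+B5F3KDmev6m5PMibrg="},
]
ZEEK_CONN = [
    {"uid": "CHhAvVGS1DHFjwGM9", "id.orig_h": "66.35.250.204", "id.orig_p": 80,
     "id.resp_h": "128.232.110.120", "id.resp_p": 34855, "proto": "tcp"},
    {"uid": "C4J4Th3PJpwUYZZ6gc", "id.orig_h": "10.0.0.5", "id.orig_p": 51000,
     "id.resp_h": "10.0.0.9", "id.resp_p": 53, "proto": "udp"},
]


def eve_id_consistent(ev, seed=0):
    """Recompute the ID from the EVE tuple; False means a seed/config mismatch."""
    return community_id(ev["src_ip"], ev["src_port"], ev["dest_ip"],
                        ev["dest_port"], PROTO_BY_NAME[ev["proto"].lower()],
                        seed) == ev["community_id"]


def correlate(eve_events, conn_rows, seed=0):
    """Map each EVE community_id to the Zeek uids that carry the same flow."""
    by_id = {}
    for row in conn_rows:
        cid = community_id(row["id.orig_h"], row["id.orig_p"],
                           row["id.resp_h"], row["id.resp_p"],
                           PROTO_BY_NAME[row["proto"]], seed)
        by_id.setdefault(cid, []).append(row["uid"])
    return {ev["community_id"]: by_id[ev["community_id"]]
            for ev in eve_events if ev.get("community_id") in by_id}


if __name__ == "__main__":
    for ev in SURICATA_EVE:
        print(ev["community_id"], "consistent:", eve_id_consistent(ev))
    print(correlate(SURICATA_EVE, ZEEK_CONN))
```

In suricata.yaml the field is switched on per EVE output with `community-id: true` in the eve-log section, and the seed is set with `community-id-seed`. The seed must be the same on every Suricata sensor and in the Zeek community-id package, otherwise the IDs will never line up; `eve_id_consistent` above is the check for that mismatch.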
