Suricata v1.1 ID/PS Released
Suricata is a rule-based ID/PS engine that utilises externally developed rule sets to monitor network traffic and provide alerts to the system administrator when suspicious events occur. Designed to be compatible with existing network security components, Suricata features unified output functionality and pluggable library options to accept calls from other applications.
Changelog v1.1
Notable Improvements
- performance improvements
  - new default pattern matcher
  - multi pattern matcher inspection of HTTP buffers
  - improved running modes
- accuracy was greatly improved
- improved logging
  - extended HTTP logging
  - support of stream event logging
- IPS improvements
  - inline mode for stream engine
  - new keyword and running options for Netfilter based IPS
- removal of the unified1 output plugins (#353)
New features
- new keywords ssl_state, ssl_version (#258, #262).
- support for http_raw_header, http_stat_msg, http_stat_code and http_raw_uri keywords (#259, #260).
- new keyword support: nfq_set_mark
- support for suppress keyword was added (#274)
- byte_extract keyword support was added
- new default pattern matcher, Aho-Corasick based, that uses much less memory and performs better
- fast_pattern & multi pattern matching support for HTTP buffers
- extended HTTP request logging for use with (among other things) http_agent for Sguil (#38)
- new counters in stats.log for flow and stream engines (#348)
- AF_PACKET support for high speed packet capture
- advanced fine-tuning of CPU affinity settings for better multicore performance
- “replace” keyword support for IPS mode (#303)
- new “workers” runmode for multi-dev and/or clustered PF_RING, AF_PACKET, pcap
- added “stream-event” keyword to match on TCP session anomalies
- Inline mode for the stream engine (#230, #248)
- Included an example decoder-events.rules file
- pcap logging / recording output was added
- basic SCTP protocol parsing was added
- reference.config support as supplied by ET/ETpro and VRT
- smtp protocol parser and protocol detection were added
- better handling of detection for timed out TCP sessions
- improved protocol detection accuracy with additional support for port based detection
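As an added illustration, not part of these release notes or of the Suricata project's own rule files, the following local rule fragment exercises several of the keywords introduced in this release; the SIDs, the monitored port and the IP address are constructed placeholders.

```suricata
# Added example (not Suricata's own rules): local rules using keywords new in 1.1.
# SIDs in the 9000000+ range and 192.0.2.10 are constructed placeholders.

# ssl_state / ssl_version: a client offering SSLv2 in its ClientHello
alert tls any any -> any any (msg:"LOCAL SSLv2 ClientHello"; ssl_state:client_hello; ssl_version:sslv2; classtype:policy-violation; sid:9000001; rev:1;)

# http_stat_code: match the response status code buffer instead of the raw payload
alert http any any -> any any (msg:"LOCAL HTTP 500 from server"; content:"500"; http_stat_code; classtype:bad-unknown; sid:9000002; rev:1;)

# http_raw_uri: inspect the unnormalised request URI for traversal sequences
alert http any any -> any any (msg:"LOCAL traversal sequence in raw URI"; content:"../"; http_raw_uri; classtype:web-application-attack; sid:9000003; rev:1;)

# stream-event: fire on TCP reassembly anomalies reported by the stream engine
alert tcp any any -> any any (msg:"LOCAL stream reassembly sequence gap"; stream-event:reassembly_seq_gap; classtype:protocol-command-decode; sid:9000004; rev:1;)

# replace (inline/IPS mode only): rewrite matched bytes in place;
# the replacement must be exactly the same length as the content it replaces
alert tcp any any -> any 8080 (msg:"LOCAL neutralise test marker"; content:"evil"; replace:"safe"; sid:9000005; rev:1;)

# suppress lives in threshold.config, not in the rules file; shown here as a comment:
# suppress gen_id 1, sig_id 9000002, track by_src, ip 192.0.2.10
```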
Fixes since 1.1rc1
- CUDA build fixed
- minor pcap, AF_PACKET and PF_RING fixes (#368)
- bpf handling fix
- Windows CYGWIN build fixed
- more cleanups
Download Suricata v1.1