Suricata 2.0beta1 Available!

The OISF development team is proud to announce Suricata 2.0beta1. This is the first beta release for the upcoming 2.0 version.

This release greatly improved our HTTP handling by upgrading libhtp support to 0.5.5 and by redesigning transaction handling, which increases HTTP performance as well[1]. On the performance side, a large CUDA overhaul greatly improves our GPU performance[2]. Also new in this release is a DNS parser, logger and detection support.

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0beta1.tar.gz

[1] http://www.poona.me/2013/05/suricata-transaction-engine-re-designed.html#performance
[2] http://www.poona.me/2013/06/suricata-cuda-engine-re-designed.html#performance

New features

• Luajit flow vars and flow ints support (#593)
• DNS parser, logger and keyword support (#792), funded by Emerging Threats
• deflate support for HTTP response bodies (#470, #775)

Improvements

• update to libhtp 0.5 (#775)
• improved gzip support for HTTP response bodies (#470, #775)
• redesigned transaction handling, improving both accuracy and performance (#753)
• redesigned CUDA support (#729)
• Be sure to always apply verdict to NFQ packet (#769)
• stream engine: SACK allocs should adhere to memcap (#794)
• stream: deal with multiple different SYN/ACK’s better (#796)
• stream: Randomize stream chunk size for raw stream inspection (#804)
• Introduce per stream thread ssn pool (#519)
• “pass” IP-only rules should bypass detection engine after matching (#718)
• Generate error if bpf is used in IPS mode (#777)
• Add support for batch verdicts in NFQ, thanks to Florian Westphal
• Update Doxygen config, thanks to Phil Schroeder
• Improve libnss detection, thanks to Christian Kreibich

Fixes

• Fix a FP on rules looking for port 0 and fragments (#847), thanks to Rmkml
• OS X unix socket build fixed (#830)
• bytetest, bytejump and byteextract negative offset failure (#827)
• Fix fast.log formatting issues (#771), thanks to Rmkml
• Invalidate negative depth (#774), thanks to Rmkml
• Fixed accuracy issues with relative pcre matching (#791)
• Fix deadlock in flowvar capture code (#802)
• Improved accuracy of file_data keyword (#817)
• Fix af-packet ips mode rule processing bug (#819), thanks to Laszlo Madarassy
• stream: fix injecting pseudo packet too soon leading to FP (#883), thanks to Francis Trudeau

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

• Rmkml
• Laszlo Madarassy
• Ken Steele, Tilera
• Florian Westphal
• Christian Kreibich
• Francis Trudeau
• Phil Schroeder
• Ivan Ristic
• Emerging Threats
• Coverity

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know!

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.