This release brings significant improvements on the performance side:
- Hyperscan integration for Multi Pattern Matcher and Single Pattern Matcher. If installed, Hyperscan is now the default.
- Rewrite of the detection engine, simplifying rule grouping. This improves performance, while reducing memory usage and start up time in many scenarios.
Packet capture got a lot of attention:
- AF_PACKET support for tpacket-v3 (experimental)
- NETMAP usability improvements, especially on FreeBSD
- Reorganised default configuration layout provides for intuitive and easy set up.
This release also comes with libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.
A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.
Other than that, lots of clean ups and optimizations:
- locking has been much simplified
- TCP and IPv6 decoder optimizations
- unittest clean ups
- AFL fuzz testing options were added
Have a look at the full change log
Changes since 3.1RC1
- AF_PACKETv2 is the default as v3 is still experimental
- NFQ runmode workers was fixed
Get the release here:
Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan
Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich
Known issues & missing features
In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on. See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.
Join us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/
Training & Support
Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see http://suricata-ids.org/training/
For support options also see http://suricata-ids.org/support/
Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.