We’re happy to present the first beta in the upcoming Suricata 5.0 series. In 5.0 we’re making a couple of large changes.
The most visible is that our Rust support is no longer optional. We’re convinced that Rust is a perfect match for Suricata, and we plan to increase its footprint in our code base steadily. By making it mandatory we’re able to remove parallel implementations and focus fully on making the Rust code better.
The protocol detection engine has been extended to provide better accuracy as well as support for dealing with asynchronous flows. These async flows are sometimes picked up in the wrong direction and the protocol detection engine can now reverse them.
Decoder Anomaly records in EVE
A new log record type has been added: ‘anomaly’. It logs the stream and decoder events that are set by the packet decoders. This is inspired by Zeek’s (Bro) ‘weird’ log.
VLAN and capture interface are now part of many more EVE records, including flow records and records emitted on flow timeout.
An option to log all HTTP headers to the EVE http records has been added.
Netmap support has been rewritten so that the more advanced features of netmap, such as VALE switches, can now be used.
Napatech usability has been improved.
Rule language: Sticky Buffers (in progress)
As discussed at the Suricon 2018 brainstorm session, a new rule keyword scheme is being introduced. It keeps the existing ‘sticky buffer’ approach but uses new keyword names to avoid confusion. The new scheme is <proto>.<buffer>, so for example ‘http.uri’ for URI inspection.
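As an added illustration (not part of the original announcement), here is the same HTTP URI check written in the legacy modifier style and in the new sticky-buffer style, followed by a rule that switches between several buffers. The rule text, sids and the paths and user agent matched are constructed for the example.

```suricata
# Legacy modifier form (still accepted): the content is declared first and the
# buffer is named afterwards with http_uri.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE legacy modifier form"; flow:established,to_server; content:"/backup.zip"; http_uri; classtype:policy-violation; sid:1000001; rev:1;)

# Same detection in the 5.0 sticky-buffer form: http.uri selects the buffer, and
# every content keyword that follows applies to it until another buffer keyword appears.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE sticky buffer form"; flow:established,to_server; http.uri; content:"/backup.zip"; classtype:policy-violation; sid:1000002; rev:1;)

# Several buffers in one rule: each <proto>.<buffer> keyword switches the target,
# so method, URI and User-Agent are each matched against their own buffer.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE multiple sticky buffers"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload"; startswith; http.user_agent; content:"curl/"; startswith; classtype:policy-violation; sid:1000003; rev:1;)
```

The two forms match the same traffic; the sticky-buffer form reads in evaluation order, which matters once a rule inspects more than one buffer.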
A number of HTTP keywords have been added.
Unified Lua inspection mixed with the sticky buffers has also been implemented.
With Python 2’s EOL approaching, we’ve made sure that all Suricata’s python code is Python 3 compliant.
Following our deprecation policy, we have removed the following parts: the plain text dns.log, the old files-json.log and support for the Tilera architecture.
Many more things
We’re planning the first release candidate in about a month, with the final release about a month after that, so in early July.
If you’re interested in helping out, we’d be happy to accept patches, documentation, test reports and other kinds of feedback.