In the default configuration Suricata-Update will download the ET Open ruleset. In the Suricata 5.0 optimized version, JA3 rules are added and enabled by default. See below for instructions on how to disable these rules with Suricata-Update.
The new default configuration has a number of extra EVE loggers enabled by default: the ‘anomaly’ logger and loggers for the snmp and ftp protocols. In 4.1 Rust was optional; in 5.0 it is required. This means that loggers for smb, nfs, tftp, ikev2 and krb5 are now also enabled by default. As a result, logging volume may be higher than expected. Logging for these protocols can be enabled or disabled in the eve-log section of suricata.yaml.
When using Suricata with ET (Open or Pro) rules managed by Suricata-Update, the ruleset will automatically switch to the 5.0 version of the ruleset. This has a number of consequences.
- The ET 5.0 ruleset uses a different classification scheme. Suricata 5.0 will issue warnings if rules use an unknown classtype. Update your classification.config from the one Suricata 5.0 ships or from the ET ruleset version to suppress these warnings.
- If JA3 is enabled in the Suricata configuration (or not specified), the ET5 JA3 rules will be enabled by Suricata-Update. These rules have been quite noisy in the past. If they are alerting too frequently, the rules can be disabled in Suricata-Update.
Read more about upgrading at https://suricata.readthedocs.io/en/latest/upgrade.html
Telling Suricata-Update to disable JA3 rules
- By filename. If all the JA3 rules are in a specific file, as is the case in ET Open and ET Pro, you can use Suricata-Update to disable all rules in that file. In /etc/suricata/disable.conf add the line: filename: rules/emerging-ja3.rules
- By regular expression. As all the JA3 rules we see in the ET Open and Pro rulesets use the ja3_hash keyword, we can disable JA3 rules with a regular expression that looks for the ja3_hash keyword. This has the benefit of matching across all filenames. In your /etc/suricata/disable.conf, add the line: re: ja3_hash;
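To preview which rules a disable.conf entry would turn off before running Suricata-Update, here is an added example (not suricata-update's own code) that applies the two entry types above to a constructed pair of rule files. It assumes shell-style filename matching and a plain regex search over the rule text, a simplification of the real matching.

```python
import fnmatch
import re

# Constructed sample rule files (not a real ET ruleset): path -> rule lines.
RULE_FILES = {
    "rules/emerging-ja3.rules": [
        'alert tls any any -> any any (msg:"JA3 sample A"; ja3_hash; content:"aaaa"; classtype:bad-unknown; sid:1; rev:1;)',
        'alert tls any any -> any any (msg:"JA3 sample B"; ja3_hash; content:"bbbb"; classtype:bad-unknown; sid:2; rev:1;)',
    ],
    "rules/emerging-malware.rules": [
        'alert tls any any -> any any (msg:"sample C with JA3"; ja3_hash; content:"cccc"; classtype:trojan-activity; sid:3; rev:1;)',
        'alert http any any -> any any (msg:"sample D"; content:"GET"; classtype:trojan-activity; sid:4; rev:1;)',
    ],
}


def parse_disable_conf(text):
    """Parse the subset of disable.conf used on this page: 'filename:' and 're:' lines."""
    filename_patterns, regexes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "filename":
            filename_patterns.append(value)
        elif key == "re":
            regexes.append(re.compile(value))
    return filename_patterns, regexes


def sid_of(rule):
    """Extract the numeric sid from a rule line, or None if absent."""
    m = re.search(r"\bsid:\s*(\d+)\s*;", rule)
    return int(m.group(1)) if m else None


def preview_disabled(rule_files, disable_conf):
    """Return {sid: reason} for every rule the given disable.conf text would turn off."""
    filename_patterns, regexes = parse_disable_conf(disable_conf)
    disabled = {}
    for path, rules in rule_files.items():
        for rule in rules:
            sid = sid_of(rule)
            if any(fnmatch.fnmatch(path, p) for p in filename_patterns):
                disabled[sid] = "filename"   # whole file matched
            elif any(r.search(rule) for r in regexes):
                disabled[sid] = "re"         # rule text matched, any file
    return disabled


if __name__ == "__main__":
    for conf in ("filename: rules/emerging-ja3.rules", "re: ja3_hash;"):
        print(conf, "->", preview_disabled(RULE_FILES, conf))
```

The filename entry only catches sids 1 and 2, while the ja3_hash regex also catches sid 3 in the other file, which is the cross-file benefit described above.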
EVE DNS Logging
Suricata 5.0 will default to the version 2 style of DNS logging in EVE if a version is not provided in the configuration. This is something to note if you are upgrading from 4.0, or 4.1 without Rust, as your EVE DNS log format will change. To continue using the version 1 format, you must update your configuration to include “version: 1”. See the documentation at https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format for more information. However, we recommend moving to the version 2 style output, as it is more compact, and where enhancements to DNS logging will occur.
To see what issues are already reported, see https://redmine.openinfosecfoundation.org/versions/138. If you run into an issue that isn’t listed, please open a new ticket.