We’re happy to announce Suricata 6.0.0 beta 1. This is a test version for a new major feature release of Suricata.
This version was originally planned as a release candidate, but we wanted to get a few more interesting things in that are still a bit rough around the edges. The plan is now to release 6.0RC1 in early September, followed by the final release in late September.
We hope some of you will take this beta, test it in your environment and report any issues to us.
Get the release here:
https://www.openinfosecfoundation.org/downloads/suricata-6.0.0-beta1.tar.gz
Major changes
– initial HTTP/2 support
– DCERPC logging
– much improved EVE logging performance
– RFB and MQTT protocol support, including detection and logging
– HASSH support
– conditional logging
Power of the community
Several features and improvements have been made by community members:
– MQTT (Sascha Steinbiss)
– RFB (Frank Honza)
– HASSH (Vadym Malakhatko)
– ASN.1 Rust (Pierre Chifflier and Emmanuel Thompson)
– cbindgen (Danny Browning)
– nom 5 conversion (Pierre Chifflier)
– Napatech bypass support (Phil Young)
– MAC address logging in EVE (Sascha Steinbiss)
List of git committers:
Pierre Chifflier, Sascha Steinbiss, Emmanuel Thompson, Todd Mortimer,
Phil Young, Vadym Malakhatko, Jason Taylor, James Dutrisac, Zach Kelly,
Joshua Lumb, Angelo Mirabella, Antti Tönkyrä, Danny Browning,
Frank Honza, Giuseppe Longo, Roland Fischer, Stephen Donnelly,
Timo Sigurdsson, Tristan Fletcher, William Stearns, Xiaofan Wang,
Zackeus Bengtsson
Notable Optimizations
– faster EVE log generation using our own Rust language JSON string builder
– much better EVE log scaling by allowing a log file per thread
– flow engine improvements, especially when under resource constraints
Removals
– unified2 has been removed
– filestore v1 support has been removed
– the drop log has been removed
Securing Suricata
– ASN.1 handling is now entirely done in Rust code
– DCERPC and SSH have been reimplemented in Rust
– new protocols have been implemented in Rust
Rule language
– from_end support for byte_jump keyword
– bitmask support for byte_test keyword
– byte_math support
– flowbit OR support
– pcrexform keyword: use pcre with substring capture as a transform
– urldecode transform was added
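As an added example that is not part of this announcement or the project's own rule set, the constructed rules file below exercises several of the 6.0 rule-language additions listed above (byte_test bitmask, byte_math, flowbits OR, urldecode, pcrexform). The sids, flowbit names, port 4444 and the small binary wire format in the last rule are invented for illustration. Keyword syntax follows the Suricata 6 rule documentation; validate the file with `suricata -T -S <file>` before loading it.

```suricata
# Constructed example rules for Suricata 6.0 (not from the announcement).
# Check with: suricata -T -c /etc/suricata/suricata.yaml -S suricata6-examples.rules

# 1) byte_test bitmask: compare a masked field for equality rather than only testing
#    "any bit set" with the & operator. Byte 3 of the DNS header holds RCODE in its
#    low 4 bits; mask 0x0f isolates it. UDP keeps the payload offset fixed (TCP DNS
#    carries a 2-byte length prefix).
alert udp any 53 -> any any (msg:"CONSTRUCTED DNS NXDOMAIN response"; byte_test:1,=,3,3,bitmask 0x0f; sid:9000001; rev:1;)

# 2) flowbits OR: two stage rules each set a bit; one follow-up rule fires if either bit
#    is set on the flow, instead of needing two near-duplicate rules.
alert tcp any any -> any any (msg:"CONSTRUCTED stage A marker"; flow:established,to_server; content:"STAGE-A"; flowbits:set,stage_a; flowbits:noalert; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"CONSTRUCTED stage B marker"; flow:established,to_server; content:"STAGE-B"; flowbits:set,stage_b; flowbits:noalert; sid:9000003; rev:1;)
alert tcp any any -> any any (msg:"CONSTRUCTED follow-up after stage A or B"; flow:established,to_server; content:"FOLLOWUP"; flowbits:isset,stage_a|stage_b; sid:9000004; rev:1;)

# 3) urldecode transform: the HTTP parser already percent-decodes http.uri once; applying
#    urldecode on top exposes double-encoded sequences (e.g. %252e%252e%252f) that a
#    single decode leaves as %2e%2e%2f, so plain and double-encoded traversal match alike.
alert http any any -> any any (msg:"CONSTRUCTED traversal in (double) decoded URI"; flow:established,to_server; http.uri; urldecode; content:"../"; sid:9000005; rev:1;)

# 4) pcrexform: run a pcre with one capture group over a buffer and match the following
#    content against the captured substring only (here: the path part of the request line).
alert http any any -> any any (msg:"CONSTRUCTED admin path in request line"; flow:established,to_server; http.request_line; pcrexform:"^[A-Z]+\s+(\S+)\s+HTTP"; content:"/admin/"; startswith; sid:9000006; rev:1;)

# 5) byte_math: derive a value from one field and compare another field against it.
#    Invented wire format on port 4444: byte 0 = record count, byte 1 = declared body
#    length, records are 4 bytes each. A mismatch flags a malformed or crafted frame.
alert tcp any any -> any 4444 (msg:"CONSTRUCTED length field disagrees with record count"; flow:established,to_server; dsize:>1; byte_math:bytes 1, offset 0, oper *, rvalue 4, result expected_len; byte_test:1,!=,expected_len,1; sid:9000007; rev:1;)
```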
For developers
– Use cbindgen to create Rust-C bindings (Danny Browning)
– initial plugin support
– libfuzzer (oss-fuzz) support
Forums
Join our new Forum at https://forum.suricata.io/
About Suricata
Suricata is a high-performance network threat detection, IDS, IPS and network security monitoring engine. It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.