Suricata 6.0.0 Released

Posted on | by inliniac

We are proud to announce Suricata 6.0. This major new release is the result of a year of work by the OISF development team and the Suricata community.

During this development cycle, the focus has been on:

  • stability and robustness
  • performance
  • support for new protocols like HTTP/2, MQTT and RFB
  • improvements to existing protocols DCERPC, SSH
  • extendibility
  • improvements to detection capabilities

Get the release here:
https://www.openinfosecfoundation.org/downloads/suricata-6.0.0.tar.gz

This release comes with libhtp 0.5.35 and Suricata-Update 1.2.0

Power of the community

A lot of the features and improvements have been made by community members:

  • MQTT (Sascha Steinbiss)
  • RFB (Frank Honza)
  • HASSH (Vadym Malakhatko)
  • ASN.1 Rust (Pierre Chifflier and Emmanuel Thompson)
  • cbindgen (Danny Browning)
  • nom 5 conversion (Pierre Chifflier)
  • Napatech bypass support (Phil Young)
  • MAC address logging in EVE (Sascha Steinbiss)
  • Geneve decoder (Ali Jad Khalil)
  • more detailed DNS logging (Simon Dugas)

List of git committers: Pierre Chifflier, Sascha Steinbiss, Emmanuel Thompson, Todd Mortimer, Vadym Malakhatko, Phil Young, Roland Fischer, Simon Dugas, Jason Taylor, Ali Jad Khalil, James Dutrisac, Joshua Lumb, Zach Kelly, Angelo Mirabella, Antti Tönkyrä, Carl Smith, Danny Browning,
Frank Honza, Giuseppe Longo, Ilya Bakhtin, Odin Jenseg, Stephen Donnelly,
Timo Sigurdsson, Tristan Fletcher, William Stearns, Xiaofan Wang,
Zackeus Bengtsson

Other contributors we’d like to especially thank: David Beckett for HTTP/2 testing and pcaps; Bastien Delvalle and Louis Jacotot (Telecom Nancy) for SMB evasion research and testcases.

Notable Optimizations

  • faster EVE log generation using our own Rust language JSON string builder
  • much better EVE log scaling by allowing a log file per thread
  • flow engine improvments – esp when under resource constraints

Securing Suricata

  • ASN1 handling is now entirely done in Rust code
  • DCERPC, SSH have been reimplemented in Rust
  • new protocols have been implemented in Rust
  • many fixes as a result of OSS-Fuzz testing

Rule language

  • from_end support for byte_jump keyword
  • bitmask support for byte_test keyword
  • byte_math support
  • flowbit OR support
  • pcrexform keyword: use pcre with substring capture as a transform
  • urldecode transform was added

For developers

  • Use cbindgen to create Rust-C bindings (Danny Browning)
  • initial plugin support
  • libfuzzer (OSS-Fuzz) support
  • clang-format support (Roland Fischer)

Removals

  • unified2 has been removed
  • filestore v1 has support has been removed
  • drop log

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.