The OISF’s Suricata development team is proud to announce Suricata 5.0.0. This release brings many new features and improvements.
RDP, SNMP, FTP and SIP
Three new protocol parsers and loggers, all community contributions. Zach Kelly created a Rust RDP parser, while Giuseppe Longo created SIP support. Rust master Pierre Chifflier contributed SNMP support. Since RDP and SIP were merged late in our development cycle they are disabled by default in the configuration. For FTP we have added an EVE logging facility.
JA3S
After contributing JA3 support in Suricata 4.1, Mats Klepsland has been working on JA3S support. JA3S is now available to the rule language and in the TLS logging output.
Datasets
Still experimental at this time, the initial work to support datasets is part of this release. It allows matching on large amounts of data. It is controlled from the rule language and will work with any ‘sticky buffer’.
See documentation at https://suricata.readthedocs.io/en/suricata-5.0.0/rules/datasets.html
We’ve already heard of people using this with millions of IOCs.
Documentation
With the help of many community members we’ve been improving the user documentation. Please see: https://suricata.readthedocs.io/en/suricata-5.0.0/
HTTP evader
We’ve been working hard to cover the final set of HTTP evader cases. This work has mostly gone into the bundled libhtp 0.5.31.
Rust
The most visible is that our Rust support is no longer optional. We’re convinced that Rust is a perfect match for Suricata, and we plan to increase its footprint in our code base steadily. By making it mandatory we’re able to remove parallel implementations and focus fully on making the Rust code better.
Protocol Detection
The protocol detection engine has been extended to provide better accuracy as well as support for dealing with asynchronous flows. These async flows are sometimes picked up in the wrong direction and the protocol detection engine can now reverse them.
Decoder Anomaly records in EVE
A new log record type has been added: ‘anomaly’. This logs the stream and decoder events that are set by the packet decoders. This is inspired by Zeeks (Bro) ‘weird’ log.
EVE improvements
VLAN and capture interface is now part of many more EVE records, even if they are flow records or records based on flow time out.
An option to log all HTTP headers to the EVE http records has been added.
Packet Capture
Eric Leblond has been working hard to getting hardware offload support working for eBPF. On Netronome cards the eBPF based flow bypass can now be offloaded to the NIC. As eBPF is becoming a standard in the Linux space, we are hoping to see other hardware offload soon as well.
Netmap support has been rewritten so the more advanced features of netmap, such as vale switches, can be used now.
Napatech usability has been improved.
Rule language: Sticky Buffers
As discussed at the Suricon 2018 brainstorm session, a new rule keyword scheme is being introduced. It takes the existing ‘sticky buffer’ approach with new keyword names to avoid confusion. The new scheme is <proto>.<buffer>, so for example ‘http.uri’ for the URI inspection.
A number of HTTP keywords have been added.
Unified Lua inspection mixed with the sticky buffers has also been implemented.
Python 3
With Python 2’s EOL approaching, we’ve made sure that all Suricata’s python code is Python 3 compliant.
Removals
Following our deprecation policy, we have removed the following parts: the plain text dns.log, the old files-json.log and support for the Tilera architecture.
https://suricata-ids.org/about/deprecation-policy/