Suricata Changelog

New in Suricata 5.0.1 (Dec 19, 2019)

  • Bug #1871: intermittent abort()s at shutdown and in unix-socket
  • Bug #2810: enabling add request/response http headers in master
  • Bug #3047: byte_extract does not work in some situations
  • Bug #3073: AC_CHECK_FILE on cross compile
  • Bug #3103: --engine-analysis warning for flow on an icmp request rule
  • Bug #3120: nfq_handle_packet error -1 Resource temporarily unavailable warnings
  • Bug #3237: http_accept not treated as sticky buffer by --engine-analysis
  • Bug #3254: tcp: empty SACK option leads to decoder event
  • Bug #3263: nfq: invalid number of bytes reported
  • Bug #3264: EVE DNS Warning about defaulting to v2 as version is not set.
  • Bug #3266: fast-log: icmp type prints wrong value
  • Bug #3267: Support for tcp.hdr Behavior
  • Bug #3275: address parsing: memory leak in error path
  • Bug #3277: segfault when test a nfs pcap file
  • Bug #3281: Impossible to cross-compile due to AC_CHECK_FILE
  • Bug #3284: hash function for string in dataset is not correct
  • Bug #3286: TCP evasion technique by faking a closed TCP session
  • Bug #3324: TCP evasion technique by overlapping a TCP segment with a fake packet
  • Bug #3328: bad ip option evasion
  • Bug #3340: DNS: DNS over TCP transactions logged with wrong direction.
  • Bug #3341: tcp.hdr content matches don’t work as expected
  • Bug #3345: App-Layer: Not all parsers register TX detect flags that should
  • Bug #3346: BPF filter on command line not honored for pcap file
  • Bug #3362: cross compiling not affecting rust component of Suricata
  • Bug #3376: http: pipelining tx id handling broken
  • Bug #3386: Suricata is unable to get MTU from NIC after 4.1.0
  • Bug #3389: EXTERNAL_NET no longer working in 5.0 as expected
  • Bug #3390: Eve log does not generate pcap_filename when interacting via unix socket in pcap processing mode
  • Bug #3397: smtp: file tracking issues when more than one attachment in a tx
  • Bug #3398: smtp: ‘raw-message’ option file tracking issues with multi-tx
  • Bug #3399: smb: post-GAP some transactions never close
  • Bug #3401: smb1: ‘event only’ transactions for bad requests never close
  • Bug #3411: detect/asn1: crashes on packets smaller than offset setting
  • Task #3364: configure: Rust 1.37+ has cargo-vendor support bundled into cargo.
  • Documentation #2885: update documentation to indicate -i can be used multiple times
  • Bundle Suricata-Update 1.1.1
  • Bundle Libhtp 0.5.32

New in Suricata 5.0.0 (Oct 23, 2019)

  • RDP, SNMP, FTP and SIP:
  • Three new protocol parsers and loggers, all community contributions. Zach Kelly created a Rust RDP parser, while Giuseppe Longo created SIP support. Rust master Pierre Chifflier contributed SNMP support. Since RDP and SIP were merged late in our development cycle they are disabled by default in the configuration. For FTP we have added an EVE logging facility.
  • JA3S:
  • After contributing JA3 support in Suricata 4.1, Mats Klepsland has been working on JA3S support. JA3S is now available to the rule language and in the TLS logging output.
  • Datasets:
  • Still experimental at this time, the initial work to support datasets is part of this release. It allows matching on large amounts of data. It is controlled from the rule language and will work with any ‘sticky buffer’.
  • See documentation at https://suricata.readthedocs.io/en/suricata-5.0.0/rules/datasets.html
  • We’ve already heard of people using this with millions of IOCs.
  • Documentation:
  • With the help of many community members we’ve been improving the user documentation. Please see: https://suricata.readthedocs.io/en/suricata-5.0.0/
  • HTTP evader:
  • We’ve been working hard to cover the final set of HTTP evader cases. This work has mostly gone into the bundled libhtp 0.5.31.
  • Rust:
  • The most visible change is that our Rust support is no longer optional. We’re convinced that Rust is a perfect match for Suricata, and we plan to increase its footprint in our code base steadily. By making it mandatory we’re able to remove parallel implementations and focus fully on making the Rust code better.
  • Protocol Detection:
  • The protocol detection engine has been extended to provide better accuracy as well as support for dealing with asynchronous flows. These async flows are sometimes picked up in the wrong direction and the protocol detection engine can now reverse them.
  • Decoder Anomaly records in EVE:
  • A new log record type has been added: ‘anomaly’. This logs the stream and decoder events that are set by the packet decoders. This is inspired by Zeek’s (Bro) ‘weird’ log.
  • EVE improvements:
  • VLAN and capture interface are now part of many more EVE records, including flow records and records generated on flow timeout.
  • An option to log all HTTP headers to the EVE http records has been added.
  • Packet Capture:
  • Eric Leblond has been working hard on getting hardware offload support working for eBPF. On Netronome cards the eBPF based flow bypass can now be offloaded to the NIC. As eBPF is becoming a standard in the Linux space, we are hoping to see other hardware offload soon as well.
  • Netmap support has been rewritten so the more advanced features of netmap, such as vale switches, can be used now.
  • Napatech usability has been improved.
  • Rule language: Sticky Buffers:
  • As discussed at the Suricon 2018 brainstorm session, a new rule keyword scheme is being introduced. It takes the existing ‘sticky buffer’ approach with new keyword names to avoid confusion. The new scheme is <proto>.<buffer>, so for example ‘http.uri’ for the URI inspection.
  • A number of HTTP keywords have been added.
  • Unified Lua inspection mixed with the sticky buffers has also been implemented.
  • Python 3:
  • With Python 2’s EOL approaching, we’ve made sure that all Suricata’s python code is Python 3 compliant.
  • Removals:
  • Following our deprecation policy, we have removed the following parts: the plain text dns.log, the old files-json.log and support for the Tilera architecture.
  • https://suricata-ids.org/about/deprecation-policy/
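The Datasets entry and the new <proto>.<buffer> sticky buffer scheme above are easiest to see together. What follows is an added example, not code from the Suricata project or from this page: it normalises a constructed list of hostname IOCs, writes them as a ‘type string’ dataset file, and emits a rule that checks the http.host sticky buffer against that file with dataset:isset. Assumptions, labelled in the code as well: string datasets are stored one base64-encoded value per line, as the 5.0.0 datasets documentation linked above describes; the dataset name, file path and sid are placeholders; and the http.host buffer is lowercased by Suricata, so the IOCs are lowercased before encoding or isset would never match.

```python
"""Prepare a Suricata 5.0 'type string' dataset and a matching rule.

Added example, not Suricata project code.  Assumptions:
  - a string dataset file holds one base64-encoded value per line
    (per the 5.0.0 datasets documentation; verify against your version),
  - the http.host buffer is lowercase-normalised, so IOCs are lowercased,
  - dataset name, file path and sid below are placeholders.
"""
import base64
import os
import tempfile

# Constructed sample IOCs (not from the page): mixed case, a duplicate and an
# empty entry on purpose, to exercise the normalisation step.
SAMPLE_IOCS = ["evil.example.com", "Evil.Example.COM", "c2.example.net", ""]


def normalise(values):
    """Lowercase, strip and de-duplicate hostnames, preserving first-seen order."""
    seen = set()
    out = []
    for v in values:
        v = v.strip().lower()
        if v and v not in seen:
            seen.add(v)
            out.append(v)
    return out


def encode_dataset_lines(values):
    """On-disk form of a 'type string' dataset: one base64 line per value (assumption)."""
    return [base64.b64encode(v.encode("utf-8")).decode("ascii") for v in normalise(values)]


def decode_dataset_lines(lines):
    """Inverse of encode_dataset_lines: the set of strings isset would match against."""
    return {base64.b64decode(line.strip()).decode("utf-8") for line in lines if line.strip()}


def write_string_dataset(path, values):
    """Write the dataset file; returns the number of unique values written."""
    lines = encode_dataset_lines(values)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


def load_string_dataset(path):
    """Read a dataset file back, as a check that the file round-trips."""
    with open(path, encoding="ascii") as fh:
        return decode_dataset_lines(fh)


def dataset_rule(sid, name, path, buffer="http.host"):
    """Rule using the 5.0 <proto>.<buffer> sticky buffer followed by dataset:isset."""
    return (
        f'alert http any any -> any any (msg:"Host in {name} dataset"; '
        f"{buffer}; dataset:isset,{name},type string,load {path}; "
        f"sid:{sid}; rev:1;)"
    )


def demo(directory):
    """Write bad-hosts.lst into `directory` and return (count, hosts, rule)."""
    path = os.path.join(directory, "bad-hosts.lst")  # placeholder location
    count = write_string_dataset(path, SAMPLE_IOCS)
    return count, load_string_dataset(path), dataset_rule(1000001, "bad-hosts", path)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        count, hosts, rule = demo(d)
        print(count, sorted(hosts))
        print(rule)
```

Running it writes bad-hosts.lst into a temporary directory and prints the rule that references it; in a real deployment point `load` at a path Suricata can read and keep the name unique per dataset. The de-duplication matters at the scale the entry mentions: a dataset with millions of IOCs is held in memory, so duplicates and case variants only cost memory without adding matches.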

New in Suricata 4.1.5 (Sep 27, 2019)

  • Feature #3068: protocol parser: vxlan (4.1.x)
  • Bug #2841: False positive alerts firing after upgrade suricata 3.0 -> 4.1.0 (4.1.x)
  • Bug #2966: filestore (v1 and v2): dropping of “unwanted” files (4.1.x)
  • Bug #3008: rust: updated libc crate causes deprecation warnings (4.1.x)
  • Bug #3044: tftp: missing logs because of broken tx handling (4.1.x)
  • Bug #3067: GeoIP keyword depends on now discontinued legacy GeoIP database (4.1.x)
  • Bug #3094: Fedora rawhide af-packet compilation err (4.1.x)
  • Bug #3123: bypass keyword: Suricata 4.1.x Segmentation Faults (4.1.x)
  • Bug #3129: Fixes warning about size of integers in string formats (4.1.x)
  • Bug #3159: SC_ERR_PCAP_DISPATCH with message “error code -2” upon rule reload completion (4.1.x)
  • Bug #3164: Suricata 4.1.4: NSS Shutdown triggers crashes in test mode
  • Bug #3168: tls: out of bounds read
  • Bug #3170: defrag: out of bounds read
  • Bug #3173: ipv4: ts field decoding oob read
  • Bug #3175: File_data inspection depth while inspecting base64 decoded data (4.1.x)
  • Bug #3184: decode/der: crafted input can lead to resource starvation
  • Bug #3186: Multiple Content-Length headers causes HTP_STREAM_ERROR (4.1.x)
  • Bug #3187: GET/POST HTTP-request with no Content-Length, http_client_body miss (4.1.x)

New in Suricata 4.1.4 (May 5, 2019)

  • Bug #2870: pcap logging with lz4 coverity warning
  • Bug #2883: ssh: heap buffer overflow
  • Bug #2884: mpls: heapbuffer overflow in file decode-mpls.c
  • Bug #2887: decode-ethernet: heapbuffer overflow in file decode-ethernet.c
  • Bug #2888: 4.1.3 core in HCBDCreateSpace
  • Bug #2894: smb 1 create andx request does not parse the filename correctly
  • Bug #2902: rust/dhcp: panic in dhcp parser
  • Bug #2903: mpls: cast of misaligned data leads to undefined behavior
  • Bug #2904: rust/ftp: panic in ftp parser
  • Bug #2943: rust/nfs: integer underflow
  • This release includes Suricata-Update 1.0.5

New in Suricata 4.1.1 (Dec 18, 2018)

  • New features:
  • #2637: af-packet: improve error output for BPF loading failure
  • #2671: Add Log level to suricata.log when using JSON type
  • Bundled Suricata-Update was updated to 1.0.1
  • Bugs fixed:
  • #2502: suricata.c ConfigGetCaptureValue – PCAP/AFP fallthrough to strip_trailing_plus
  • #2528: krb parser not always parsing tgs responses
  • #2633: Improve errors handling in AF_PACKET
  • #2653: llc detection failure in configure.ac
  • #2677: coverity: ja3 potential memory leak
  • #2679: build with profiling enabled on generates compile warnings
  • #2704: DNSv1 for Rust enabled builds.
  • #2705: configure: Test for PyYAML and disable suricata-update if not installed.
  • #2716: Stats interval are 1 second too early each tick
  • #2717: nfs related panic in 4.1
  • #2719: Failed Assertion, Suricata Abort – util-mpm-hs.c line 163 (4.1.x)
  • #2723: dns v2 json output should always set top-level rrtype in responses
  • #2730: rust/dns/lua – The Lua calls for DNS values when using Rust don’t behave the same as the C implementation.
  • #2731: multiple instances of transaction loggers are broken
  • #2734: unix runmode deadlock when using too many threads

New in Suricata 4.1.0 (Nov 8, 2018)

  • Protocol updates:
  • SMBv1/2/3 parsing, logging, file extraction
  • TLS 1.3 parsing and logging (Mats Klepsland)
  • JA3 TLS client fingerprinting (Mats Klepsland)
  • TFTP: basic logging (Pascal Delalande and Clément Galland)
  • FTP: file extraction
  • Kerberos parser and logger (Pierre Chifflier)
  • IKEv2 parser and logger (Pierre Chifflier)
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • HTTP: handle sessions that only have a response, or start with a response
  • HTTP Flash file decompression support (Giuseppe Longo)
  • Output and logging:
  • File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
  • Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
  • Eve: new more compact DNS record format (Giuseppe Longo)
  • Pcap directory mode: process all pcaps in a directory (Danny Browning)
  • Compressed PCAP logging (Max Fillinger)
  • Expanded XFF support (Maurizio Abba)
  • Community Flow Id support (common ID between Suricata and Bro/Zeek)
  • Packet Capture:
  • AF_PACKET XDP and eBPF support for high speed packet capture
  • Windows IPS: WinDivert support (Jacob Masen-Smith)
  • PF_RING: usability improvements
  • Misc:
  • Windows: MinGW is now supported
  • Detect: transformation keyword support
  • Bundled Suricata-Update
  • Per device multi-tenancy
  • Minor Changes since 4.1rc2
  • Coverity fixes and annotations
  • Update Suricata-Update to 1.0.0
  • Security:
  • SMTP crash issue was fixed: CVE-2018-18956
  • Robustness of defrag against FragmentSmack was improved
  • Robustness of TCP reassembly against SegmentSmack was improved

New in Suricata 4.0.5 (Jul 19, 2018)

  • Security:
  • CVE-2018-10242, CVE-2018-10244 (suricata)
  • CVE-2018-10243 (libhtp)
  • Changes:
  • Bug #2480: http eve log data source/dest flip (4.0.x)
  • Bug #2482: HTTP connect: difference in detection rates between 3.1 and 4.0.x
  • Bug #2531: yaml: ConfYamlHandleInclude memleak (4.0.x)
  • Bug #2532: memleak: when using app-layer event rules without rust
  • Bug #2533: Suricata gzip unpacker bypass (4.0.x)
  • Bug #2534: Suricata stops inspecting TCP stream if a TCP RST was met (4.0.x)
  • Bug #2535: Messages with SC_LOG_CONFIG level are logged to syslog with EMERG priority (4.0.x)
  • Bug #2537: libhtp 0.5.27 (4.0.x)
  • Bug #2540: getrandom prevents any suricata start commands on newer OSes (4.0.x)
  • Bug #2544: ssh out of bounds read (4.0.x)
  • Bug #2545: enip out of bounds read (4.0.x)

New in Suricata 4.0.4 (Feb 19, 2018)

  • Security:
  • CVE-2018-6794 was requested for issue #2440
  • Changes:
  • Bug #2306: suricata 4 deadlocks during failed output log reopening
  • Bug #2361: rule reload hangup
  • Bug #2389: BUG_ON asserts in AppLayerIncFlowCounter (4.0.x)
  • Bug #2392: libhtp 0.5.26 (4.0.x)
  • Bug #2422: [4.0.3] af_packet: a leak that (possibly) breaks an inline channel
  • Bug #2438: various config parsing issues
  • Bug #2439: Fix timestamp offline when pcap timestamp is zero (4.0.x)
  • Bug #2440: stream engine bypass issue (4.0.x)
  • Bug #2441: der parser: bad input consumes cpu and memory (4.0.x)
  • Bug #2443: DNP3 memcpy buffer overflow (4.0.x)
  • Bug #2444: rust/dns: Core Dump with malformed traffic (4.0.x)
  • Bug #2445: http bodies / file_data: thread space creation writing out of bounds

New in Suricata 4.0.2 (Dec 27, 2017)

  • Feature #2245: decoder for ieee802.1AH traffic
  • Bug #798: stats.log in yaml config – append option – missing
  • Bug #891: detect-engine.profile does not err out in incorrect values – suricata.yaml
  • Bug #961: max pending packets variable parsing
  • Bug #1185: napatech: cppcheck warning
  • Bug #2215: Lost events writing to unix socket
  • Bug #2230: valgrind memcheck – 4.0.0-dev (rev 1180687)
  • Bug #2250: detect: mixing byte_extract and isdataat leads to FP & FN
  • Bug #2263: content matches disregarded when using dns_query on udp traffic
  • Bug #2274: ParseSizeString in util-misc.c: Null-pointer dereference
  • Bug #2275: ConfGetInt in conf.c: NULL-pointer dereference
  • Bug #2276: conf: NULL-pointer dereference in CoredumpLoadConfig
  • Bug #2293: rules: depth < content rules not rejected
  • Bug #2324: segfault in http_start (4.0.x)
  • Bug #2325: Suricata segfaults on ICMP and flowint check (4.0.x)

New in Suricata 4.0.0 (Jul 27, 2017)

  • Improved Detection:
  • Based on valuable feedback from the rule writing teams at Emerging Threats and Positive Technologies we’ve added and improved many rule keywords for inspecting HTTP, SSH and other protocols. TLS additions were contributed by Mats Klepsland at NorCERT, including decoding, logging and matching on TLS serial numbers. Additionally, Suricata now allows rule writers to specify who’s the target in a signature. This information is used in EVE JSON logging to give more context with alerts.
  • TLS improved, NFS added:
  • More on the TLS side: A major new feature is support for STARTTLS in SMTP and FTP. TLS sessions will now be logged in these cases. More goodness from Mats Klepsland. Also, TLS session resumption logging is now supported thanks to the work of Ray Ruvinskiy. Additional TLS logging improvements were done by Paulo Pacheco.
  • NFS decoding, logging and file extraction was added as part of the experimental Rust support. Read on for more information about Rust.
  • More EVE JSON:
  • EVE is extended in several ways...
  • in the case of encapsulated traffic both the inner and outer ip addresses and ports are logged
  • the ‘vars’ facility logs flowbits and other vars. This can also be used to log data extracted from traffic using a PCRE statement in rules
  • EVE can now be rotated based on time
  • EVE was extended to optionally log the HTTP request and/or response bodies
  • the (partial) flow record is added to alert records.
  • The ‘vars’ facility is one of the main improvements here, as it is now possible for a signature to accurately extract information for logging. For instance, a signature can extract an advertised software version or other information such as the recipient of an email. [https://blog.inliniac.net/2016/12/20/suricata-bits-ints-and-vars/]
  • First Step into a Safer Future:
  • This is the first release in which we’ve implemented parts in the Rust language using the Nom parser framework. This work is inspired by Pierre Chifflier’s (ANSSI) talk at SuriCon 2016. By compiling with --enable-rust you’ll get a basic NFS parser and a re-implementation of the DNS parser. Feedback on this is highly appreciated.
  • The Rust support is still experimental, as we are continuing to explore how it functions, performs and what it will take to support it in the community. Additionally we included Pierre Chifflier’s Rust parsers work. This uses external Rust parser ‘crates’ and is enabled by using --enable-rust-experimental. Initially this adds a NTP parser.
  • Under the Hood:
  • A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode. First steps in TCP GAP recovery were taken, with implementations for DNS and NFS.
  • For developers, this release makes extending the detection engine with high performance keywords a lot easier. Adding a new high performance keyword using multi pattern matching now requires only a few lines of code.
  • Documentation:
  • David Wharton at SecureWorks has created a section in the documentation for rule writers who have a background in Snort. It documents changes that are relevant for writing rules.
  • Next steps:
  • Based on the feedback we’ll get we’re expecting to do a 4.0.1 release in a month or so. Then we’ll start work on the next major release, which is 4.1. This is planned for late fall, ETA before SuriCon in Prague.

New in Suricata 3.2.1 (Feb 15, 2017)

  • Feature #1951: Allow building without libmagic/file
  • Feature #1972: SURICATA ICMPv6 unknown type 143 for MLDv2 report
  • Feature #2010: Suricata should confirm SSSE3 presence at runtime when built with Hyperscan support
  • Bug #467: compilation with unittests & debug validation
  • Bug #1780: VLAN tags not forwarded in afpacket inline mode
  • Bug #1827: Mpm AC fails to alloc memory
  • Bug #1843: Mpm Ac: int overflow during init
  • Bug #1887: pcap-log sets snaplen to -1
  • Bug #1946: can’t get response info in some situation
  • Bug #1973: suricata fails to start because of unix socket
  • Bug #1975: hostbits/xbits memory leak
  • Bug #1982: tls: invalid record event triggers on valid traffic
  • Bug #1984: http: protocol detection issue if both sides are malformed
  • Bug #1985: pcap-log: minor memory leaks
  • Bug #1987: log-pcap: pcap files created with invalid snaplen
  • Bug #1988: tls_cert_subject bug
  • Bug #1989: SMTP protocol detection is case sensitive
  • Bug #1991: Suricata cannot parse ports: “![1234, 1235]”
  • Bug #1997: tls-store: bug that cause Suricata to crash
  • Bug #2001: Handling of unsolicited DNS responses.
  • Bug #2003: BUG_ON body sometimes contains side-effectual code
  • Bug #2004: Invalid file hash computation when force-hash is used
  • Bug #2005: Incoherent sizes between request, capture and http length
  • Bug #2007: smb: protocol detection just checks toserver
  • Bug #2008: Suricata 3.2, pcap-log no longer works due to timestamp_pattern PCRE
  • Bug #2009: Suricata is unable to get offloading settings when run under non-root
  • Bug #2012: dns.log does not log unanswered queries
  • Bug #2017: EVE Log Missing Fields
  • Bug #2019: IPv4 defrag evasion issue
  • Bug #2022: dns: out of bound memory read

New in Suricata 3.2 (Dec 2, 2016)

  • Big changes:
  • bypass
  • pre-filter — fast packet keywords
  • TLS improvements
  • SCADA/ICS protocol additions: DNP3, CIP/ENIP
  • SHA1/SHA256 for file matching, logging & extraction
  • Sphinx documentation
  • Visible smaller changes:
  • NIC offloading disabled by default
  • unix command socket enabled by default
  • App Layer stats
  • Under the hood:
  • threading simplification (log api + no more thread restarts)
  • flow manager optimization
  • simplify adding keywords
  • luajit improvements wrt memory handling in large deployments

New in Suricata 3.1.2 (Sep 7, 2016)

  • Feature #1830: support ‘tag’ in eve log
  • Feature #1870: make logged flow_id more unique
  • Feature #1874: support Cisco Fabric Path / DCE
  • Feature #1885: eve: add option to log all dropped packets
  • Feature #1886: dns: output filtering
  • Bug #1849: ICMPv6 incorrect checksum alert if Ethernet FCS is present
  • Bug #1853: fix dce_stub_data buffer
  • Bug #1854: unified2: logging of tagged packets not working
  • Bug #1856: PCAP mode device not found
  • Bug #1858: Lots of TCP ‘duplicated option/DNS malformed request data’ after upgrading from 3.0.1 to 3.1.1
  • Bug #1878: dns: crash while logging sshfp records
  • Bug #1880: icmpv4 error packets can lead to missed detection in tcp/udp
  • Bug #1884: libhtp 0.5.22

New in Suricata 3.1.1 (Jul 13, 2016)

  • Feature #1775: Lua: SMTP-support
  • Bug #1419: DNS transaction handling issues
  • Bug #1515: Problem with Threshold.config when using more than one IP
  • Bug #1664: Unreplied DNS queries not logged when flow is aged out
  • Bug #1808: Can’t set thread priority after dropping privileges
  • Bug #1821: Suricata 3.1 fails to start on CentOS6
  • Bug #1839: suricata 3.1 configure.ac says >=libhtp-0.5.5, but >=libhtp-0.5.20 required
  • Bug #1840: --list-keywords and --list-app-layer-protos not working
  • Bug #1841: libhtp 0.5.21
  • Bug #1844: netmap: IPS mode doesn’t set 2nd iface in promisc mode
  • Bug #1845: Crash on disabling a app-layer protocol when it’s logger is still enabled
  • Optimization #1846: af-packet: improve thread calculation logic
  • Optimization #1847: rules: don’t warn on empty files

New in Suricata 3.1 (Jun 29, 2016)

  • This release brings significant improvements on the performance side:
  • Hyperscan integration for Multi Pattern Matcher and Single Pattern Matcher. If installed, Hyperscan is now the default.
  • Rewrite of the detection engine, simplifying rule grouping. This improves performance, while reducing memory usage and start up time in many scenarios.
  • Packet capture got a lot of attention:
  • AF_PACKET support for tpacket-v3 (experimental)
  • NETMAP usability improvements, especially on FreeBSD
  • Config:
  • The reorganised default configuration layout makes set up more intuitive.
  • This release also comes with libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.
  • A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.
  • Other than that, lots of clean ups and optimizations:
  • locking has been much simplified
  • TCP and IPv6 decoder optimizations
  • unittest clean ups
  • AFL fuzz testing options were added

New in Suricata 3.0 (Jan 28, 2016)

  • improved detection options, including multi-tenancy and xbits
  • performance and scalability much improved
  • much improved accuracy and robustness
  • Lua scripting capabilities expanded significantly
  • many output improvements, including much more JSON
  • NETMAP capture method support, especially interesting to FreeBSD users
  • SMTP inspection and file extraction

New in Suricata 2.0.11 (Dec 22, 2015)

  • Bug #1572: 2.0.8 FlowGetKey flow-hash.c:240 segmentation fault (icmp destination unreachable)
  • Bug #1637: drop log crashes
  • Bug #1639: 2.0.x: Fix non thread safeness of Prelude analyzer
  • Bug #1649: DER parsing issue
  • Bug #1651: HTTP body tracking using excessive memory
  • Bug #1652: SMTP parsing issue (2.0.x)
  • Bug #1653: DNS over TCP parsing issue (2.0.x)
  • Bug #1654: TCP reassembly bug (2.0.x)

New in Suricata 2.0.7 (Mar 1, 2015)

  • Changes:
  • Bug #1385: DCERPC traffic parsing issue
  • Bug #1391: http uri parsing issue
  • Bug #1383: tcp midstream window issue
  • Bug #1318: A thread-sync issue in streamTCP
  • Bug #1375: Regressions in list keywords option
  • Bug #1387: pcap-file hangs on systems w/o atomics support
  • Bug #1395: dump-counters unix socket command failure
  • Optimization #1376: file list is not cleaned up
  • Security:
  • The DCERPC parsing issue has CVE-2015-0928 assigned to it.

New in Suricata 2.0.6 (Jan 18, 2015)

  • Bug #1364: evasion issues
  • Bug #1337: output-json: duplicate logging
  • Bug #1325: tls detection leads to tcp stream reassembly sequence gaps (IPS)
  • Bug #1192: Suricata does not compile on OS X/Clang due to redefinition of string functions
  • Bug #1183: pcap: cppcheck warning

New in Suricata 2.0.5 (Dec 12, 2014)

  • Bug #1190: http_header keyword not matching when SYN|ACK and ACK missing
  • Bug #1246: EVE output Unix domain socket not working
  • Bug #1272: Segfault in libhtp 0.5.15
  • Bug #1298: Filestore keyword parsing issue
  • Bug #1303: improve stream ‘bad window update’ detection
  • Bug #1304: improve stream handling of bad SACK values
  • Bug #1305: fix tcp session reuse for ssh/ssl sessions
  • Bug #1307: byte_extract, within combination not working
  • Bug #1326: pcre pkt/flowvar capture broken for non-relative matches
  • Bug #1329: Invalid rule being processed and loaded
  • Bug #1330: Flow memuse bookkeeping error (2.0.x)

New in Suricata 2.0.4 (Sep 24, 2014)

  • Changes:
  • Bug #1276: ipv6 defrag issue with routing headers
  • Bug #1278: ssh banner parser issue
  • Bug #1254: sig parsing crash on malformed rev keyword
  • Bug #1267: issue with ipv6 logging
  • Bug #1273: Lua – http.request_line not working
  • Bug #1284: AF_PACKET IPS mode not logging drops and stream inline issue
  • Security:
  • CVE-2014-6603

New in Suricata 2.0.3 (Aug 8, 2014)

  • Bug #1236: fix potential crash in http parsing
  • Bug #1244: ipv6 defrag issue
  • Bug #1238: Possible evasion in stream-tcp-reassemble.c
  • Bug #1221: lowercase conversion table missing last value
  • Support #1207: Cannot compile on CentOS 5 x64 with --enable-profiling
  • Updated bundled libhtp to 0.5.15

New in Suricata 2.0 RC1 (Feb 14, 2014)

  • Unified JSON output was added. VLAN handling was improved.
  • QinQ support was added.
  • A commandline option for overriding configuration settings was added.
  • ICMPv6 handling was improved.
  • Memcaps for DNS and HTTP handling were added.
  • Several packet capture improvements were made.
  • An optimized NSM runmode was added.
  • Many other issues were fixed.

New in Suricata 2.0 Beta 2 (Dec 19, 2013)

  • VLAN support was improved.
  • IP Defrag options were added.
  • Options were added for enabling and disabling protocol parsers.
  • Protocol detection was improved.
  • IPv6 improvements were made.
  • HTTP inspection was improved.
  • Profiling options were expanded.
  • Many more changes were made.

New in Suricata 1.4.7 (Dec 17, 2013)

  • Fixes:
  • Bug #996: tag keyword: tagging sessions per time is broken
  • Bug #1000: delayed detect inits thresholds before de_ctx
  • Bug #1001: ip_rep loading problem with multiple values for a single ip
  • Bug #1022: StreamTcpPseudoPacketSetupHeader : port swap logic isn’t consistent
  • Bug #1047: detect-engine.profile – custom value parsing broken
  • Bug #1063: rule ordering with multiple vars

New in Suricata 1.4.6 (Sep 25, 2013)

  • Bug 958: malformed SSL records leading to crash. Reported by Sebastian Roschke. CVE-2013-5919.
  • Bug 971: AC pattern matcher out of bounds memory read.
  • Bug 965: improve negated content handling. Reported by Will Metcalf.
  • Bug 937: fix IPv6-in-IPv6 decoding.
  • Bug 934: improve address parsing.
  • Bug 969: fix unified2 not logging tagged packets.

New in Suricata 1.4.5 (Jul 27, 2013)

  • IPv6 issues were fixed.

New in Suricata 1.4.4 (Jul 19, 2013)

  • Bug #834: Unix socket – showing as compiled when it is not desired to do so
  • Bug #841: configure --enable-unix-socket does not err out if libs/pkgs are not present
  • Bug #846: FP on IP frag and sig using udp port 0, thanks to Rmkml
  • Bug #864: fix pass action not working correctly in all cases, thanks Kevin Branch
  • Bug #876: http connect tunnel crash fixed
  • Bug #877: Flowbit check with content doesn’t match consistently, thanks to Francis Trudeau

New in Suricata 1.4.3 (Jun 21, 2013)

  • A case of missed detection in bytetest, bytejump, and byteextract was fixed.
  • Tunneled packets can now be dropped properly in IPS mode.
  • The OS X build was fixed.

New in Suricata 1.4.2 (May 30, 2013)

  • Several accuracy issues were fixed.

New in Suricata 1.4.1 (Mar 9, 2013)

  • The GeoIP keyword was added.
  • HTTP host header matching was added.
  • New Unix socket commands were added.
  • Napatech support was improved.
  • IPFW support was improved.
  • HTTP query string normalization was improved.
  • Many issues were fixed.

New in Suricata 1.3.6 (Mar 8, 2013)

  • fix decoder event rules not checked in all cases (#671)
  • checksum detection for icmpv6 was fixed (#673)
  • crash in HTTP server body inspection code fixed (#675)
  • fixed a icmpv6 payload bug (#676)
  • IP-only rule ip_proto not matching for some protocols was addressed (#690)
  • fixed malformed yaml crashing suricata (#702)
  • parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#717)
  • crash in tls parser was fixed (#759)
  • fixed UDPv4 packets without checksum being detected as invalid (#762)
  • fixed DCE/SMB parsers getting confused in some fragmented cases (#763)

New in Suricata 1.4 (Dec 14, 2012)

  • Interactive Unix Socket mode was added.
  • IP Reputation support was added.
  • A Lua scripting detection keyword was added.
  • IP Defrag engine performance was much improved.
  • Global thresholding was improved.
  • AF_PACKET IPS mode support was added.
  • File log output was improved.
  • HTTP inspection was made more configurable.
  • Live packet capture stats support was added.
  • The stream reassembly engine was improved.
  • TLS cert logging, storing, and fingerprint matching was added.
  • Support for decoding various tunnel protocols was added.
  • Delayed detection engine initialization support was added.

New in Suricata 1.3.5 (Dec 7, 2012)

  • This version fixes a major flow engine memory leak, a case in which unified2 could overwrite its own alert files, and the Windows build.

New in Suricata 1.4 RC1 (Nov 30, 2012)

  • Interactive Unix Socket mode was added.
  • IP Reputation support was added.
  • Command line options were improved.
  • The rule analyzer was improved.
  • File log output was improved.
  • Endace DAG card live stats support was added.
  • A new HTTP event was added.
  • Many issues were fixed.

New in Suricata 1.4 Beta 3 (Nov 15, 2012)

  • Napatech capture card support was improved.
  • Support for the pkt_data keyword was added.
  • HTTP inspection was made more configurable.
  • Live packet capture stats support was added.
  • The stream reassembly engine was improved.
  • Performance enhancements were made.
  • The rule analyzer was improved.
  • Many issues were fixed.

New in Suricata 1.3.3 (Nov 2, 2012)

  • This version fixes several accuracy and stability issues, several false positives, and a file extraction corruption bug.

New in Suricata 1.4 Beta 2 (Oct 5, 2012)

  • A Lua scripting detection keyword was added.
  • Per-server HTTP parsing settings were made much more configurable.
  • IP Defrag engine performance was much improved.
  • Global thresholding was improved.
  • Rule profiling performance was improved.
  • Many other performance enhancements were made.
  • Many issues were fixed.

New in Suricata 1.3.2 (Oct 4, 2012)

  • Several accuracy issues were fixed.
  • HTTP multipart parsing bugs were fixed.
  • Several packet acquisition bugs were fixed.
  • A stream engine bug was fixed.

New in Suricata 1.4 Beta 1 (Sep 7, 2012)

  • AF_PACKET IPS mode support was added.
  • Custom HTTP logging was added.
  • TLS cert logging, storing, and fingerprint matching was added.
  • Support for decoding various tunnel protocols was added.
  • NFQ fail-open support was added.
  • A rule option for limiting inspection to IPv4 or IPv6 was added.
  • The filesize keyword was added.
  • Delayed detection engine initialization support was added.
  • Various performance improvements were made.

New in Suricata 1.3.1 (Aug 22, 2012)

  • AF_PACKET performance was much improved.
  • Defrag engine performance was improved.
  • HTTP URI double decoding handling was made configurable.
  • The stream engine was made more robust.
  • The Windows build was fixed.
  • Various other issues were fixed.

New in Suricata 1.3 RC1 (Jun 30, 2012)

  • This version adds live rule reload support, AF_PACKET bpf support, a rule analyzer, improved file MD5 matching, a keyword to match on User-Agent in HTTP, and general accuracy and stability improvements.

New in Suricata 1.3 Beta 2 (Jun 9, 2012)

  • This version adds a rule keyword to match files against large MD5 blacklists, improves performance, supports PF_RING 5.4.x, and fixes various bugs.

New in Suricata 1.3 Beta 1 (Apr 5, 2012)

  • TLS handshake decoder and detection keywords were added.
  • Napatech capture card support was added.
  • MD5 calculation for files was added.
  • File log was added.
  • HTTP CONNECT handling was improved.
  • IPv6 issues were fixed.
  • Major scalability improvements were made.

New in Suricata 1.2.1 (Jan 23, 2012)

  • Writing of malformed unified2 log records was fixed.
  • TCP timeout handling was improved.

New in Suricata 1.2 (Jan 20, 2012)

  • PCAP live runmodes were fixed.
  • CPU affinity settings for live runmodes were fixed.
  • Windows/Cygwin path handling was improved.

New in Suricata 1.2 RC1 (Jan 12, 2012)

  • Auto-detection of interfaces with checksum offloading was added.
  • HTTP and SMTP parser event matching was added.
  • Unixsock output options were added.
  • Performance was improved.
  • IPS mode was improved.
  • File inspection and extraction was improved.

New in Suricata 1.1 RC1 (Nov 6, 2011)

  • Extended HTTP request logging was added.
  • AF_PACKET drop stats were added.
  • Flow and stream engine counters were added.
  • SMTP and HTTP parsers were improved.
  • Prelude output was improved.
  • Stability and accuracy were improved.

New in Suricata 1.1 Beta 3 (Oct 26, 2011)

  • Support for AF_PACKET, replace keyword, workers runmode, event suppression, and byte_extract was added.
  • Accuracy and performance were greatly improved. Stability and memory hygiene were improved.

New in Suricata 1.0.5 (Jul 25, 2011)

  • A stream engine bug was fixed.
  • Various issues found by the Coverity source code analyzers were fixed.

New in Suricata 1.0.4 (Jun 27, 2011)

  • LibHTP was updated to 0.2.6.
  • A large number of (potential) issues were fixed after a source code scan with Coverity, generously contributed by Red Hat.
  • A large number of (potential) issues were fixed after source code scans with the Clang static analyzer.

New in Suricata 1.1 Beta 1 (Dec 22, 2010)

  • Support for http_raw_header, http_stat_msg, and http_stat_code was added.
  • A new default pattern matcher was added.
  • Reference.config support was added.
  • Performance was much improved.
  • Fast_pattern support was improved.

New in Suricata 1.0.2 (Sep 3, 2010)

  • An SSH module was added.
  • Several TCP evasions were fixed.
  • Language compatibility was improved.
  • HTTP detection accuracy was improved.
  • Inline mode was improved.

New in Suricata 1.0.1 (Jul 31, 2010)

  • Major detection accuracy improvements.
  • ip_proto keyword was fixed for malformed packets.
  • A TCP RST packet evasion issue was fixed (http://www.packetstan.com/2010/06/recently ive-been-on-campaign-to-make.html).
  • Stream reassembly improvements.

New in Suricata 1.0.0 (Jul 2, 2010)

  • This version adds support for tag keywords, support for DCERPC over UDP, and duplicate signature detection, and improves CUDA support, URI inspection, stability, and performance.

New in Suricata 0.9.2 (Jun 24, 2010)

  • Support was added for DAG cards, reassembled stream scanning, the http_uri keyword, dce keywords, and ratefilter.
  • Support was improved for uricontent, asn1, and threshold.
  • Memory leaks were fixed. Performance was improved.

New in Suricata 0.9.0 (May 26, 2010)

  • New features:
      • Support for the http_headers keyword was added.
      • libhtp was updated to version 0.2.3.
      • Privilege dropping using libcap-ng is now supported.
      • Proper support for "pass" rules was added.
      • Inline mode for Windows was added.
  • Improvements:
      • A regression in the detection engine causing false negatives was fixed.
      • Many accuracy and stability improvements have been made.