Suricata Changelog

New in version 2.0.7 (March 1st, 2015)

  • Changes:
      • Bug #1385: DCERPC traffic parsing issue
      • Bug #1391: http uri parsing issue
      • Bug #1383: tcp midstream window issue
      • Bug #1318: A thread-sync issue in streamTCP
      • Bug #1375: Regressions in list keywords option
      • Bug #1387: pcap-file hangs on systems w/o atomics support
      • Bug #1395: dump-counters unix socket command failure
      • Optimization #1376: file list is not cleaned up
  • Security:
      • The DCERPC parsing issue has CVE-2015-0928 assigned to it.

New in version 2.0.6 (January 18th, 2015)

  • Bug #1364: evasion issues
  • Bug #1337: output-json: duplicate logging
  • Bug #1325: tls detection leads to tcp stream reassembly sequence gaps (IPS)
  • Bug #1192: Suricata does not compile on OS X/Clang due to redefinition of string functions
  • Bug #1183: pcap: cppcheck warning

New in version 2.0.5 (December 12th, 2014)

  • Bug #1190: http_header keyword not matching when SYN|ACK and ACK missing
  • Bug #1246: EVE output Unix domain socket not working
  • Bug #1272: Segfault in libhtp 0.5.15
  • Bug #1298: Filestore keyword parsing issue
  • Bug #1303: improve stream ‘bad window update’ detection
  • Bug #1304: improve stream handling of bad SACK values
  • Bug #1305: fix tcp session reuse for ssh/ssl sessions
  • Bug #1307: byte_extract, within combination not working
  • Bug #1326: pcre pkt/flowvar capture broken for non-relative matches
  • Bug #1329: Invalid rule being processed and loaded
  • Bug #1330: Flow memuse bookkeeping error (2.0.x)

New in version 2.0.4 (September 24th, 2014)

  • Changes:
      • Bug #1276: ipv6 defrag issue with routing headers
      • Bug #1278: ssh banner parser issue
      • Bug #1254: sig parsing crash on malformed rev keyword
      • Bug #1267: issue with ipv6 logging
      • Bug #1273: Lua – http.request_line not working
      • Bug #1284: AF_PACKET IPS mode not logging drops and stream inline issue
  • Security:
      • CVE-2014-6603

New in version 2.0.3 (August 8th, 2014)

  • Bug #1236: fix potential crash in http parsing
  • Bug #1244: ipv6 defrag issue
  • Bug #1238: Possible evasion in stream-tcp-reassemble.c
  • Bug #1221: lowercase conversion table missing last value
  • Support #1207: Cannot compile on CentOS 5 x64 with --enable-profiling
  • Updated bundled libhtp to 0.5.15

New in version 2.0 RC1 (February 14th, 2014)

  • Unified JSON output was added. VLAN handling was improved.
  • QinQ support was added.
  • A commandline option for overriding configuration settings was added.
  • ICMPv6 handling was improved.
  • Memcaps for DNS and HTTP handling were added.
  • Several packet capture improvements were made.
  • An optimized NSM runmode was added.
  • Many other issues were fixed.

New in version 2.0 Beta 2 (December 19th, 2013)

  • VLAN support was improved.
  • IP Defrag options were added.
  • Options were added for enabling and disabling protocol parsers.
  • Protocol detection was improved.
  • IPv6 improvements were made.
  • HTTP inspection was improved.
  • Profiling options were expanded.
  • Many more changes were made.

New in version 1.4.7 (December 17th, 2013)

  • Fixes:
      • Bug #996: tag keyword: tagging sessions per time is broken
      • Bug #1000: delayed detect inits thresholds before de_ctx
      • Bug #1001: ip_rep loading problem with multiple values for a single ip
      • Bug #1022: StreamTcpPseudoPacketSetupHeader : port swap logic isn’t consistent
      • Bug #1047: detect-engine.profile – custom value parsing broken
      • Bug #1063: rule ordering with multiple vars

New in version 1.4.6 (September 25th, 2013)

  • Bug #958: malformed SSL records leading to crash. Reported by Sebastian Roschke. CVE-2013-5919.
  • Bug #971: AC pattern matcher out of bounds memory read.
  • Bug #965: improve negated content handling. Reported by Will Metcalf.
  • Bug #937: fix IPv6-in-IPv6 decoding.
  • Bug #934: improve address parsing.
  • Bug #969: fix unified2 not logging tagged packets.

New in version 1.4.5 (July 27th, 2013)

  • IPv6 issues were fixed.

New in version 1.4.4 (July 19th, 2013)

  • Bug #834: Unix socket – showing as compiled when it is not desired to do so
  • Bug #841: configure --enable-unix-socket does not err out if libs/pkgs are not present
  • Bug #846: FP on IP frag and sig using udp port 0, thanks to Rmkml
  • Bug #864: fix pass action not working correctly in all cases, thanks Kevin Branch
  • Bug #876: http connect tunnel crash fixed
  • Bug #877: Flowbit check with content doesn’t match consistently, thanks to Francis Trudeau

New in version 1.4.3 (June 21st, 2013)

  • A case of missed detection in bytetest, bytejump, and byteextract was fixed.
  • Tunneled packets can now be dropped properly in IPS mode.
  • The OS X build was fixed.

New in version 1.4.2 (May 30th, 2013)

  • Several accuracy issues were fixed.

New in version 1.4.1 (March 9th, 2013)

  • The GeoIP keyword was added.
  • HTTP host header matching was added.
  • New Unix socket commands were added.
  • Napatech support was improved.
  • IPFW support was improved.
  • HTTP query string normalization was improved.
  • Many issues were fixed.

New in version 1.3.6 (March 8th, 2013)

  • fix decoder event rules not checked in all cases (#671)
  • checksum detection for icmpv6 was fixed (#673)
  • crash in HTTP server body inspection code fixed (#675)
  • fixed an icmpv6 payload bug (#676)
  • IP-only rule ip_proto not matching for some protocols was addressed (#690)
  • fixed malformed yaml crashing suricata (#702)
  • ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#717)
  • crash in tls parser was fixed (#759)
  • fixed UDPv4 packets without checksum being detected as invalid (#762)
  • fixed DCE/SMB parsers getting confused in some fragmented cases (#763)

New in version 1.4 (December 14th, 2012)

  • Interactive Unix Socket mode was added.
  • IP Reputation support was added.
  • A Lua scripting detection keyword was added.
  • IP Defrag engine performance was much improved.
  • Global thresholding was improved.
  • AF_PACKET IPS mode support was added.
  • File log output was improved.
  • HTTP inspection was made more configurable.
  • Live packet capture stats support was added.
  • The stream reassembly engine was improved.
  • TLS cert logging, storing, and fingerprint matching was added.
  • Support for decoding various tunnel protocols was added.
  • Delayed detection engine initialization support was added.

New in version 1.3.5 (December 7th, 2012)

  • This version fixes a major flow engine memory leak, a case in which unified2 could overwrite its own alert files, and the Windows build.

New in version 1.4 RC1 (November 30th, 2012)

  • Interactive Unix Socket mode was added.
  • IP Reputation support was added.
  • Command line options were improved.
  • The rule analyzer was improved.
  • File log output was improved.
  • Endace DAG card live stats support was added.
  • A new HTTP event was added.
  • Many issues were fixed.

New in version 1.4 Beta 3 (November 15th, 2012)

  • Napatech capture card support was improved.
  • Support for the pkt_data keyword was added.
  • HTTP inspection was made more configurable.
  • Live packet capture stats support was added.
  • The stream reassembly engine was improved.
  • Performance enhancements were made.
  • The rule analyzer was improved.
  • Many issues were fixed.

New in version 1.3.3 (November 2nd, 2012)

  • This version fixes several accuracy and stability issues, several false positives, and a file extraction corruption bug.

New in version 1.4 Beta 2 (October 5th, 2012)

  • A Lua scripting detection keyword was added.
  • Per-server HTTP parsing settings were made much more configurable.
  • IP Defrag engine performance was much improved.
  • Global thresholding was improved.
  • Rule profiling performance was improved.
  • Many other performance enhancements were made.
  • Many issues were fixed.

New in version 1.3.2 (October 4th, 2012)

  • Several accuracy issues were fixed.
  • HTTP multipart parsing bugs were fixed.
  • Several packet acquisition bugs were fixed.
  • A stream engine bug was fixed.

New in version 1.4 Beta 1 (September 7th, 2012)

  • AF_PACKET IPS mode support was added.
  • Custom HTTP logging was added.
  • TLS cert logging, storing, and fingerprint matching was added.
  • Support for decoding various tunnel protocols was added.
  • NFQ fail-open support was added.
  • A rule option for limiting inspection to IPv4 or IPv6 was added.
  • The filesize keyword was added.
  • Delayed detection engine initialization support was added.
  • Various performance improvements were made.

New in version 1.3.1 (August 22nd, 2012)

  • AF_PACKET performance was much improved.
  • Defrag engine performance was improved.
  • HTTP URI double decoding handling was made configurable.
  • The stream engine was made more robust.
  • The Windows build was fixed.
  • Various other issues were fixed.

New in version 1.3 RC1 (June 30th, 2012)

  • This version adds live rule reload support, AF_PACKET bpf support, a rule analyzer, improved file MD5 matching, a keyword to match on User-Agent in HTTP, and general accuracy and stability improvements.

New in version 1.3 Beta 2 (June 9th, 2012)

  • This version adds a rule keyword to match files against large MD5 blacklists, improves performance, supports PF_RING 5.4.x, and fixes various bugs.

New in version 1.3 Beta 1 (April 5th, 2012)

  • TLS handshake decoder and detection keywords were added.
  • Napatech capture card support was added.
  • MD5 calculation for files was added.
  • File log was added.
  • HTTP CONNECT handling was improved.
  • IPv6 issues were fixed.
  • Major scalability improvements were made.

New in version 1.2.1 (January 23rd, 2012)

  • Writing of malformed unified2 log records was fixed.
  • TCP timeout handling was improved.

New in version 1.2 (January 20th, 2012)

  • PCAP live runmodes were fixed.
  • CPU affinity settings for live runmodes were fixed.
  • Windows/Cygwin path handling was improved.

New in version 1.2 RC1 (January 12th, 2012)

  • Auto-detection of interfaces with checksum offloading was added.
  • HTTP and SMTP parser event matching was added.
  • Unixsock output options were added.
  • Performance was improved.
  • IPS mode was improved.
  • File inspection and extraction was improved.

New in version 1.1 RC1 (November 6th, 2011)

  • Extended HTTP request logging was added.
  • AF_PACKET drop stats were added.
  • Flow and stream engine counters were added.
  • SMTP and HTTP parsers were improved.
  • Prelude output was improved.
  • Stability and accuracy were improved.

New in version 1.1 Beta 3 (October 26th, 2011)

  • Support for AF_PACKET, replace keyword, workers runmode, event suppression, and byte_extract was added.
  • Accuracy and performance were greatly improved. Stability and memory hygiene were improved.

New in version 1.0.5 (July 25th, 2011)

  • A stream engine bug was fixed.
  • Various issues found by the Coverity source code analyzers were fixed.

New in version 1.0.4 (June 27th, 2011)

  • LibHTP updated to 0.2.6
  • Large number of (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat.
  • Large number of (potential) issues fixed after source code scans with the Clang static analyzer.

New in version 1.1 Beta 1 (December 22nd, 2010)

  • Support for http_raw_header, http_stat_msg, and http_stat_code was added.
  • A new default pattern matcher was added.
  • reference.config support was added.
  • Performance was much improved.
  • fast_pattern support was improved.

New in version 1.0.2 (September 3rd, 2010)

  • An SSH module was added.
  • Several TCP evasions were fixed.
  • Language compatibility was improved.
  • HTTP detection accuracy was improved.
  • Inline mode was improved.

New in version 1.0.1 (July 31st, 2010)

  • Major detection accuracy improvements.
  • ip_proto keyword was fixed for malformed packets.
  • A TCP RST packet evasion issue was fixed (http://www.packetstan.com/2010/06/recently-ive-been-on-campaign-to-make.html).
  • Stream reassembly improvements.

New in version 1.0.0 (July 2nd, 2010)

  • This version adds support for the tag keyword, support for DCERPC over UDP, duplicate signature detection, and improvements to CUDA support, URI inspection, stability, and performance.

New in version 0.9.2 (June 24th, 2010)

  • Support was added for DAG cards, reassembled stream scanning, the http_uri keyword, dce keywords, and ratefilter.
  • Support was improved for uricontent, asn1, and threshold.
  • Memory leaks were fixed. Performance was improved.

New in version 0.9.0 (May 26th, 2010)

  • New features:
      • Support for the http_headers keyword was added
      • libhtp was updated to version 0.2.3
      • Privilege dropping using libcap-ng is now supported
      • Proper support for "pass" rules was added
      • Inline mode for Windows was added
  • Improvements:
      • A regression in the detection engine causing false negatives was fixed
      • Many accuracy and stability improvements have been made