Suricata 8.0.0 beta1 Released

Suricata 8.0.0 beta1 Release Notes

We are pleased to announce our beta version of the Suricata 8.0 release! We want to share the main work we’ll be releasing soon so you can check and test it out, offer feedback, and share your thoughts before the release of Suricata 8.0.0, which is planned for July 8, 2025.

This mostly marks a feature freeze for Suricata 8 with respect to default features and behavior changes. A few more issues should still be addressed for the stable version, but the main ones are listed here.

Suricata major releases also take a lot of joint effort from our community, and we appreciate all your work in continuing to improve Suricata and make it always better.

Download Suricata: https://www.openinfosecfoundation.org/download/suricata-8.0.0-beta1.tar.gz
Signature: https://www.openinfosecfoundation.org/download/suricata-8.0.0-beta1.tar.gz.sig

All tickets for Suricata 8.0.0-beta1: 8.0.0-beta1 - Suricata - Open Information Security Foundation

Check the Suricata 8.0.0 Roadmap: https://roadmap.suricata.io/

Highlights

Protocols additions

  • Websocket support
  • LDAP support
  • ARP: decoder and logger
  • DNS over HTTPS (DoH)
  • SIP: parse traffic over TCP
  • SDP: parse traffic over SIP
  • POP3: decoder and logger

Detection improvements

Detection capabilities have been extended both in new classes of detection as well as by exposing new buffers and adding new keywords:

  • Transactional rules: express both directions in a transaction in a single rule
  • “Txbits”: per transaction “bits” support through xbits with scope tx
  • Matching on the absence of buffers using the absent keyword
  • Many individual keywords and buffers as part of our log/detect parity effort:
    • LDAP
    • MIME/email
    • vlan.id
    • DNS
    • SMTP
    • FTP
    • TLS
  • New transforms and keywords: from_base64, entropy
  • requires: rules can check for keywords or features
  • Integer keywords: accept hexadecimal notation, negated ranges, enumerations, bitmask
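As an added example (not from the release notes and not an official OISF rule), two rules combining two of the new keywords listed above: `requires`, so the rules are skipped rather than erroring on engines older than 8.0, and `absent`, to match on a sticky buffer that is missing from the transaction. The keyword syntax is assumed from the 8.0 documentation and should be checked against it.

```suricata
# Added example rules, not part of the release notes.
# Rule 1: alert on HTTP requests that carry no User-Agent header at all.
#   - "requires: version >= 8.0" makes older engines skip the rule silently
#     instead of failing to load the ruleset.
#   - "http.user_agent; absent;" matches only when the buffer does not exist.
alert http any any -> any any (msg:"HTTP request without User-Agent header"; \
    flow:established,to_server; \
    requires: version >= 8.0; \
    http.user_agent; absent; \
    classtype:policy-violation; sid:1000001; rev:1;)

# Rule 2: the "or_else" form. Matches when the User-Agent is absent OR, when it
# is present, when the remaining content match on that buffer succeeds. This
# covers both the "no header" and the "header set to a generic tool" cases in
# a single rule instead of two.
alert http any any -> any any (msg:"HTTP request with missing or generic User-Agent"; \
    flow:established,to_server; \
    requires: version >= 8.0; \
    http.user_agent; absent: or_else; content:"curl/"; startswith; \
    classtype:policy-violation; sid:1000002; rev:1;)
```

Both rules are best loaded with `suricata -T -S <file>` first to confirm the engine accepts the syntax before they go into a production ruleset.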

Logging improvements

As logging and output changes may have a big impact on deployments due to verbosity, change in terminology, or performance issues, please report back any fixes that seem needed.

Stats & Output

  • Exception policies stats (and more search-friendly stats counters)
  • Flows that trigger exception policies will log the triggered exception and applied policy
  • More stats counters for memuse/memcap handling: ippair, host, http-byterange
  • Stats for written and bpf-filtered-out packets for pcap-log
  • Stats for stream reassembly drops, skipped rules
  • Removal of unused counters, ability to disable zero-valued counters from EVE stats
  • More stats descriptions (EVE schema)

Firewall Mode (Preview)

Suricata’s new firewall mode is an experimental feature that brings firewall capabilities to Suricata. It is still considered to be in an experimental phase, with many moving parts.

At the most basic level, it is a more formalized dialect of the Suricata rule language, with a deterministic packet pipeline. Like with other firewalls, it uses a default drop policy. The ruleset is used to define what is allowed to pass.

Code Quality / Rustifying

  • LibHTP has been moved to Rust - this was a major contribution, possible only from the joint efforts of Todd Mortimer from the Canadian Centre for Cyber Security and Philippe Antoine from the Suricata team
  • Rust conversions: FTP, MIME, ENIP, suricatasc, byte_extract, base64 decoder
  • Rustification: SIP (sticky buffers), RFB (keywords and app-layer registration), MQTT (parser registration)

Lua

Lua support has been overhauled with the primary goals of:

  • Make Lua available everywhere: Lua 5.4 has been “vendored” into the Suricata code base, making it always available by default. This means all users of a Suricata version will be using the same Lua, allowing rule publishers to use Lua with confidence.
  • Run Lua in a sandboxed environment, so users can allow Lua rules with confidence they won’t perform activities such as writing to files or opening sockets or other system-level access allowed by an unrestricted Lua runtime.

These are breaking changes that may affect your usage of Lua. The most notable breaking changes are:

  • No ability to load third-party modules in Lua rules
  • No access to the “os” Lua library for access to system resources such as the file system
  • Moving global Lua functions that access Suricata features into Lua libraries; examples can be seen in the 8.0 documentation: 18.3. Lua Libraries — Suricata 8.0.0-beta1 documentation

Also, while not a breaking change, Lua rules are now enabled by default, whereas in Suricata 7.0 they had to be explicitly enabled in the configuration file because of the issues that the sandbox environment now resolves.

Known Lua issues in 8.0.0-beta1:

  • Note: The migration from global functions to Lua libraries is not complete for 8.0.0-beta1. This work will be completed by 8.0.0-rc1, and you can expect all documented Lua functions to have an equivalent function accessible via a Lua library.
  • The documentation may not be fully up to date with the changes; this is planned to be completed and reviewed for 8.0.0-rc1.

Library and Plugins

For 8.0.0, Suricata as a library has one focused goal: making it easy for library users to bring their own packets and threads, and this support is included in 8.0.0-beta1. This is probably best shown through an example, which can be found in the Suricata source code or viewed online here: suricata/examples/lib/custom/main.c at master · OISF/suricata · GitHub

We have also documented the API for hooking into Suricata logging at a low level (for example, the point where our EVE output hooks in). This could be useful for library users, as well as for plugin users who want a completely custom output. This API is documented at 29.4.5. Output — Suricata 8.0.0-beta1 documentation

New application protocol parsers, loggers, and detection keywords can also now be dynamically registered at runtime. This allows for application layer plugins, or easier registration of custom application layers for library users.

Upgrade Notes

Please review all the upgrade notes from 7.0 to 8.0 here: 4. Upgrading — Suricata 8.0.0-beta1 documentation

If you are upgrading and you are a PF_RING user, you will need to update your configuration to load the PF_RING plugin: PF_RING as a Plugin — Suricata 8.0.0-beta1 documentation

How you can help

Testing

If your work depends on Suricata as a rule-writer, integrator, output consumer, or any other way, please reserve some time to test the main features that could impact you.

We’re eager to hear feedback from you - especially in time to fix anything needed before the release of Suricata 8.0.0.

Feedback

Feedback on bugs, unexpected behavior changes, broken logs, missing documentation, or more is super welcome.

If you are a library user or a potential library user, please check out the example of library usage. Does it, along with enhancements to dynamic registration of callbacks, meet your needs?

Please share use cases or reports, preferably on Redmine: Issues - Suricata - Open Information Security Foundation

Special thanks

Major contributions to Suricata 8 were made by:

  • Giuseppe Longo
  • Alice Akaki
  • Todd Mortimer
  • Jason Taylor
  • Sascha Steinbiss

Complete list of contributors:

Adam Kiripolsky, Alex Savage, Alexandre Iooss, Alexey Simakov, Alfredo Cardigliano, Alice Akaki, AlirezaPourchali, Andreas Herz, Angelo Mirabella, Arne Welzel, Binghui Niu, Bruno Franca, Bryan Benson, Cole Dishington, Comfort Amaechi, Daniel Olatunji, daniel zhao, Dean Balandin, Eloy Pérez González, Eric Leblond, Giuseppe Longo, Gleb Smirnoff, Hadiqa Alamdar Bukhari, Ilya Bakhtin, jason taylor, Jo Johnson, Joseph Reilly, Joyce Yu, Kirjan Kohuladas, Liam Wilson, Liza Opar, Mahmoud Maatuq, Nancy Enos, Nathan Scrivens, Noah Liu, Pierre Chifflier, Ralph Eastwood, Richard McConnell, Sascha Steinbiss, Simon Dugas, Stephen Donnelly, Thomas Winter, Todd Mortimer, Travis Green, Vincent Li, Yatin Kanetkar, Zemeteri Kamimizu, the Outreachy initiative, OSS-Fuzz, Coverity.

SuriCon

This year’s Suricata Community Conference will happen in Montreal, Canada, from November 19 to 21.

Our conference is a great place to present exciting work or research done with Suricata.
Come share yours with us! The Call for Talks is open: Call for Talks – SURICON

Sponsors are welcome! Check conference details, sponsorship opportunities, and more at https://suricon.net/

About Suricata

Suricata is a high-performance Network Threat Detection, IDS, IPS, and Network Security Monitoring engine. It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors, and the community.


Don’t want to miss news about the release? Stay up-to-date with the latest around Suricata releases, community finds, and SuriCon with the Suricata quarterly newsletter: https://newsletter.suricata.io/