We are happy to announce the release of Suricata 8!
After one beta version and one release candidate, this is the first stable release of Suricata 8, arriving two years after the Suricata 7 major release.
This release is a testament to how the Suricata team has grown in consistency and stability over 15+ years of work: it introduced a roadmap that is easier for the community to follow, and it kept to and honored the planned dates.
We know that Suricata major releases also take a lot of joint effort of our community, and we appreciate all your work in improving and making Suricata better. Thanks as well to all who tested and shared results and feedback with us!
Download: https://www.openinfosecfoundation.org/download/suricata-8.0.0.tar.gz
Signature: https://www.openinfosecfoundation.org/download/suricata-8.0.0.tar.gz.sig
All tickets for Suricata 8.0.0: 8.0.0 - Suricata - Open Information Security Foundation
Check the Suricata 8.0.0 Roadmap: https://roadmap.suricata.io/
Main features
This major release contains many groundbreaking new features in all aspects of Suricata usage, including deployment, integrations, performance and detection. Read more to discover some important highlights.
Performance Improvements
Suricata 8.0 brings significant performance enhancements across multiple areas of the engine, from detection to rule loading and initialization.
The general detection engine performance was improved through optimizations such as better branch prediction and tuned hash functions. PCAP reading mode can now process files faster thanks to larger read buffers and reduced thread synchronization overhead.
Suricata initialization has been significantly improved, thanks to enhanced port grouping, MPM caching, and optimizations in the IP insertion algorithm.
Secure Deployment / Security
- More protocol parsers converted to Rust, including:
- LibHTP
- FTP
- ENIP
- MIME parsing
Protocols
- ARP: decoder and logger
- DNS over HTTPS (DoH)
- LDAP support
- Multicast DNS (mDNS)
- POP3: decoder and logger
- SDP: parse traffic over SIP
- SIP: parse traffic over TCP
- Websocket support
Rules & Detection Improvements
Detection capabilities have been extended both in new classes of detection as well as by exposing new buffers and adding new keywords:
- Transactional rules: express both directions in a transaction in a single rule
- “Txbits”: per transaction “bits” support through xbits with scope tx
- Matching on the absence of buffers using the absent keyword
- Many individual keywords and buffers as part of our log/detect parity effort:
- LDAP
- MIME/ EMAIL
- vlan.id
- DNS
- SMTP
- FTP
- TLS
- New keywords:
- tcp.wscale
- pgsql.query
- mDNS
- Data JSON for data sets: enrich alerts using metadata in datasets
- New transforms and keywords: from_base64, entropy, luaxform
- requires: rules can check for keywords or features
- Integer keywords: accept hexadecimal notation, negated ranges, enumerations, bitmask
IPS: Suricata as a Firewall (experimental)
For intrusion prevention, Suricata now has Firewall features.
Suricata’s new firewall mode brings firewall capabilities to Suricata. The firewall mode is considered experimental and may be subject to changes during the 8.0 lifecycle.
At the most basic level, it is a more formalized dialect of the Suricata rule language, with a deterministic packet pipeline. Like with other firewalls, it uses a default drop policy. The ruleset is used to define what is allowed to pass.
“Rule hooks” have been introduced to offer more precise control over where in a protocol's state a rule is evaluated.
Lua
Lua support has been overhauled with the primary goals of:
- Make Lua available everywhere: Lua 5.4 has been “vendored” into the Suricata code base, making it always available by default. This means all users of a Suricata version will be using the same Lua, allowing rule publishers to use Lua with confidence.
- Run Lua in a sandboxed environment, so users can allow Lua rules with confidence they won’t perform activities such as writing to files or opening sockets or other system-level access allowed by an unrestricted Lua runtime.
These are breaking changes that may affect your usage of Lua. The most notable breaking changes are:
- No ability to load third-party modules in Lua rules
- No access to the “os” Lua library for access to system resources such as the file system
- Moving global Lua functions that access Suricata features to Lua libraries, examples can be seen in the 8.0 documentation: 18.3. Lua Libraries — Suricata 8.0.0 documentation
Also, while not a breaking change, Lua rules are now enabled by default, whereas in Suricata 7.0 they had to be enabled in the configuration file because of the issues that the sandbox environment now resolves.
Library and Plugins
For 8.0.0, Suricata as a library has one focused goal of making it easy for library users to bring their own packets and threads. This is probably best shown through an example, which can be found in the Suricata source code, or viewed online here: suricata/examples/lib/custom/main.c at master · OISF/suricata · GitHub.
We have also documented the API for hooking into Suricata logging at a low level (for example, where our EVE hooks in). This could be useful for library users, as well as plugin users who want a completely custom output. This API has been documented at 29.4.5. Output — Suricata 8.0.0 documentation.
New application protocols parsers, loggers, and detections (keywords) can also now be dynamically registered at runtime. This allows for application layer plugins or easier registration of custom application layers for library users.
- Dynamic registration example of built-in application layer parser (SNMP): suricata/rust/src/snmp/snmp.rs at master · OISF/suricata · GitHub.
- Example of an application layer plugin: suricata/examples/plugins/altemplate at master · OISF/suricata · GitHub.
- Initial support of nDPI as a plugin demonstrating how a feature can be done as a plugin.
- Napatech and PF_RING capture mechanisms have also been converted to plugins.
Output
- TLS (log extensions), entropy (triggered by keyword), and more.
- Flows that trigger exception policies will log the triggered exception and applied policy
- Improvements to Stats logs:
- Exception policies counters
- More stats for memuse/ memcap handling: ippair, host, http-byterange
- Stats for written and bpf-filtered-out packets for pcap-log
- Stats for stream reassembly drops, skipped rules
- Removal of unused counters, ability to disable zero-valued counters from EVE stats
- More EVE schema descriptions (e.g. for several stats counters)
Code Quality / Rustification:
- LibHTP has been moved to Rust - this was a major contribution, possible only from the joint efforts of Todd Mortimer from the Canadian Centre for Cyber Security and Philippe Antoine from the Suricata team
- Rust conversions: FTP, MIME, ENIP, suricatasc, byte_extract, base64 decoder
- SIP (sticky buffers), RFB (keywords and app-layer registration), MQTT (parser registration)
Dev Corner
- Total: 2090 files changed, 160167 insertions(+), 112455 deletions(-)
- Rust: 470 files changed, 62110 insertions(+), 9244 deletions(-)
- C: 1294 files changed, 70313 insertions(+), 98235 deletions(-)
- Docs: 158 files changed, 14237 insertions(+), 2862 deletions(-)
- CI/QA optimization: fewer build checks for doc-only patches
Upgrade Notes
The MSRV (minimum supported Rust version) has been updated to 1.75.0, from the 1.63.0 minimum in Suricata 7.0.
Suricata no longer depends on the LibHTP C library; it is now provided as a Rust crate.
Please review all the upgrade notes from 7.0 to 8.0 here:
If you are upgrading and you are a PF_RING user, you will need to update your configuration to load the PF_RING plugin: PF_RING as a Plugin — Suricata 8.0.0 documentation
Special Thanks
The Outreachy initiative, OSS-Fuzz, Coverity.
Outreachy interns: Alice Akaki, Daniel Olatunji, Hadiqa Alamdar Bukhari.
Community: Adam Kiripolsky, Alex Savage, Alexandre Iooss, Alexey Simakov, Alfredo Cardigliano, AlirezaPourchali, Angelo Mirabella, Arne Welzel, Binghui Niu, Boris Tonofa, Bruno Franca, Bryan Benson, Cole Dishington, Comfort Amaechi, daniel zhao, Dean Balandin, Eloy Pérez González, Eric Leblond, Fupeng Zhao, Giuseppe Longo, Gleb Smirnoff, Ilya Bakhtin, James, jason taylor, Jo Johnson, Joseph Reilly, Joyce Yu, Kirjan Kohuladas, Liam Wilson, Liza Opar, Mahmoud Maatuq, Nancy Enos, Nathan Scrivens, Noah Liu, Pierre Chifflier, Ralph Eastwood, Richard McConnell, Sascha Steinbiss, Simon Dugas, Stephen Donnelly, Thomas Winter, Todd Mortimer, Travis Green, Vincent Li, Yatin Kanetkar, Zemeteri Kamimizu.
Meet The Community at SuriCon!
This year’s Suricata Community Conference will happen in Montreal, Canada, from November 19 to 21. You can get your tickets now.
Our conference is a great place to present exciting work or research done with Suricata.
Come share yours with us! The Call for Talks has been extended, but closes this week.
Sponsors are welcome! Check conference details, sponsorship opportunities, and more at https://suricon.net/
About Suricata
Suricata is a high-performance Network Threat Detection, IDS, IPS, and Network Security Monitoring engine. It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors, and the community.
Newsletter
Stay up-to-date with the latest around Suricata releases, community finds, events, and SuriCon with the Suricata quarterly newsletter: https://newsletter.suricata.io/