
Software update: Suricata 5.0.0

Version 5.0 of Suricata has recently been released. Suricata is an open source network intrusion detection system (IDS), intrusion prevention system (IPS) and network security monitoring engine. It can be used to monitor network traffic and to alert a system administrator if anything suspicious is detected. The Open Information Security Foundation coordinates the development with the help of the community and various vendors. The data collected with the JSON-based logging system EVE can be used with Logstash, among other things, to display information graphically. The most important changes in version 5.0 are listed below.

RDP, SNMP, FTP and SIP
Three new protocol parsers and loggers, all community contributions. Zach Kelly created a Rust RDP parser, while Giuseppe Longo created SIP support. Rust master Pierre Chifflier contributed SNMP support. Since RDP and SIP were merged late in our development cycle, they are disabled by default in the configuration. For FTP we have added an EVE logging facility.

JA3S
After contributing JA3 support in Suricata 4.1, Mats Klepsland has been working on JA3S support. JA3S is now available for the rule language and in the TLS logging output.

Datasets
Still experimental at this time, the initial work to support datasets is part of this release. It lets a rule match a buffer against a large set of values. It is controlled from the rule language and will work with any ‘sticky buffer’.
See documentation at https://suricata.readthedocs.io/en/suricata-5.0.0/rules/datasets.html
We’ve already heard of people using this with millions of IOCs.
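To show what a dataset rule and its input file look like in practice, here is an added example (my code, not OISF's). It follows the 5.0 datasets documentation for the `string` type, where each line of the file is one base64-encoded value; the `md5` and `sha256` types are left out. The IOC list is constructed, and values are lowercased before encoding because Suricata normalises the `http.host` buffer to lowercase, so mixed-case entries would never match.

```python
"""Build a Suricata 5.0 dataset file and the rule that uses it.

Added example, not code from the Suricata project. Per the 5.0 datasets
documentation, a 'string' dataset file holds one base64-encoded value per
line; the IOC list here is constructed.
"""
import base64
from pathlib import Path

# Constructed IOCs, deliberately in mixed case: Suricata normalises the
# http.host buffer to lowercase, so entries must be lowercased to ever match.
BAD_HOSTS = ["Evil.Example", "c2.evil.example", "evil.example"]


def encode_entry(value):
    """One on-disk dataset line for a buffer value (type string = base64)."""
    return base64.b64encode(value).decode("ascii")


def build_dataset(values, normalise=str.lower):
    """Encode IOCs as dataset lines, de-duplicated and sorted for stable diffs."""
    return sorted({encode_entry(normalise(v).encode("utf-8")) for v in values})


def write_dataset(path, values):
    """Write the file referenced by 'load <file>'; returns the entry count."""
    lines = build_dataset(values)
    Path(path).write_text("\n".join(lines) + "\n", encoding="ascii")
    return len(lines)


def in_dataset(lines, value, normalise=str.lower):
    """Mimic the engine's lookup: encode the buffer value and test membership."""
    return encode_entry(normalise(value).encode("utf-8")) in set(lines)


def dataset_rule(proto, buffer, name, load_file, sid, msg):
    """A rule that fires when the sticky buffer's value is in the dataset.
    Syntax: dataset:<cmd>,<name>,<options>; here cmd isset, type string
    and load <file>."""
    return (f'alert {proto} any any -> any any (msg:"{msg}"; {buffer}; '
            f'dataset:isset,{name},type string,load {load_file}; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    n = write_dataset("bad-hosts.lst", BAD_HOSTS)
    print(f"wrote {n} entries to bad-hosts.lst")
    print(dataset_rule("http", "http.host", "bad-hosts", "bad-hosts.lst",
                       9000001, "HTTP Host in bad-hosts dataset"))
```

Run it, point the rule's `load` at the generated file, and check the rule set loads with `suricata -T`. The normalisation step is the part worth remembering: the dataset is compared against the bytes of the buffer as Suricata presents them, so an IOC list has to be encoded in the same form the buffer uses.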

Documentation
With the help of many community members we’ve been improving the user documentation. Please see: https://suricata.readthedocs.io/en/suricata-5.0.0/

HTTP evader
We’ve been working hard to cover the final set of HTTP evader cases. This work has mostly gone into the bundled libhtp 0.5.31.

Rust
The most visible change is that our Rust support is no longer optional. We’re convinced that Rust is a perfect match for Suricata, and we plan to increase its footprint in our code base steadily. By making it mandatory we are able to remove parallel implementations and focus fully on making the Rust code better.

Protocol Detection
The protocol detection engine has been extended to provide better accuracy as well as support for dealing with asynchronous flows. These async flows are sometimes picked up in the wrong direction and the protocol detection engine can now reverse them.

Decoder Anomaly records in EVE
A new log record type has been added: ‘anomaly’. This logs the stream and decoder events that are set by the packet decoders. It is inspired by Zeek’s (Bro) ‘weird’ log.

EVE improvements
VLAN and capture interface are now part of many more EVE records, including flow records and records generated on flow time-out.

An option to log all HTTP headers to the EVE http records has been added.
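To make the JA3S, anomaly and VLAN/interface additions concrete, here is a small added consumer (not Suricata code) that reads newline-delimited EVE JSON. The records are constructed to the 5.0 shapes described above (`tls.ja3` and `tls.ja3s` objects with `hash` and `string`, an `anomaly` object with `type` and `event`, `in_iface` and a `vlan` list); the fingerprint strings and event names are illustrative, and the hashes are computed the way JA3 defines them, as the MD5 of the fingerprint string.

```python
"""Consume Suricata 5.0 EVE JSON: JA3/JA3S pairs, anomalies, VLAN and iface.

Added example; not Suricata project code. EVE_LINES are constructed records
in the 5.0 shapes; the fingerprint strings and event names are illustrative.
"""
import hashlib
import json
from collections import Counter


def fp_hash(fp_string):
    """JA3 and JA3S hashes are the MD5 of the fingerprint string."""
    return hashlib.md5(fp_string.encode("ascii")).hexdigest()


def tls_record(src, dst, sni, ja3_str, ja3s_str, iface="eth0", vlan=None):
    """One constructed EVE 'tls' record (JA3S is logged alongside JA3 in 5.0)."""
    rec = {"event_type": "tls", "in_iface": iface, "src_ip": src, "dest_ip": dst,
           "dest_port": 443, "proto": "TCP",
           "tls": {"sni": sni, "version": "TLS 1.2",
                   "ja3": {"hash": fp_hash(ja3_str), "string": ja3_str},
                   "ja3s": {"hash": fp_hash(ja3s_str), "string": ja3s_str}}}
    if vlan is not None:
        rec["vlan"] = vlan  # EVE logs VLAN ids as a list
    return rec


def anomaly_record(event, atype="decode", iface="eth0", vlan=None):
    """One constructed EVE 'anomaly' record (decoder/stream event)."""
    rec = {"event_type": "anomaly", "in_iface": iface,
           "anomaly": {"type": atype, "event": event}}
    if vlan is not None:
        rec["vlan"] = vlan
    return rec


# Constructed fingerprint strings (JA3: TLS version, ciphers, extensions,
# curves, point formats; JA3S: version, cipher, extensions).
CLIENT_A = "771,4865-4866-49195,0-23-65281-10-11,29-23-24,0"
CLIENT_B = "771,49172-49171-47,0-10-11,23-24,0"
SERVER_X = "771,4865,43-51"
SERVER_Y = "771,49172,65281-11"

EVE_LINES = [json.dumps(r) for r in [
    tls_record("10.0.0.5", "203.0.113.7", "update.example", CLIENT_A, SERVER_X, vlan=[100]),
    tls_record("10.0.0.6", "203.0.113.7", "update.example", CLIENT_A, SERVER_X, vlan=[100]),
    tls_record("10.0.0.9", "198.51.100.2", "cdn.example", CLIENT_B, SERVER_Y),
    anomaly_record("decoder.ipv4.opt_invalid", vlan=[100]),
    anomaly_record("decoder.ipv4.opt_invalid", vlan=[100]),
    anomaly_record("stream.pkt_invalid_ack", atype="stream", iface="eth1"),
]]


def parse_eve(lines):
    """Parse newline-delimited EVE JSON, skipping blank or truncated lines."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            out.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partially written tail line when tailing a live file
    return out


def ja3_pairs(records):
    """Count (JA3, JA3S) hash pairs. The client/server combination is a much
    tighter fingerprint than the client JA3 alone."""
    pairs = Counter()
    for r in records:
        if r.get("event_type") != "tls":
            continue
        t = r["tls"]
        if "ja3" in t and "ja3s" in t:
            pairs[(t["ja3"]["hash"], t["ja3s"]["hash"])] += 1
    return pairs


def anomaly_summary(records):
    """Count anomalies per capture interface, VLAN, type and event."""
    summary = Counter()
    for r in records:
        if r.get("event_type") != "anomaly":
            continue
        key = (r.get("in_iface"), tuple(r.get("vlan", [])),
               r["anomaly"]["type"], r["anomaly"]["event"])
        summary[key] += 1
    return summary


if __name__ == "__main__":
    recs = parse_eve(EVE_LINES)
    for (ja3, ja3s), n in ja3_pairs(recs).most_common():
        print(f"{n:3d}  ja3={ja3}  ja3s={ja3s}")
    for key, n in anomaly_summary(recs).most_common():
        print(f"{n:3d}  {key}")
```

Replace `EVE_LINES` with the lines of a real `eve.json` to use it. Keying anomalies on interface and VLAN is what the new fields buy you: a burst of decoder events confined to one VLAN usually points at a capture or encapsulation problem on that segment rather than at hostile traffic.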

Packet Capture
Eric Leblond has been working hard to get hardware offload support working for eBPF. On Netronome cards the eBPF based flow bypass can now be offloaded to the NIC. As eBPF is becoming a standard in the Linux space, we are hoping to see other hardware soon as well.
Netmap support has been rewritten so the more advanced features of netmap, such as VALE switches, can be used now.
Napatech usability has been improved.

Rule language: Sticky Buffers
As discussed at the Suricon 2018 brainstorming session, a new rule keyword scheme is being introduced. It takes the existing ‘sticky buffer’ approach with new keyword names to avoid confusion. The new scheme is <protocol>.<buffer>, so for example ‘http.uri’ for the URI inspection.
A number of HTTP keywords have been added.
Unified Lua inspection mixed with the sticky buffers has also been implemented.
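An added example (not from the Suricata project) of what the rename means in practice: a converter that turns legacy content-modifier rules into the sticky-buffer form. The keyword table is a subset I assume from the 5.0 docs. The interesting part is ordering, not naming: a legacy modifier such as `http_uri` is written after a `content` and applies to that one content, while a sticky buffer such as `http.uri` is written before and applies to every following content until the next buffer or `pkt_data`.

```python
"""Convert Suricata 4.x content-modifier rules to the 5.0 sticky-buffer scheme.

Added example, not part of the Suricata project. The keyword tables are a
subset assumed from the 5.0 docs; extend them as needed.
"""
import re

# Legacy content modifiers: written after a content, apply to that content only.
MODIFIERS = {
    "http_uri": "http.uri", "http_raw_uri": "http.uri.raw",
    "http_method": "http.method", "http_host": "http.host",
    "http_raw_host": "http.host.raw", "http_header": "http.header",
    "http_raw_header": "http.header.raw", "http_cookie": "http.cookie",
    "http_user_agent": "http.user_agent",
    "http_client_body": "http.request_body",
    "http_server_body": "http.response_body",
    "http_stat_code": "http.stat_code", "http_stat_msg": "http.stat_msg",
}
# Keywords that were already sticky buffers in 4.x: renamed in place.
RENAMED_STICKY = {
    "dns_query": "dns.query", "tls_sni": "tls.sni",
    "tls_cert_subject": "tls.cert_subject", "tls_cert_issuer": "tls.cert_issuer",
    "ja3_hash": "ja3.hash", "ja3_string": "ja3.string", "file_data": "file.data",
}
# Per-content arguments that may sit between a content and its modifier.
CONTENT_ARGS = {"nocase", "depth", "offset", "distance", "within",
                "fast_pattern", "startswith", "endswith"}


def split_options(opts):
    """Split the option block on ';' outside double quotes (honours \\" escapes)."""
    tokens, cur, in_q, esc = [], [], False, False
    for ch in opts:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ";" and not in_q:
            tok = "".join(cur).strip()
            if tok:
                tokens.append(tok)
            cur = []
        else:
            if ch == '"':
                in_q = not in_q
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        tokens.append(tail)
    return tokens


def convert_rule(rule):
    """Rewrite one rule; raises ValueError if it does not look like a rule."""
    m = re.fullmatch(r"\s*(?P<hdr>[^(]+?)\s*\((?P<opts>.*)\)\s*", rule, re.S)
    if not m:
        raise ValueError("not a Suricata rule")
    toks = split_options(m.group("opts"))
    names = [t.split(":", 1)[0].strip() for t in toks]

    # Pass 1: work out which buffer each content matched under 4.x semantics.
    buf_for_content, drop, old_active = {}, set(), None
    for i, name in enumerate(names):
        if name in RENAMED_STICKY:
            old_active = RENAMED_STICKY[name]
        elif name == "pkt_data":
            old_active = None
        elif name == "content":
            buf, j = old_active, i + 1
            while j < len(names) and (names[j] in CONTENT_ARGS or names[j] in MODIFIERS):
                if names[j] in MODIFIERS:
                    buf = MODIFIERS[names[j]]
                    drop.add(j)  # the modifier moves in front as a sticky buffer
                j += 1
            buf_for_content[i] = buf

    # Pass 2: emit, switching buffer only when the next content needs another one.
    out, active = [], None
    for i, (tok, name) in enumerate(zip(toks, names)):
        if i in drop:
            continue
        if name in RENAMED_STICKY:
            active = RENAMED_STICKY[name]
            out.append(active)
        elif name == "pkt_data":
            active = None
            out.append(tok)
        elif name == "content":
            buf = buf_for_content[i]
            if buf != active:
                out.append(buf if buf else "pkt_data")  # back to packet payload
                active = buf
            out.append(tok)
        else:
            out.append(tok)
    return f"{m.group('hdr')} ({' '.join(t + ';' for t in out)})"


if __name__ == "__main__":
    print(convert_rule('alert http any any -> any any (msg:"t"; content:"evil.example"; '
                       'http_host; content:"/dl"; http_uri; nocase; content:"|00 01|"; sid:2;)'))
```

Note the `pkt_data` the converter inserts before the last content of the demo rule: under the old scheme an unmodified content matched the packet payload, but after a sticky buffer it would silently match the buffer instead, which changes what the rule detects. Keywords that select a buffer some other way (for instance `pcre` flags such as `/U`, or `urilen`) are left untouched, so validate converted rules with `suricata -T` and test against traffic before deploying them.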

Python 3
With Python 2’s EOL approaching, we’ve made sure that all of Suricata’s Python code is Python 3 compliant.

Removals
Following our deprecation policy, we have removed the following parts: the plain text dns.log, the old files-json.log and support for the Tilera architecture.

All tickets
Beta 1 tickets: https://redmine.openinfosecfoundation.org/versions/115
RC 1 tickets: https://redmine.openinfosecfoundation.org/versions/128
Final tickets: https://redmine.openinfosecfoundation.org/versions/129

[Image: Logstash/Kibana fed with information from Suricata JSON output]

Version number: 5.0.0
Release status: Final
Operating systems: Linux
Website: Suricata
Download: https://www.openinfosecfoundation.org/download/suricata-5.0.0.tar.gz
License type: Open source (GNU / BSD / etc.)



This post first appeared on Need Help Ask Us Now Most Important Technology New.
