Tuesday, April 20, 2010

New suricata release 0.8.2

New suricata release! Have a look at the new features and changelog!

The OISF development team is proud to introduce the 3rd beta release of
Suricata, the Open Source Intrusion Detection and Prevention engine. The
first release candidate is currently scheduled for early May, but check
https://redmine.openinfosecfoundation.org/projects/roadmap/suricata for
the up to date schedule!

Get the new release here:
http://www.openinfosecfoundation.org/download/suricata-0.8.2.tar.gz

New features

- Support for the following keywords: detection_filter, http_client_body
- The HTTP parser can now set server personalities
- threshold.config support
- The experimental CUDA code now also works on x86_64
- IP address only rules for IPv6 are now supported as well
- Suricata can now write a pid file (pass --pidfile with the path to write)
- A fuzzer script was added to the code base
- Policy lookup for defrag module

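As an added illustration (not part of the original announcement or the Suricata project's own rule set), here is how the two new rule keywords and threshold.config fit together. The rule matches on a constructed marker string in the HTTP request body via http_client_body, and detection_filter makes it fire only once a source has sent five such requests within a minute, which is the usual way to turn a noisy "someone posted X" match into a "someone is hammering us with X" alert. The threshold.config line then rate-limits how often that alert is logged per source. The sid, the marker string and the IP are constructed values; the variable names $EXTERNAL_NET and $HOME_NET are the standard ones from suricata.yaml.

```suricata
# --- in a rules file (constructed example rule, sid 9000001 is a placeholder) ---
# detection_filter: the rule only alerts once the per-source counter reaches
# "count" matches within "seconds"; earlier matches are counted but silent.
# http_client_body: restricts the preceding content match to the HTTP request body
# (the new keyword in 0.8.2), instead of the raw payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"EXAMPLE repeated POST body containing constructed marker"; \
    flow:to_server,established; \
    content:"example-marker"; http_client_body; nocase; \
    detection_filter:track by_src, count 5, seconds 60; \
    classtype:misc-activity; sid:9000001; rev:1; )

# --- in threshold.config (new in 0.8.2) ---
# Once the rule above does fire, log at most one alert per source per 60 s
# so a sustained burst does not flood the logs.
threshold gen_id 1, sig_id 9000001, type limit, track by_src, count 1, seconds 60

# Suppress the alert entirely for a known-good host (10.0.0.5 is a constructed value),
# e.g. an internal monitoring system that legitimately sends this body.
suppress gen_id 1, sig_id 9000001, track by_src, ip 10.0.0.5
```

The difference to keep in mind when tuning: detection_filter lives inside the signature and decides whether a match becomes an alert at all, whereas threshold.config is applied after the fact to alerts that have already been generated, so the two can be combined as above without one overriding the other.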
Improvements

- Much better average and worst-case performance in the detection engine
- Memory footprint was reduced
- More validation at signature loading stage
- Libnet 1.1 is now optional
- Negated uricontent and http_cookie matching is now supported
- Lots of fixes of issues found by Valgrind's DRD, CLANG and Parfait.
- Threads are now named in "top" (Linux only at the moment).
- Unified1 file handling is improved

Bugs fixed

Many :)
Several segmentation faults were fixed; upgrading is highly recommended.

See
https://redmine.openinfosecfoundation.org/projects/suricata/issues?fixed_version_id=6&set_filter=1&status_id=c

Known issues & missing features

We have made significant progress towards reaching our first full
(non-beta) release of Suricata. Your feedback is always important to us
and we appreciate your time and effort. As always, we are doing our
best to make you aware of continuing development and items within the
engine that are not yet complete. With this in mind, please notice the
list we have included of known items we are working on.

- Using the http_cookie keyword seems to cause a match on all packets.
- Currently we don't support the dce option for byte_test and byte_jump.
- Stream reassembly is currently only performed for app-layer code.
- Inconsistent time stamps in the http log file due to the handling and
updating of the HTTP state.
- DCE/RPC over UDP is not currently supported.
- dce_stub_data does not respect relative modifiers.
- Engine does not work properly on big endian platforms.
- Time based stats are not calculated correctly.

See https://redmine.openinfosecfoundation.org/projects/suricata/issues
for an up to date list and to report new issues.