Upgrade to suricata 1.1 beta 2 on Smooth-Sec
Since the release of Smooth-Sec this is the first time that we are upgrading suricata. This release brings a lot of new features, improvements and a few fixes. If you want to know more about the new IPS features in Suricata 1.1 beta 2, please refer to Eric Leblond's blog post. Thanks to Victor Julien for all the efforts in the new release.
Please follow these simple steps to upgrade to the new suricata.
# stop suricata
/etc/init.d/suricata stop
# make a backup of the old suricata configuration
cp -a /etc/suricata/ /etc/suricata.1.1beta1
cd /root/
# get the new suricata and install it
git clone git://gitorious.org/smooth-sec/suricata-1-1beta2.git
cd suricata-1-1beta2/
cp suricata.yaml /etc/suricata
dpkg -i suricata_1.1beta2-1_i386.deb
Run "suricata -V" to check that the new version is installed; you must get this output:
This is Suricata version 1.1beta2 (rev )
Then start suricata again:
/etc/init.d/suricata start
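The same procedure wrapped in a script that refuses to overwrite an existing backup and verifies the reported version before the sensor is started again. This is an added example, not part of the Smooth-Sec post; the paths, package name and repository come from the steps above, while the DO_UPGRADE guard is an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the Smooth-Sec post): the upgrade steps above with
# a backup safety check and a version check before suricata is restarted.
set -eu

EXPECTED_VERSION="1.1beta2"
CONF_DIR="/etc/suricata"
BACKUP_DIR="/etc/suricata.1.1beta1"
REPO="git://gitorious.org/smooth-sec/suricata-1-1beta2.git"
DEB="suricata_1.1beta2-1_i386.deb"

# Extract the version token from a line such as
# "This is Suricata version 1.1beta2 (rev )"; prints nothing on other input.
parse_version() {
    printf '%s\n' "$1" | sed -n 's/^This is Suricata version \([^ ]*\).*/\1/p'
}

# Succeed only when the output of "suricata -V" reports the expected version.
version_ok() {
    [ "$(parse_version "$1")" = "$EXPECTED_VERSION" ]
}

upgrade() {
    # Never clobber an earlier backup: it is the only copy of the old config.
    if [ -e "$BACKUP_DIR" ]; then
        echo "backup $BACKUP_DIR already exists, refusing to overwrite" >&2
        exit 1
    fi
    /etc/init.d/suricata stop
    cp -a "$CONF_DIR" "$BACKUP_DIR"
    cd /root
    git clone "$REPO" suricata-1-1beta2
    cd suricata-1-1beta2
    cp suricata.yaml "$CONF_DIR"
    dpkg -i "$DEB"
    # Do not bring the sensor back up on a binary we did not expect.
    out="$(suricata -V 2>&1)"
    if ! version_ok "$out"; then
        echo "unexpected version output, old config kept in $BACKUP_DIR: $out" >&2
        exit 1
    fi
    /etc/init.d/suricata start
}

# Assumed guard: only perform the upgrade when DO_UPGRADE=1 is set, so the
# helper functions can be sourced and checked without touching the system.
if [ "${DO_UPGRADE:-0}" = "1" ]; then
    upgrade
fi
```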
Below, you can find a brief summary of the new suricata functionalities.
New features
- New keyword support: http_raw_uri (including /I for pcre), ssl_state, ssl_version (#258, #259, #260, #262).
- Inline mode for the stream engine (#230, #248).
- New keyword support: nfq_set_mark
- Included an example decoder-events.rules file
- api for adding and selecting runmodes was added
- pcap logging / recording output was added
- basic SCTP protocol parsing was added
- more fine grained CPU affinity setting support was added
Improvements
- stream engine inspects stream in larger chunks
- fast_pattern support for http_method content modifier (#255)
- negation support for isdataat keyword (#257)
- configurable interval for stats.log updates (#247)
- new pf_ring runmode was added that scales better
- pcap live mode now handles the monitor interface going up and down
- several QA additions to “make check”
- NFQ (linux inline) mode was improved
Fixes
- Alerts classification fix (#275)
- compiles and runs on big-endian systems (#63)
- unified2 output works around barnyard2 issues with DLT_RAW + IPv6