Software update: Suricata 3.2


Version 3.2 of Suricata has been released. Suricata is an open source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring engine. It can be used to monitor network traffic and alert a system administrator if anything suspicious is detected. Development is overseen by the Open Information Security Foundation, with support from the community and various vendors. Data collected with its JSON-based logging system, Eve, can be fed into tools such as Logstash to present the information graphically. The following improvements have been made in this release:

Suricata 3.2 available!

Suricata 3.2 comes with some new features that can help a Meerkat to stay awake when on a guard watch. The support of industrial networks has been greatly improved with the addition of two new protocols, DNP3 and CIP/ENIP. But we can’t forget the improvements on the TLS side with new fields available for matching and logging such as certificate validity dates. On file matching and logging, it is now possible to use SHA1/SHA256 in addition to the obsolete MD5.

On the performance side, Suricata 3.2 runs as fast as a Cheetah with the addition of the bypass mechanism that can help to fix the challenging Elephant flows. Another big improvement comes from the pre-filter system that allows packet inspecting keywords to be much faster.

Documentation has received a huge overhaul, with PDF and other formats now available.

On the usability side, one can note that incompatible NIC offloading is now switched off by default. Also, the unix command socket is now enabled by default.

Big changes

  • bypass
  • pre-filter — fast packet keywords
  • TLS improvements
  • SCADA/ICS protocol additions: DNP3 CIP/ENIP
  • SHA1/SHA256 for file matching, logging & extraction
  • Sphinx documentation

Visible smaller changes

  • NIC offloading disabled by default
  • unix command socket enabled by default
  • App Layer stats

Under the hood

  • threading simplification (log api + no more thread restarts)
  • flow manager optimization
  • simplify adding keywords
  • luajit improvements wrt memory handling in large deployments

Logstash/Kibana fed with Suricata's JSON output.
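As an added example (not code from this page or from the Suricata project), a small consumer for the Eve JSON output mentioned above: it flags TLS sessions whose certificate had already passed its notafter date at the time of the connection, and files whose logged SHA-256 is on a watchlist. The sample log lines and the watchlist digest are constructed, and the field names tls.notbefore/notafter and fileinfo.sha256 are assumed from the Eve format rather than taken from this page.

```python
import json
from datetime import datetime, timezone

# Constructed sample eve.json lines, not a real capture. Field names
# (tls.notbefore/notafter, fileinfo.sha256) are assumed from the Eve format.
SAMPLE_EVE = """\
{"timestamp":"2016-11-20T10:00:00.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","tls":{"subject":"CN=expired.test","issuerdn":"CN=Example CA","notbefore":"2015-01-01T00:00:00","notafter":"2016-01-01T00:00:00"}}
{"timestamp":"2016-11-20T10:00:01.000000+0000","event_type":"tls","src_ip":"10.0.0.6","dest_ip":"203.0.113.8","tls":{"subject":"CN=valid.test","issuerdn":"CN=Example CA","notbefore":"2016-06-01T00:00:00","notafter":"2017-06-01T00:00:00"}}
{"timestamp":"2016-11-20T10:00:02.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.9","dest_ip":"10.0.0.7","fileinfo":{"filename":"/update.exe","sha256":"CONSTRUCTED_SHA256_PLACEHOLDER","size":1234}}
not json at all
"""
# Constructed watchlist; a real one holds SHA-256 digests from threat intel.
WATCHLIST = {"CONSTRUCTED_SHA256_PLACEHOLDER"}

def parse_eve(text):
    """One dict per well-formed JSON line; blank or broken lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or foreign line must not abort the run
    return events

def _utc(ts):
    """Parse an Eve timestamp or a certificate date into an aware UTC datetime."""
    if "." in ts:  # event timestamp, e.g. 2016-11-20T10:00:00.000000+0000
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def expired_certs(events):
    """(dest_ip, subject) for TLS sessions seen after the certificate's notafter."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "tls" or "notafter" not in ev.get("tls", {}):
            continue
        if _utc(ev["timestamp"]) > _utc(ev["tls"]["notafter"]):
            hits.append((ev["dest_ip"], ev["tls"]["subject"]))
    return hits

def watchlisted_files(events, watchlist=WATCHLIST):
    """Filenames whose logged SHA-256 is on the watchlist."""
    return [ev["fileinfo"]["filename"] for ev in events
            if ev.get("event_type") == "fileinfo"
            and ev["fileinfo"].get("sha256") in watchlist]
```

Run it over a real eve.json by replacing SAMPLE_EVE with the file's contents; the same two checks can be expressed as Logstash filters once the field names are confirmed against your installation.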

Version number: 3.2
Release status: Final
Operating systems: Windows 7, Linux, BSD, macOS, Windows 8, Windows 10
Website: Suricata
Download
File size: 11.19MB
License type: Conditions (GNU/BSD/etc.)