Upgrading Suricata 1.1 to Suricata 1.2
A lot has been changed and improved between Suricata 1.1 and 1.2.
Building from source
Because of the new "filemagic" keyword, Suricata now needs libmagic. During the build process the header "magic.h" is required. The development package is usually easy to install through your distro.
For Debian/Ubuntu:
apt-get install libmagic-dev
For Fedora/CentOS:
yum install file-devel
Unified2 size limits in suricata.yaml
In 1.2 the size limits in suricata.yaml use a new, unified format: 1mb is 1 megabyte, 1kb is 1 kilobyte, and a bare number like 128 means 128 bytes.
This affects the unified2 output module.
In 1.1 the configuration looked like this:
  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
      # Limit in MB.
      limit: 32
In the new 1.2 logic this would mean a 32 byte file size limit, so Suricata tries to autodetect that the old meaning (megabytes) was intended. If it does, it tells you:
unified2-alert "limit" value of 32 assumed to be pre-1.2 style: setting limit to 32mb
It's recommended to review your suricata.yaml and update it to:
  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
      # File size limit. Can be specified in kb, mb, gb. Just a number
      # is parsed as bytes.
      limit: 32mb
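The following is an added example, not Suricata's own code: a small checker that applies the 1.2 size-limit rules described above (bare number is bytes, kb/mb/gb suffixes) and the unified2 compatibility rule that reinterprets an old-style bare "limit" as megabytes. The cut-off below which a bare number is assumed to be pre-1.2 style (1 MB here) is an assumption; the page only shows that 32 is treated as 32mb.

```python
import re

# Suffix multipliers for the 1.2-style size format: a bare number is bytes.
_UNITS = {"": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

# Assumption (not stated on the page): a suffix-less unified2 limit smaller
# than this is taken as an old 1.1-style value given in megabytes.
PRE_1_2_THRESHOLD = 1024 ** 2


def parse_size(value):
    """Convert a 1.2-style size string ('128', '1kb', '32mb', '2gb') to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]b)?\s*", str(value), re.IGNORECASE)
    if m is None:
        raise ValueError("invalid size limit: %r" % (value,))
    number = int(m.group(1))
    unit = (m.group(2) or "").lower()
    return number * _UNITS[unit]


def unified2_limit(value):
    """Resolve the unified2-alert 'limit' setting as the upgrade note describes.

    Returns (limit_in_bytes, warning). The warning is None when the value was
    taken as written, or the compatibility message when a small bare number
    was reinterpreted as megabytes.
    """
    raw = str(value).strip()
    size = parse_size(raw)
    # Only a suffix-less number can be an old-style megabyte value.
    if raw.isdigit() and size < PRE_1_2_THRESHOLD:
        warning = ('unified2-alert "limit" value of %d assumed to be pre-1.2 '
                   'style: setting limit to %dmb' % (size, size))
        return size * 1024 ** 2, warning
    return size, None


def suggested_limit(value):
    """Return the explicit 1.2-style value to put in suricata.yaml, or None if fine."""
    _, warning = unified2_limit(value)
    return "%smb" % str(value).strip() if warning else None


if __name__ == "__main__":
    for v in ("32", "32mb", "128", "1kb"):
        print(v, "->", unified2_limit(v), "suggest:", suggested_limit(v))
```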