Upgrading Suricata 3.0 to Suricata 3.0.1
New options / features
Hyperscan MPM
mpm-algo can now be set to 'hs'. Hyperscan support must be compiled in first. See Hyperscan
decoder stats
For each type of 'decoder event' there is now a counter in the stats.log. #1740.
Example:
decoder.ipv4.trunc_pkt         | Total | 25845532
decoder.icmpv4.ipv4_trunc_pkt  | Total | 3
decoder.tcp.invalid_optlen     | Total | 1
decoder.tcp.opt_invalid_len    | Total | 5
One side effect of this is that the stats.log can be much bigger.
It's worthwhile to consider disabling the 'null-values' option:
# Stats.log contains data from various counters of the suricata engine.
- stats:
    enabled: yes
    filename: stats.log
    totals: yes       # stats for all threads merged together
    threads: no       # per thread stats
    null-values: no
This will only print those counters with a non-zero value.
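As an added example (not code from the Suricata project), a small Python parser for stats.log lines in the layout shown above: it picks out the per-event decoder counters, drops zero-valued ones the way 'null-values: no' does, and flags events that make up a large share of all decoded packets. The sample lines are constructed, and the use of decoder.pkts as the packet total and the "three or more name components means event counter" rule are assumptions.

```python
import re
from typing import Dict

# Constructed sample of stats.log lines in the "counter | Total | value" layout
# shown above. Names follow Suricata's decoder.<proto>.<event> scheme; the
# values are invented for this example.
SAMPLE_STATS_LOG = """\
decoder.pkts                   | Total | 26000000
decoder.ipv4                   | Total | 25990000
decoder.ipv4.trunc_pkt         | Total | 25845532
decoder.icmpv4.ipv4_trunc_pkt  | Total | 3
decoder.tcp.invalid_optlen     | Total | 1
decoder.tcp.opt_invalid_len    | Total | 5
decoder.ipv6.trunc_pkt         | Total | 0
decoder.udp.hlen_invalid       | Total | 0
tcp.sessions                   | Total | 12345
"""

# name | scope | integer value; banners, separators and blank lines won't match
STATS_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*\|\s*[A-Za-z0-9_]+\s*\|\s*(\d+)\s*$")

def parse_stats_log(text: str) -> Dict[str, int]:
    """Return {counter_name: value} for every parseable stats.log line."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = STATS_LINE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def decoder_event_counters(counters: Dict[str, int], null_values: bool = False) -> Dict[str, int]:
    """Select decoder event counters (decoder.<proto>.<event>), i.e. names with
    three or more components (assumption); decoder.pkts / decoder.ipv4 are packet
    counters. null_values=False mirrors 'null-values: no' and drops zero counters."""
    return {name: value for name, value in counters.items()
            if name.startswith("decoder.") and name.count(".") >= 2
            and (null_values or value != 0)}

def decoder_event_ratio(counters: Dict[str, int], threshold: float) -> Dict[str, float]:
    """Decoder events whose share of decoder.pkts (assumed total) is >= threshold.
    A truncation event near 1.0 usually means a capture/snaplen problem."""
    total = counters.get("decoder.pkts", 0)
    if total == 0:
        return {}
    return {name: value / total
            for name, value in decoder_event_counters(counters).items()
            if value / total >= threshold}
```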
Changed / fixed behaviour
SMTP inspection
Before 3.0.1, the YAML values for SMTP inspection were not used. Instead built-in defaults were used. #1646
The settings are used now and better defaults have been chosen:
app-layer:
  protocols:
    smtp:
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
Misc
PCRE on Debian
Debian ships a pretty old PCRE version (8.35) that has (or had) a buggy JIT implementation. We now disable JIT if 8.35 is detected. #1693