I am going to update you about much-anticipated release of Suricata 7, marking a significant milestone in the evolution of this high-performance Network Threat Detection, IDS, IPS, and Network Security Monitoring engine. The development team at the Open Information Security Foundation (OISF) and the vibrant community have worked tirelessly to bring forth a host of new features, performance improvements, and security enhancements.
Main Features
| Feature/Aspect | Suricata 6 | Suricata 7 |
|---|---|---|
| Packet Processing | DPDK IDS/IPS 50 support | DPDK IDS/IPS 60 support for primary mode |
| HTTP/HTTP2 Inspection | Basic header inspection | New keywords added for header inspection |
| TLS Enhancements | – | Client certificate logging and detection |
| Bittorrent Support | Not available | Bittorrent parser added by Aaron Bungay |
| IPS Default Behavior | Exception policies default to “Pass” | Exception policies default to “Drop” |
| EVE Logging | – | Documented and validated with a JSON schema |
| Performance Improvements | – | Various performance-related counters, stream buffer optimization |
| Security Enhancements | – | Linux Landlock support, setrlimit usage to prevent process creation |
| Network Protocols | Limited protocol support | QUICv1, GQUIC, PostgreSQL, HTTP/2 improvements |
| Rules and Keywords | Basic rule keywords | New rule keywords for DHCP, Kerberos, SNMP, TLS, QUIC |
| Output and Logging | Limited conditional packet capture | Conditional packet capture, new “stream” EVE output type |
| Dev Corner Updates | Not specified | Total code changes, stricter C compiler flags, Rust parser upgrades |
| Upgrade Notes | – | Pcre2 integration, minimum supported Rust version update, library changes |
1. Enhanced Packet Processing with DPDK IDS/IPS Support
- Suricata 7 introduces DPDK IDS/IPS 60 support for primary mode, enhancing packet processing capabilities and ensuring optimal performance.
2. Advanced AF_XDP IDS Support
- Richard McConnell at Rapid7 contributes AF_XDP IDS 30 support, further expanding the engine’s capabilities for efficient and high-speed packet processing.
3. Extended HTTP/HTTP2 Inspection
- New keywords for header inspection in HTTP/HTTP2 protocols provide enhanced visibility and control over web traffic.
4. TLS Improvements
- Suricata 7 brings client certificate logging and detection in TLS, bolstering security measures for encrypted communications.
5. Bittorrent Parser
- Aaron Bungay contributes a Bittorrent parser, adding support for this popular peer-to-peer file-sharing protocol.
6. Improved IPS Default DROP Behavior
- Exception policies now default to DROP behavior, enhancing the default security stance for intrusion prevention.
7. EVE Documentation and Validation
- Event (EVE) logging is documented and validated with a JSON schema, ensuring comprehensive and standardized event reporting.
8. Performance Improvements Across the Board
- Suricata 7 boasts numerous performance improvements, including optimizations in file data processing, SMB, hash calculation, and flow management.
9. Stream Buffer Efficiency
- The stream buffer, utilized by the stream engine, file tracking, and more, is now more memory-efficient, contributing to overall system optimization.
Secure Deployment and Security Enhancements
1. Linux Landlock Support
- Eric Leblond introduces Linux Landlock support, enhancing the security posture of Suricata deployments.
2. Secure Settings by Default
- Suricata 7 defaults to secure settings for Datasets and Lua, ensuring a robust and secure configuration out of the box.
3. Network Service Header
- The addition of Network Service Header enhances network service identification, contributing to a more secure network environment.
Protocol and Rules Updates
1. Expanded Protocol Support
- Suricata 7 adds support for QUICv1, GQUIC, PostgreSQL, VN-Tag, and IKEv1, among others, expanding the range of supported protocols.
2. Rule Keywords and Rule Set Updates
- New rule keywords for DHCP, Kerberos, SNMP, TLS, QUIC, and experimental class of keywords through “frames API” have been introduced.
3. IPS Exception Policies
- Exception policies have been added to provide better control over packet handling, especially in conditions like hitting memory caps.
Output and Dev Corner
1. Flexible Packet Capture
- Conditional packet capture allows packets to be written to disk only after an alert has been triggered, providing flexibility in capturing relevant data.
2. Enhanced Logging and Debugging
- The new “stream” EVE output type facilitates debugging of the stream engine, and log engine verdicts on rejected/dropped/passed packets for improved visibility.
3. Development Corner Updates
- Suricata 7 includes total code changes, stricter C compiler flags, expanded CI, upgraded Rust parsers, and more, demonstrating a commitment to continuous improvement.
Upgrade Notes
1. Pcre2 Integration
- Suricata 7.0 now uses pcre2 instead of pcre1 for regular expression matching.
2. Minimum Supported Rust Version
- The MSRV (minimum supported Rust version) has been updated to 1.63.0 from 1.41.1 minimum in Suricata 6.0.
3. Library Updates
- Support for Prelude (libprelude) has been removed, and Suricata 7.0 requires and bundles libhtp 0.5.45.
For more detailed information on upgrading from Suricata 6 to 7, refer to the official documentation [here](https://github.com/OISF/suricata/blob/master/Upgrading from 6 to 7).
In conclusion, Suricata 7 represents a substantial step forward in network security, with its comprehensive feature set, improved performance, and heightened security measures. The development team and the community continue to demonstrate their dedication to providing a robust and cutting-edge open-source security solution.
To experience the power of Suricata 7 firsthand, download the latest release here.
Leave a Reply