Upgrading Suricata 1.0 to Suricata 1.1¶
A lot has been changed and improved between Suricata 1.0 and 1.1.
A new default pattern matcher algorithm was added: "ac", an Aho-Corasick implementation. To enable it, change your mpm-algo setting in your suricata.yaml:
The unified1 output has been replaced with the superior unified2 output. It requires Barnyard2 to be used instead of Barnyard 0.2.0.
If you're using Suricata as an IPS, after upgrade you may want to enable the inline mode for the stream engine in your suricata.yaml:
stream: memcap: 33554432 # 32mb checksum_validation: yes # reject wrong csums inline: yes # stream inline mode
This will improve Suricata's ability to drop more advanced attacks as they are going on.
PF_RING acquisition module¶
PF_RING acquisition module has evolved but backward compatibility is supported. Although, it is recommended to switch to the new configuration format.
Previous configuration format was only able to deal with one interface:
pfring: - interface: eth1 - threads: 4
With the new configuration format below, multiple network interfaces are now supported and each configuration variable is specific to a given interface:
pfring: - interface: eth4 threads: 8 cluster-id: 99 cluster-type: cluster_flow - interface: eth1 threads: 2 cluster-id: 98 cluster-type: cluster_round_robin