Upgrading Suricata 1.0 to Suricata 1.1
A lot has changed and improved between Suricata 1.0 and 1.1.
Performance
A new default pattern matcher algorithm was added: "ac", an Aho-Corasick implementation. To enable it, change your mpm-algo setting in your suricata.yaml:
mpm-algo: ac
Unified output
The unified1 output has been replaced with the superior unified2 output. It requires Barnyard2 to be used instead of Barnyard 0.2.0.
Inline mode
If you're using Suricata as an IPS, after upgrade you may want to enable the inline mode for the stream engine in your suricata.yaml:
stream:
  memcap: 33554432            # 32mb
  checksum_validation: yes    # reject wrong csums
  inline: yes                 # stream inline mode
This will improve Suricata's ability to drop more advanced attacks while they are in progress.
PF_RING acquisition module
The PF_RING acquisition module has evolved, but backward compatibility is maintained. Switching to the new configuration format is recommended nonetheless.
The previous configuration format could only handle one interface:
pfring:
  - interface: eth1
  - threads: 4
With the new configuration format below, multiple network interfaces are now supported and each configuration variable is specific to a given interface:
pfring:
  - interface: eth4
    threads: 8
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: eth1
    threads: 2
    cluster-id: 98
    cluster-type: cluster_round_robin
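As an added example (not part of the original page or the Suricata project), the following Python linter checks an already parsed suricata.yaml for the four upgrade points above and rewrites the old single-interface pfring list into the per-interface form. It assumes the unified1 output sections are named unified-log and unified-alert, and the sample config is constructed.

```python
# Added example, not code from the Suricata project: lint a parsed suricata.yaml
# for the 1.0 -> 1.1 points above. Input is the dict/list structure yaml.safe_load()
# returns; the sample config at the bottom is constructed, and the unified1 section
# names "unified-log"/"unified-alert" are assumed rather than taken from this page.

def _yes(value):
    """YAML 1.1 loaders turn 'yes' into True; accept either spelling."""
    return value is True or str(value).lower() == "yes"

def check_mpm(cfg):
    algo = cfg.get("mpm-algo")
    return [] if algo == "ac" else [f"mpm-algo is {algo!r}; set it to 'ac'"]

def check_outputs(cfg):
    """Flag enabled unified1 outputs, which Barnyard2 cannot consume."""
    hits = []
    for entry in cfg.get("outputs") or []:
        for name, opts in entry.items():
            if name in ("unified-log", "unified-alert") and _yes((opts or {}).get("enabled")):
                hits.append(f"{name} is unified1; switch to unified2 and Barnyard2")
    return hits

def check_stream(cfg, ips_mode):
    """An IPS should run the stream engine inline to drop attacks mid-stream."""
    stream = cfg.get("stream") or {}
    if ips_mode and not _yes(stream.get("inline")):
        return ["stream.inline is not 'yes'; enable it for IPS deployments"]
    return []

def migrate_pfring(cfg):
    """Merge the old one-setting-per-item pfring list into one item per interface."""
    old = cfg.get("pfring")
    if not (isinstance(old, list) and old and all(len(item) == 1 for item in old)):
        return cfg  # already the new per-interface format, or no pfring section
    merged = {k: v for item in old for k, v in item.items()}
    return {**cfg, "pfring": [merged]}

def lint(cfg, ips_mode=False):
    """Collect every upgrade finding for a config; an empty list means nothing to do."""
    findings = check_mpm(cfg) + check_outputs(cfg) + check_stream(cfg, ips_mode)
    if migrate_pfring(cfg) is not cfg:
        findings.append("pfring uses the old single-interface format; migrate it")
    return findings

# Constructed sample: a 1.0-era config running as an IPS (b2g is a pre-1.1 matcher).
OLD_CFG = {
    "mpm-algo": "b2g",
    "outputs": [{"unified-log": {"enabled": True}}, {"fast": {"enabled": True}}],
    "stream": {"memcap": 33554432, "checksum_validation": True},
    "pfring": [{"interface": "eth1"}, {"threads": 4}],
}
```

Load the real file with yaml.safe_load() and pass the result to lint(); the migrated pfring section from migrate_pfring() can be dumped back out with yaml.safe_dump().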