Upgrading Suricata 1.2 to Suricata 1.3

A lot has been changed and improved between Suricata 1.2 and 1.3.

suricata.yaml now generated by the build system

The file suricata.yaml.in in the source tree is the template used to generate the final suricata.yaml. Paths are set based on the configure script arguments.

"file" module

The "file" output module has been renamed to "file-store".

HTTP Host Header ambiguous behaviour changed

Previously the app-layer-event:http.host_header_ambiguous; event was set whenever an HTTP request carried both a hostname in the URI and a Host header. From 1.3 this flag is only set if the values in the two fields differ from each other.

The rules/http-events.rules file ships with this rule:

alert http any any -> any any (msg:"SURICATA HTTP Host header ambiguous";   \
    flow:established,to_server; app-layer-event:http.host_header_ambiguous; \
    flowint:http.anomaly.count,+,1; classtype:protocol-command-decode;      \
    sid:2221015; rev:1;)

http_header and http_cookie changes

The http_header buffer now excludes the "Cookie" header, which is no longer part of the inspected buffer. See #461.

In addition, http_cookie now inspects the response header "Set-Cookie" as well. This header is likewise excluded from the http_header inspection.
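The following added example (not Suricata's own code) models the two behaviour changes described on this page: the 1.2 versus 1.3 condition for the http.host_header_ambiguous event, and the 1.3 split of request and response headers into the http_header buffer (everything except Cookie and Set-Cookie) and the http_cookie buffer (Cookie on requests, Set-Cookie on responses). The parsing helper, function names and sample messages are constructed here for illustration and are not the engine's internal API.

```python
# Added example, not Suricata's code: a small model of the 1.3 buffer split and
# of when the http.host_header_ambiguous event fires. Parser and samples are
# constructed for illustration only.
from urllib.parse import urlsplit


def parse_http(raw: bytes):
    """Split a raw HTTP request or response into (start_line, headers).

    headers is a list of (name, value) pairs in wire order; the body is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    start_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip malformed header lines
        headers.append((name.strip(), value.strip()))
    return start_line, headers


def header_values(headers, name):
    """All values for a header name, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def http_header_buffer(headers):
    """Model of the 1.3 http_header buffer: every header except Cookie
    (requests) and Set-Cookie (responses), reassembled as 'Name: value\\r\\n'."""
    excluded = {"cookie", "set-cookie"}
    return "".join(f"{n}: {v}\r\n" for n, v in headers if n.lower() not in excluded)


def http_cookie_buffer(headers):
    """Model of the 1.3 http_cookie buffer: Cookie on the request side,
    Set-Cookie on the response side."""
    return "\r\n".join(header_values(headers, "Cookie") + header_values(headers, "Set-Cookie"))


def uri_host(request_line):
    """Hostname from an absolute-form request URI, or None for origin-form
    targets and for response status lines."""
    parts = request_line.split(" ")
    if len(parts) < 2 or "://" not in parts[1]:
        return None
    return urlsplit(parts[1]).hostname


def host_header_ambiguous(raw: bytes, version: str = "1.3") -> bool:
    """Return True if the http.host_header_ambiguous event would be raised.

    version="1.2": both a URI hostname and a Host header are present.
    version="1.3": both are present AND their values differ.
    """
    start, headers = parse_http(raw)
    uh = uri_host(start)
    hosts = header_values(headers, "Host")
    if uh is None or not hosts:
        return False
    if version == "1.2":
        return True
    # Compare hostnames only; a ':port' suffix on the Host header is ignored.
    return uh.lower() != hosts[0].split(":")[0].lower()


# Constructed sample messages (not captured traffic).
REQ_AGREE = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
             b"Host: www.example.com\r\n"
             b"Cookie: session=abc123\r\n"
             b"User-Agent: demo\r\n\r\n")
REQ_DIFFER = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
              b"Host: other.example.net\r\n\r\n")
RESP = (b"HTTP/1.1 200 OK\r\n"
        b"Set-Cookie: session=abc123; HttpOnly\r\n"
        b"Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    for label, msg in (("agree", REQ_AGREE), ("differ", REQ_DIFFER)):
        print(label, "1.2:", host_header_ambiguous(msg, "1.2"),
              "1.3:", host_header_ambiguous(msg, "1.3"))
    _, req_headers = parse_http(REQ_AGREE)
    print(repr(http_header_buffer(req_headers)))
    print(repr(http_cookie_buffer(req_headers)))
```

Running the script shows the practical consequence for rule writers: a request whose URI host and Host header agree raised the event under the 1.2 logic but stays silent under 1.3, while a content match for a cookie value must now use http_cookie, because the cookie headers never reach the http_header buffer.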