Upgrading Suricata 1.4 to Suricata 2.0
Suricata 1.4 to 2.0 is a major upgrade, so there are a number of changes to the configuration file.
The max-sessions variable has been removed. It controlled the maximum number of concurrent TCP sessions. It was redundant, as TCP sessions are tied to flows and thus already bounded by the flow memcap. Additionally, TCP sessions are also limited by stream.memcap.
Since 2.0beta2, the "proxy" part of the HTTP URI is no longer part of the buffer inspected by http_uri.
In a request line like

    GET http://suricata-ids.org/blah/ HTTP/1.1

the normalized URI will now be

    /blah/

This does not affect http_raw_uri, so matching the hostname and the other excluded parts is still possible through that keyword.

Additionally, a new per-personality HTTP option, uri-include-all, was added to change this behavior:

    uri-include-all: <true|false>

Include all parts of the URI. By default the scheme, username/password, hostname and port are excluded. Setting this option to true adds all of them to the normalized URI as inspected by http_uri, urilen, pcre with the /U modifier and the other keywords that inspect the normalized URI. Note that this does not affect http_raw_uri.

So adding uri-include-all: true to all personalities in the yaml will restore the old default behavior.
See ticket #1008.
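The following is an added example, not Suricata's own code, that models the buffer difference described above so a rule author can see which content matches survive the upgrade. It assumes the normalization strips exactly the scheme, userinfo, hostname and port from an absolute-form request URI and leaves the path and query; the request line and rule content used as input are constructed for the example.

```python
"""Model of the Suricata 2.0 http_uri vs http_raw_uri buffers (added example).

Not Suricata code. It assumes that, with uri-include-all false, the normalized
URI keeps only the path and query of an absolute-form request URI, and that
http_raw_uri always holds the URI exactly as sent.
"""
from urllib.parse import urlsplit


def parse_request_line(line: str) -> tuple[str, str, str]:
    """Split 'METHOD URI VERSION' into its three parts."""
    method, uri, version = line.split(" ", 2)
    return method, uri, version


def normalized_uri(request_uri: str, uri_include_all: bool = False) -> str:
    """Return the buffer inspected by http_uri, urilen and pcre /U.

    With uri_include_all=False (the 2.0 default) the scheme, username/password,
    hostname and port of an absolute-form URI are dropped. With True the whole
    request URI is kept, which is the pre-2.0 behavior.
    """
    if uri_include_all:
        return request_uri
    parts = urlsplit(request_uri)
    if not parts.scheme:
        # Origin-form request (e.g. "/blah/"): nothing to strip.
        return request_uri
    # Assumption of this model: an absolute URI with no path is rendered as "/".
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    return uri


def raw_uri(request_uri: str) -> str:
    """http_raw_uri is the URI exactly as it appeared on the request line."""
    return request_uri


def check_rule_content(request_line: str, content: str) -> dict[str, bool]:
    """Report whether a plain content match would hit each buffer.

    Keys name the buffer/setting so the result reads like a rule-migration
    checklist for the given request.
    """
    _, uri, _ = parse_request_line(request_line)
    return {
        "http_uri (2.0 default, uri-include-all false)": content in normalized_uri(uri),
        "http_uri (uri-include-all true)": content in normalized_uri(uri, True),
        "http_raw_uri": content in raw_uri(uri),
    }


if __name__ == "__main__":
    # Constructed request line and rule content, as in the text above.
    line = "GET http://suricata-ids.org/blah/ HTTP/1.1"
    for buf, hit in check_rule_content(line, "suricata-ids.org").items():
        print(f"content:\"suricata-ids.org\" against {buf}: {'match' if hit else 'no match'}")
```

A rule that matched the hostname with content followed by http_uri under 1.4 reports no match against the 2.0 default buffer but still matches http_raw_uri, which is the choice the text leaves you: move such rules to http_raw_uri, or set uri-include-all: true alongside the personality setting of every libhtp configuration.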