Upgrading Suricata 1.4 to Suricata 2.0

Suricata 1.4 to 2.0 is a major upgrade, so there are a number of changes to the configuration file.

Stream engine

The max-sessions variable has been removed. It controlled the max amount of concurrent TCP sessions. It was redundant as TCP sessions are connected to flows and thus controlled by the flow memcap. Additionally, TCP sessions are also limited by stream.memcap.

HTTP Inspection

Since 2.0beta2, the "proxy" part of the HTTP URI is no longer part of the buffer inspected by http_uri.

    In a request line like:
      GET http://suricata-ids.org/blah/ HTTP/1.1
    the normalized URI will now be:
      /blah/

    This doesn't affect http_raw_uri, so matching the hostname, etc. is still
    possible through that keyword.

    Additionally, a new per HTTP 'personality' option was added to change
    this behavior: "uri-include-all":

      uri-include-all: <true|false>
        Include all parts of the URI. By default the
        'scheme', username/password, hostname and port
        are excluded. Setting this option to true adds
        all of them to the normalized uri as inspected
        by http_uri, urilen, pcre with /U and the other
        keywords that inspect the normalized uri.
        Note that this does not affect http_raw_uri.

    So adding uri-include-all:true to all personalities in the yaml will
    restore the old default behavior.

See ticket #1008.
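To make the effect on existing rules concrete, here is an added Python illustration (not Suricata or libhtp code) of the two buffers for the request line quoted above. It models only the "proxy part" stripping described on this page; libhtp's other normalization steps (percent-decoding, path compression) are out of scope, and the `http_buffers` / `rule_matches` helper names are invented for this example.

```python
"""Added illustration of the Suricata 2.0 http_uri change (not Suricata code).

Only the scheme/userinfo/host/port stripping described above is modelled.
"""
from urllib.parse import urlsplit


def http_buffers(request_line: str, uri_include_all: bool = False) -> dict:
    """Return the http_raw_uri and http_uri buffers for one request line.

    http_raw_uri is the request-target exactly as sent. http_uri is the
    normalized URI: with 2.0 defaults an absolute-form target loses its
    scheme, user:password, hostname and port; uri-include-all: true keeps them.
    """
    _method, target, _version = request_line.split(" ", 2)
    if uri_include_all or "://" not in target:
        # Origin-form request, or the personality was told to include everything.
        return {"http_raw_uri": target, "http_uri": target}
    parts = urlsplit(target)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return {"http_raw_uri": target, "http_uri": path}


def rule_matches(request_line: str, content: str, buffer: str,
                 uri_include_all: bool = False) -> bool:
    """Emulate a plain 'content:"..."; <buffer>;' check against one request line."""
    return content in http_buffers(request_line, uri_include_all)[buffer]


# Constructed request line, modelled on the one quoted in this page.
REQUEST = "GET http://suricata-ids.org/blah/ HTTP/1.1"

if __name__ == "__main__":
    for include_all in (False, True):
        bufs = http_buffers(REQUEST, include_all)
        hit = rule_matches(REQUEST, "suricata-ids.org", "http_uri", include_all)
        print(f"uri-include-all={include_all}: {bufs} hostname-in-http_uri={hit}")
```

A rule that matched the hostname via `http_uri` under 1.4 stops firing after the upgrade unless `uri-include-all: true` is set or the rule is moved to `http_raw_uri`; the script shows both outcomes side by side.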