Upgrading Suricata 2.0 to Suricata 3.0
Changed defaults
unified2
The Unified2 output is now disabled by default in the default config. If you need it, enable it by setting "enabled" to "yes":
outputs:
  ...
  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
  ...
Installation changes
PF_RING
If you run into the following error:
/usr/local/pfring/lib/libpfring.so: undefined reference to `clock_gettime'
You have an old glibc version (before 2.17) and you need to extend ./configure like this:
LIBS="-lrt" ./configure ...
Changes in Configuration
stats
In 2.x and prior the stats logging in the yaml would look like:
outputs:
  # Stats.log contains data from various counters of the suricata engine.
  # The interval field (in seconds) tells after how long output will be written
  # on the log file.
  - stats:
      enabled: yes
      filename: stats.log
      interval: 8
This will still work in 3.0.
However, if you want to enable the JSON stats or use Lua scripts with the stats, you will need the new settings:
# global stats configuration
stats:
  enabled: yes
  # The interval field (in seconds) controls at what interval
  # the loggers are invoked.
  interval: 8
This sits in the root of the yaml file.
Then to enable JSON stats in EVE:
outputs:
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      types:
        - stats:
            totals: yes       # stats for all threads merged together
            threads: no       # per thread stats
            deltas: no        # include delta values
Removed Functionality
unix socket 'dump-counters'
During the overhaul of the stats/counters subsystem, the unix socket 'dump counters' feature was removed (#1695). To get JSON stats over a unix socket, configure 'eve' as follows.
- eve-log:
    enabled: yes
    filetype: unix_stream
    filename: /tmp/eve-stats.sock
    types:
      - stats:
          totals: yes       # stats for all threads merged together
          threads: no       # per thread stats
          deltas: no        # include delta values
Note that you can have multiple 'eve-log' outputs in your outputs list.
This configuration will tell Suricata to connect to an existing socket.
As an example, to get the stats, start the following command before you start Suricata:
nc -U /tmp/eve-stats.sock -l
{"timestamp":"2016-02-09T09:25:23.000203+0100","event_type":"stats","stats":{"uptime":8,"decoder":{"pkts":1011520,"bytes":263113456,"invalid":0,"ipv4":1009175,"ipv6":65,"ethernet":1011520,"raw":0,"null":0,"sll":0,"tcp":781882,"udp":66707,"sctp":0,"icmpv4":160088,"icmpv6":0,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":65,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":260,"max_pkt_size":1514,"erspan":0},"flow":{"memcap":0,"spare":9988,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":22,"memuse":7801216},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":95678,"ssn_memcap_drop":0,"pseudo":10262,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":200634,"synack":42724,"rst":191314,"segment_memcap_drop":0,"stream_depth_reached":18,"reassembly_gap":1,"memuse":452752,"reassembly_memuse":12320544},"detect":{"alert":0},"flow_mgr":{"closed_pruned":94046,"new_pruned":2858,"est_pruned":821},"dns":{"memuse":50409,"memcap_state":0,"memcap_global":0},"http":{"memuse":11768146,"memcap":0}}}
Note: it's also possible to start after Suricata has started. Suricata will issue some warning messages, but will (re)connect to the socket once it's available (again).
As a bonus, to pretty things up:
nc -U /tmp/eve-stats.sock -l|jq -c .
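The listening side of the socket exchange above, written out as an added example that is not Suricata's own code and does not come from this page: a small Python collector that binds the Unix stream socket the eve-log unix_stream output connects to, reads the newline-delimited stats events, and, since deltas: no means every counter in a record is a running total since start-up, differences consecutive snapshots and flags the counters whose growth means the sensor is losing visibility (memcap hits, session drops, invalid packets). The two sample events, the temporary socket path and the helper names (flatten, counter_deltas, serve_stats, fake_suricata, demo) are constructed for the example; the choice of which counters to treat as loss indicators is an assumption based on the field names in the record shown above.

```python
import json
import os
import socket
import tempfile
import threading

# Constructed sample records (not captured from a real sensor): two consecutive
# EVE stats events in the Suricata 3.0 shape, emitted with 'deltas: no', so every
# counter is a running total since start-up rather than a per-interval value.
SAMPLE_EVENTS = [
    {"timestamp": "2016-02-09T09:25:23.000203+0100", "event_type": "stats",
     "stats": {"uptime": 8,
               "decoder": {"pkts": 1011520, "bytes": 263113456, "invalid": 0},
               "tcp": {"sessions": 95678, "ssn_memcap_drop": 0},
               "detect": {"alert": 0},
               "flow": {"memcap": 0, "memuse": 7801216}}},
    {"timestamp": "2016-02-09T09:25:31.000417+0100", "event_type": "stats",
     "stats": {"uptime": 16,
               "decoder": {"pkts": 1520000, "bytes": 400000000, "invalid": 3},
               "tcp": {"sessions": 140000, "ssn_memcap_drop": 2},
               "detect": {"alert": 5},
               "flow": {"memcap": 1, "memuse": 8000000}}},
]

# Assumption for this example: counters whose growth between two snapshots means
# traffic is not being fully inspected (memory caps hit, sessions dropped, bad packets).
LOSS_COUNTERS = ("decoder.invalid", "tcp.ssn_memcap_drop", "flow.memcap")


def flatten(stats, prefix=""):
    """Turn the nested 'stats' object into dotted counter names, e.g. 'decoder.pkts'."""
    out = {}
    for key, value in stats.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        elif isinstance(value, (int, float)):
            out[name] = value
    return out


def counter_deltas(prev, curr):
    """Difference two running-total snapshots; counters missing from either side are skipped.
    Note that memuse-style gauges can legitimately go down, so their delta may be negative."""
    return {k: curr[k] - prev[k] for k in curr if k in prev}


def loss_indicators(deltas):
    """Return only the loss-related counters that increased during this interval."""
    return {k: v for k, v in deltas.items() if k in LOSS_COUNTERS and v > 0}


def listen_on(sock_path):
    """Create the Unix stream socket Suricata will connect to (removing a stale file first)."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    return srv


def serve_stats(srv, n_events, results):
    """Accept one client, parse n_events newline-delimited JSON records and append
    (deltas, loss_indicators) for every interval between two stats records to results."""
    conn, _ = srv.accept()
    prev = None
    seen = 0
    with conn, conn.makefile("r", encoding="utf-8") as lines:
        for line in lines:
            event = json.loads(line)
            if event.get("event_type") != "stats":
                continue  # the same eve-log output may also carry other event types
            curr = flatten(event["stats"])
            if prev is not None:
                deltas = counter_deltas(prev, curr)
                results.append((deltas, loss_indicators(deltas)))
            prev = curr
            seen += 1
            if seen >= n_events:
                break
    srv.close()


def fake_suricata(sock_path, events):
    """Stand-in for Suricata's unix_stream writer: connect and send one JSON object per line."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(sock_path)
    for event in events:
        cli.sendall((json.dumps(event) + "\n").encode("utf-8"))
    cli.close()


def demo():
    """Run listener and writer end to end on a temporary socket; return the per-interval results."""
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "eve-stats.sock")
    srv = listen_on(sock_path)  # bound and listening before the writer connects, so no race
    results = []
    server = threading.Thread(target=serve_stats, args=(srv, len(SAMPLE_EVENTS), results))
    server.start()
    fake_suricata(sock_path, SAMPLE_EVENTS)
    server.join(timeout=5)
    os.unlink(sock_path)
    os.rmdir(tmpdir)
    return results


if __name__ == "__main__":
    for deltas, loss in demo():
        print("packets this interval:", deltas["decoder.pkts"], "alerts:", deltas["detect.alert"])
        print("loss indicators:", loss)
```

In production the listener would bind /tmp/eve-stats.sock from the configuration above (Suricata retries the connection until the path exists), run for the sensor's lifetime instead of stopping after a fixed number of events, and hand the per-interval deltas to whatever metrics or alerting pipeline is in use; a rising loss indicator is the signal that drops or memcap tuning need attention before the detection coverage silently degrades.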
Obsolete options
detect-engine rule-reload
detect-engine:
  ...
  - rule-reload: true
The reloading is no longer optional. It's enabled by default and can be triggered by sending a USR2 signal or through the unix socket interface.
Errata / Regressions
Some PF_RING users report crashes: #1669
Endace DAG support only works when running as root now (no dropping privs): #1682
Unix-socket no longer supports dump-counters command: #1695