Upgrading Suricata 3.0 to Suricata 3.0.1¶
New options / features¶
mpm-algo can now be set to 'hs'. Hyperscan support will have be compiled in first. See Hyperscan
For each type of 'decoder event' there is now a counter in the stats.log. #1740.
decoder.ipv4.trunc_pkt | Total | 25845532 decoder.icmpv4.ipv4_trunc_pkt | Total | 3 decoder.tcp.invalid_optlen | Total | 1 decoder.tcp.opt_invalid_len | Total | 5
On side effect of this is that the stats.log can be much bigger.
It's worthwhile to consider disabling the 'null-values' option:
# Stats.log contains data from various counters of the suricata engine. - stats: enabled: yes filename: stats.log totals: yes # stats for all threads merged together threads: no # per thread stats null-values: no
This will only print those counters with a non-zero value.
Changed / fixed behaviour¶
Before 3.0.1, the YAML values for SMTP inspection were not used. Instead built-in defaults were used. #1646
The settings are used now and better defaults have been chosen:
app-layer: protocols: smtp: inspected-tracker: content-limit: 100000 content-inspect-min-size: 32768 content-inspect-window: 4096
PCRE on Debian¶
Debian ships a pretty old PCRE version (8.35), that has (or had) a buggy JIT implementation. We now disable JIT if 8.35 is detected. #1693