Upgrading Suricata 3.0 to Suricata 3.1¶
The detection engine has a new YAML section called 'detect', replacing the old 'detect-engine':
detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes # the grouping values above control how many groups are created per # direction. Port whitelisting forces that port to get it's own group. # Very common ports will benefit, as well as ports with many expensive # rules. grouping: #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 #udp-whitelist: 53, 135, 5060 profiling: # Log the rules that made it past the prefilter stage, per packet # default is off. The threshold setting determines how many rules # must have made it past pre-filter for that rule to trigger the # logging. #inspect-logging-threshold: 200 grouping: dump-to-disk: false include-rules: false # very verbose include-mpm-stats: false
The settings are no longer in a list, which was a mistake in the previous logic.
The old config should continue to work.
The old config looked like:
detect-engine: - profile: medium - custom-values: toclient-src-groups: 2 toclient-dst-groups: 2 toclient-sp-groups: 2 toclient-dp-groups: 3 toserver-src-groups: 2 toserver-dst-groups: 4 toserver-sp-groups: 2 toserver-dp-groups: 25 - sgh-mpm-context: auto - inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #- delayed-detect: yes
From detect-engine, profile, sgh-mpm-context, inspection-recursion-limit and delayed-detect directly map to their 'detect' equivalent.
The custom values have changed, as not all of them are relevant anymore. Only toserver-dp-groups and toclient-dp-groups are used to set toserver-groups and toclient-groups respectively. NOTE this is broken in 3.1RC1, see #1804