Upgrading from Suricata 2.0beta to Suricata 2.0

A few things changed during the 2.0 development cycle.

DNS config

Early in the 2.0beta cycle we had:

app-layer:
  protocols:
    dnstcp:
       enabled: yes
       detection-ports:
         tcp:
           toserver: 53
    dnsudp:
       enabled: yes
       detection-ports:
         udp:
           toserver: 53

In 2.0rc1 this changed to:

app-layer:
  protocols:
    dns:
      tcp:
        enabled: yes
        detection-ports:
          toserver: 53
      udp:
        enabled: yes
        detection-ports:
          toserver: 53

In 2.0rc1, loading dns-events.rules with the old configuration layout still in place fails with this error:

[10054] 13/2/2014 -- 16:58:51 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
[10054] 13/2/2014 -- 16:58:51 - (detect-parse.c:1536) <Error> (SigInitHelper) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature parsing failed: "alert dns any any -> any any (msg:"SURICATA DNS Unsollicited response"; flow:to_client;

The solution is to make the configuration change shown above.

The next release will handle this more gracefully.
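
A pre-upgrade check for the change described above, as an added example that is not part of the original page or of Suricata itself: it rewrites the old `dnstcp`/`dnsudp` keys into the 2.0rc1 `dns.tcp`/`dns.udp` layout so that dns-events.rules is not silently left unloaded. The function name `migrate_dns_config` and the sample dict are assumptions made for illustration; the input is the configuration already parsed into a nested dict.

```python
import copy
import json

# 2.0beta protocol key -> transport sub-key used under "dns" from 2.0rc1 on.
OLD_KEYS = {"dnstcp": "tcp", "dnsudp": "udp"}

# Constructed sample: the early 2.0beta layout shown above, as a nested dict.
OLD_SAMPLE = {"app-layer": {"protocols": {
    "dnstcp": {"enabled": "yes", "detection-ports": {"tcp": {"toserver": 53}}},
    "dnsudp": {"enabled": "yes", "detection-ports": {"udp": {"toserver": 53}}},
}}}


def migrate_dns_config(config):
    """Return (migrated_copy, notes); the input dict is left untouched."""
    new = copy.deepcopy(config)
    protocols = new.get("app-layer", {}).get("protocols", {})
    notes = []
    for old_key, transport in OLD_KEYS.items():
        if old_key not in protocols:
            continue
        old = protocols.pop(old_key) or {}
        # Copy every setting except detection-ports, which changes shape.
        entry = {k: v for k, v in old.items() if k != "detection-ports"}
        ports = old.get("detection-ports", {})
        # Old layout nested the ports under the transport name; flatten it.
        if isinstance(ports, dict) and transport in ports:
            ports = ports[transport]
        if ports:
            entry["detection-ports"] = ports
        dns = protocols.setdefault("dns", {})
        if transport in dns:
            notes.append(f"{old_key}: dropped, dns.{transport} already present")
        else:
            dns[transport] = entry
            notes.append(f"{old_key}: moved to dns.{transport}")
    return new, notes


if __name__ == "__main__":
    migrated, notes = migrate_dns_config(OLD_SAMPLE)
    print("\n".join(notes) or "no old-style DNS keys found")
    print(json.dumps(migrated, indent=2))
```

An empty notes list means the configuration already uses the 2.0rc1 layout and needs no change.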