After two and a half years of development, OISF (Open Information Security Foundation) has published Suricata 7.0, a network intrusion detection and prevention system. Suricata 7.0 can inspect many kinds of traffic and is compatible with the rule format developed by the Snort project, as well as with the Emerging Threats and Emerging Threats Pro rule sets. The project's source code is distributed under the GPLv2 license.
The main changes in Suricata 7.0:
- Support for the DPDK framework has been added to raise the throughput of the detection and prevention components (IDS and IPS): Suricata talks to the network hardware directly and bypasses the kernel network stack when processing packets.
- The AF_XDP capture method has been implemented to accelerate the detection component (IDS) by running BPF programs at the network driver level. It gives Suricata direct access to the packets' DMA buffers and lets captured packets be handed to the user-space process without passing through the kernel network stack.
- New keywords have been added to inspect the headers of the HTTP and HTTP2 protocols.
- Client TLS certificates can now be detected and recorded in the log.
- A parser for the BitTorrent protocol has been added.
- The intrusion prevention system (IPS) now applies the DROP action by default in its exception policies, the fallback behaviour taken when an inspection limit (such as a memcap or stream reassembly depth) is reached.
- The JSON schema of the EVE log subsystem has been documented and validated, ensuring the output of events in the
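The following suricata.yaml excerpt is an added example, not part of the release announcement or of Suricata's own shipped configuration. It shows where the 7.0 features listed above are switched on: the exception-policy default, an AF_XDP capture interface, a DPDK interface, and TLS logging in the EVE output. Interface names, the PCI address, thread counts and file names are placeholders; the keys follow the stock suricata.yaml as the editor knows it and should be checked against the default configuration that ships with your own 7.0 build before use.

```yaml
# Added example configuration (not from the Suricata project); all values are placeholders.

# Exception policy: action taken when an inspection limit is hit (memcap, stream
# reassembly depth, app-layer parser failure, ...). In IPS mode 7.0 defaults this
# to a drop action; stating it explicitly makes the choice visible in config review.
# Assumption: 'auto' selects the 7.0 default, alternatives include drop-flow,
# drop-packet, bypass, reject, pass-flow, pass-packet and ignore.
exception-policy: auto

# AF_XDP capture (IDS only): packets reach Suricata from the driver via XDP,
# bypassing the kernel network stack. Start with 'force-xdp-mode: none' to let
# Suricata probe driver (native) vs. skb (generic) mode and log which one it got.
af-xdp:
  - interface: eth0            # placeholder interface name
    threads: auto
    force-xdp-mode: none       # assumption: none = autodetect, drv = native, skb = generic fallback
    force-bind-mode: none      # assumption: none = autodetect, zero = zero-copy, copy = copy mode
    mem-unaligned: no
    enable-busy-poll: yes

# DPDK capture (IDS or IPS): the NIC must be bound to a DPDK-capable driver and
# hugepages must be reserved before Suricata starts; the PCI address is a placeholder.
dpdk:
  eal-params:
    proc-type: primary
  interfaces:
    - interface: 0000:3b:00.0  # placeholder PCI address
      threads: auto
      promisc: true
      checksum-checks: true
      mempool-size: 65535
      rx-descriptors: 1024
      tx-descriptors: 1024
      copy-mode: none          # set to ips plus a copy-iface to run inline

# EVE JSON output with extended TLS logging so the new client-certificate fields
# (added in 7.0) appear alongside the server certificate data.
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json       # placeholder, relative to the configured log directory
      types:
        - tls:
            extended: yes
```

Run `suricata -T -c suricata.yaml` after editing to validate the file; a capture method is then selected at start-up with `--af-xdp=<iface>` or `--dpdk`, and the selected exception policy and XDP mode are reported in suricata.log.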