Stamus-Networks-Blog

Just Released: Suricata 7

Written by Andreas Herz | Jul 19, 2023 2:32:37 PM

Yesterday (18-July-2023) the OISF announced the general availability of Suricata version 7. It’s been nearly 3 years since the last major Suricata release (see Suricata 6 blog post). Thanks to numerous volunteers and contributors from around the world, Suricata 7 is now ready to use. You can read the Suricata 7 announcement on the Suricata website here.

In this blog post we detail many of the new features and the benefits they bring to Suricata users, as well as how they are being used in the Stamus Security Platform and our turnkey open-source Suricata implementation, SELKS. 

Many Stamus Networks team members contributed to this release, and we are very proud of its significant new capabilities. 

Suricata - a powerful network security engine

Suricata is a high-performance network threat detection, intrusion detection and prevention (IDS / IPS) system, and network security monitoring (NSM) engine that performs deep packet inspection on network traffic to detect threat indicators and generate powerful artifacts that can be used by security teams to protect their organizations. 

It is an open source project owned and managed by the community-run non-profit Open Information Security Foundation (OISF). Developed jointly by members of the OISF, its supporting vendors, and a global community of passionate volunteers, Suricata is one of the most effective network security engines available.

While many still think of Suricata as a signature-based IDS, you can see from the diagram above that it has evolved to become a complete network security engine (my colleague, Peter Manev wrote about this in a blog post last year: https://www.stamus-networks.com/blog/suricata-myths-alerts-and-nsm). 

Suricata 7 represents another significant step in the evolution of Suricata’s capabilities. With new features for end-users, Suricata 7 is even more capable than what was imagined at its humble beginnings. 

Without further delay, let’s take a look at some of the advancements you will see in Suricata 7.

Top Additions

As you will read, there have been numerous additions to Suricata 7 that will benefit both users and developers. Notably, there have been enhancements made in the following four areas: 

  1. Deployment Security
  2. Protocols and Rules
  3. Forensic Evidence
  4. Performance

Increased Deployment Security 

  • Linux Landlock Support: This feature was presented by Eric Leblond of Stamus Networks at Suricon in 2022. With Landlock, you can sandbox processes to limit access control and interactions with file systems.
  • Supply Chain Attack Protection: Based on findings by Eric Leblond of Stamus Networks, dataset usage was improved and restrictions were added to avoid potential attacks on the system by malicious rules using datasets. Additionally, the settings on the Lua feature for rules (see below) are set to secure by default. 

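As an added example (not from the post or from the Suricata project itself), the `security:` section of suricata.yaml that turns on the Landlock sandbox in Suricata 7; the directory lists are assumptions for a typical Linux install and must match the paths your deployment actually uses.

```yaml
# suricata.yaml excerpt (added example, not from the original post).
# Landlock restricts which filesystem paths the suricata process may touch,
# so a misbehaving or compromised engine cannot read or write outside them.
security:
  landlock:
    enabled: yes
    directories:
      # Paths Suricata must be able to write to (EVE/pcap logs, PID and
      # unix-socket files).
      write:
        - /var/log/suricata/
        - /var/run/
      # Everything else is read-only: rules, datasets, config, libraries.
      # These paths are assumptions for a typical install; adjust to yours.
      read:
        - /usr/
        - /etc/
        - /var/lib/suricata/
```

Validate with `suricata -T -c /etc/suricata/suricata.yaml` after changing the lists: a rule or dataset file living outside the allowed directories will fail to open once the sandbox is applied, which is the behaviour you want to discover before going live.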
Protocol and Rule Improvements

Support for new application protocols has been added, and modifications to existing protocol support were made to give better visibility into network traffic. In addition, there have been new keywords and protocols added to the signature language. This will help rule writers more precisely target activity within those protocols.

  • Added Bittorrent Protocol: Added support for parsing Bittorrent DHT application layer protocols to deliver metadata specific to the Bittorrent protocol into the eve logs. This increases visibility into Bittorrent activity on the network to add evidentiary metadata.
  • Added QUICv1 & GQUIC Protocols with keywords: Added support for parsing the QUIC (TCP/2) protocols, producing connection-specific metadata (including the calculated CYU fingerprint), together with rule keywords that match on that QUIC information. This increases visibility into QUICv1 and GQUIC traffic, adds QUIC-specific metadata to the logs, and lets rules alert on specific QUIC fields and the calculated CYU.
  • Added PostgreSQL Protocol: There is now added support for parsing PostgreSQL application layer protocol to deliver metadata specific to PostgreSQL into the eve logs.  This includes requests and responses when communicating with a PostgreSQL database. This increases visibility into PostgreSQL activity on the network to add evidentiary metadata, including both queries and responses to executed queries. 
  • Stabilized HTTP/2 Deflate Decompression and Byte-Ranges: HTTP/2 support is now marked as stable and was extended to support deflate compression and byte ranges. There are also new HTTP/HTTP2 keywords for header inspection.
  • ESP Flow Tracking and Logging: The ability to detect ESP (Encapsulating Security Payload for IPv6) was added to the ip_proto keyword.
  • IKEv1 Addition: The previous parser only included IKEv2, so IKEv1 was added and refactored with Suricata 7 to ensure that the IKE parser now supports both protocol versions. 

Others

  • “XOR” Transform: Users can now take a buffer and apply XOR decoding
  • Lua: Users can now control access to more rule info (see “Supply Chain Attack Protection” above)
  • Dataset Improvements, including IP sets: Datasets can now use a new type to represent IPv4 and IPv6 addresses. New commands were also added to update the dataset from Unix socket
  • New Detection Logic: “multi-buffer” keywords like dns.query now have new detection logic
  • New Rule Profiling Mode: Eric Leblond of Stamus Networks added a lighter version of rule profiling that can be run in production: it runs periodically for a short time to highlight rules that could have a negative impact on performance. This lets the user pinpoint rules that are performance bottlenecks without affecting the production deployment's performance, which was not possible in earlier versions.
  • Support for VN-Tag
  • Modbus rewritten to Rust with Eve logging
  • Minimal Telnet Parser
  • Active Flow and TCP Counters 
  • Network Service Header 
  • SMB Enhancements 
  • TLS Enhancements
  • SMTP Enhancements
  • Support for Libhtp 0.5.45
  • New Rule Keywords for DHCP, Kerberos, SNMP, TLS, QUIC
  • JA3(s) Support for QUIC
  • New (experimental) keyword class through “frames API” - NFS, SMB, DNS, telnet, SSL/TLS
  • File.data support for HTTP request files and NFS
  • file.data MPM Split per App Protocol

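Added example rules (not from the post or from the Suricata project) exercising three of the additions above: the new `ip` dataset type with the `ip.src` sticky buffer, the `xor` transform, and a QUIC keyword. The sid values, the XOR key and the watchlist file name are constructed for illustration.

```suricata
# Added example rules, not from the original post. sid values, the XOR key
# and "watchlist.lst" are constructed for illustration.

# 1. IP datasets: Suricata 7 adds the "ip" dataset type and the ip.src /
#    ip.dst sticky buffers, so a watchlist of IPv4 and IPv6 addresses is
#    matched by one signature. watchlist.lst holds one address per line.
alert ip any any -> any any (msg:"Source address on IP watchlist"; \
    ip.src; dataset:isset,watchlist,type ip,load watchlist.lst; \
    classtype:bad-unknown; sid:9000001; rev:1;)

# 2. XOR transform: decode the HTTP request body with a fixed 4-byte key
#    before the content match, so single-key obfuscation no longer hides
#    the marker string from the detection engine.
alert http any any -> any any (msg:"XOR-obfuscated marker in request body"; \
    http.request_body; xor:"0d0ac8ff"; content:"marker"; \
    classtype:bad-unknown; sid:9000002; rev:1;)

# 3. QUIC keywords: match on the parsed QUIC version (GQUIC Q046 here).
#    quic.cyu.hash works the same way against the calculated CYU value.
alert quic any any -> any any (msg:"GQUIC Q046 client hello"; \
    quic.version; content:"Q046"; \
    classtype:protocol-command-decode; sid:9000003; rev:1;)
```

Load the file with `suricata -T -S rules.rules -c suricata.yaml` to check that each keyword is accepted by your build before deploying.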
Forensic Evidence

  • Conditional Packet Capture: With this feature, packets can only be written to disk after an alert has been triggered. Full Packet Capture (FPC) has been included in Suricata since 2010, but requests from the community for conditional packet capture were answered by Eric Leblond of Stamus Networks and presented at Suricon 2021. In addition to logging all packets, users can now define the alert based logging to ensure that only the flows related to an alert are stored as a PCAP. Additionally, a tag keyword is now available to log specific flows based on a signature match, allowing analysts to dig deeper into potential attacks without significant impact to performance or storage requirements. Note: GopherCap can be used to extract PCAPs based on the data present in the EVE JSON logs.
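The `pcap-log` output that drives conditional packet capture, as an added example (not from the post or from the Suricata project); the file name and size limits are assumptions.

```yaml
# suricata.yaml excerpt (added example, not from the original post).
# "conditional" selects which packets are written to disk:
#   all    - classic full packet capture of every packet
#   alerts - only packets belonging to flows that raised an alert
#   tag    - only flows tagged by a matching rule's tag keyword
outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap      # assumption: relative to default-log-dir
      limit: 1000mb           # rotate after this size (assumed value)
      max-files: 2000         # ring buffer depth (assumed value)
      mode: normal
      use-stream-depth: no
      honor-pass-rules: no
      conditional: alerts
```

With `conditional: tag`, pair it with a rule that carries for example `tag:session,300,seconds;` so that only the matched session's next 300 seconds of packets are stored, which keeps disk usage bounded by what analysts actually need to review.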

Configuration and Performance Enhancements 

  • Exception Policy: When Suricata is in IPS mode, users now have better control of packet handling and can define exceptions for various conditions, such as memory caps being hit. IDS mode, by comparison, will ignore those exceptions by default. 
  • New Default DROP Behavior: When Suricata is in IPS mode, traffic exceptions will result in a close, thus dropping the flow. Note: this can be disabled to allow such flows to pass.
  • DPDK IDS/IPS Support for Primary Mode: Suricata 7 introduces a new capture method which uses DPDK (Data Plane Development Kit) to provide a potential performance benefit and lays the groundwork for even more dedicated scenarios.  With DPDK Suricata can attach more directly to the network capture provided by the NIC and bypass the Linux kernel. In some tests this feature showed 15-20% better capture performance.  Stamus Networks will put these claims to the test on Stamus appliances.
  • AF_XDP: This is an alternative capture method to the already known methods like AF_PACKET. AF_XDP was added to the Linux kernel in version 4.8 and provides an early hook into the receiving path in the kernel and allows the usage of eBPF programs to determine what happens to a packet.
  • Faster Detection Engine Computation: Suricata 7 was improved to decrease CPU usage and increase the speed at which a user can switch to a new detection policy (from 50s to 5s on a big ruleset).
  • Improvements to IPS Drop Handling and Exception Policies
  • Stream Engine Fixes and Improvements: Improved memory efficiency
  • Log Drop
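How the exception policy is expressed in suricata.yaml, as an added example (not from the post or from the Suricata project); the memcap values are assumptions.

```yaml
# suricata.yaml excerpt (added example, not from the original post).
# The master switch decides what happens when a limit is exceeded (memcap
# hit, reassembly gap, parser error ...). "auto" resolves to drop-flow in
# IPS mode and to ignore in IDS mode, the Suricata 7 default behaviour.
exception-policy: auto

# Per-subsystem settings override the master switch. Here the stream engine
# is told to pass rather than drop a flow when its memcap is hit; the
# trade-off is that those flows continue uninspected, so the choice depends
# on whether availability or inspection coverage matters more at that point.
stream:
  memcap: 64mb                 # assumed value
  memcap-policy: pass-flow
  reassembly:
    memcap: 256mb              # assumed value
    memcap-policy: pass-flow
```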

Additional Information Available from the OISF

It is important for us to note that this is not an exhaustive list of all the improvements and features added to Suricata 7. To see the full list of changes, consult the Suricata 7 blog article.

For more information on how to upgrade from Suricata 6.0 to Suricata 7.0, please visit the Suricata User Guide.

Suricata 7 was made possible by many contributors around the world. A full list is made available on Suricata.io.

More on the history of Suricata

The Suricata project began in 2008 by Matt Jonkman, Victor Julien and Will Metcalf on a grant from the U.S. Department of Homeland Security (DHS) to build the world’s first multi-threaded IDS/IPS. In the time since, Suricata has grown into an incredibly powerful network security system with the inclusion of full-featured packet capture, scripting, and network security monitoring capabilities that compete with even the most advanced custom-built solutions. My colleague Eric Leblond documented the first 12 years in this blog post: https://www.stamus-networks.com/blog/suricata-the-first-12-years-of-innovation

Since its inception, Suricata has functioned as the foundation of many successful commercial products and spawned an incredible ecosystem of independent ruleset/signature and threat intelligence providers.

The founders of Stamus Networks, Eric Leblond and Peter Manev, joined the Suricata project in 2009 and have since become prolific contributors, eventually joining the OISF executive team. In time, they founded Stamus Networks and released the first version of SELKS, a free open source turnkey Suricata-based IDS/IPS/NSM system with its own graphical rule manager, dashboards, and visualizations to showcase the power of Suricata. SELKS is the perfect system to evaluate, experiment, and learn with Suricata within your own environment.

Eventually, Peter and Eric developed the Stamus Security Platform, a broad-spectrum, open network-based threat detection and response (NDR) system built on the foundation of Suricata. 

The Stamus Security Platform was recently included in Gartner’s 2022 “Market Guide for Network Detection and Response” as one of only 5 vendors that built their NDR solution on Suricata, though it is likely that even more vendors have done the same without self-identifying. This is a testament not only to the power of Suricata-based network security, but also showcases Stamus Networks’ expertise on the Suricata engine.   

Get Suricata 7 today in SELKS

We created SELKS to showcase the power of Suricata. And when you download and install SELKS, you are always getting the latest version of Suricata. So, if you are reading this and wish to begin experimenting with Suricata 7, you can download the turnkey SELKS package and begin immediately. 

In addition to including the latest version of Suricata, we continually add to the useful capabilities of SELKS. For example, we recently added a number of dashboards and visualizations to the current version available. See https://github.com/StamusNetworks/KTS7

Here’s the link to the complete SELKS ISO images and Docker Compose versions ready to install on a bare metal system: https://www.stamus-networks.com/selks 

Here’s the GitHub repository with all the documentation and source code: https://github.com/StamusNetworks/SELKS 

When will Suricata 7 features be included in SSP?

The following Suricata 7 features are already part of Stamus Security Platform (SSP) as of Update 39 (U39), because they were developed and contributed by the Stamus Networks team or backported into SSP prior to Suricata 7: 

  • Conditional packet capture
  • Supply chain attack protection
  • Dataset improvements
  • New rule profiling
  • Enhanced SMB protocol support
  • VN-Tag

SSP users can expect to see full integration of Suricata 7 into SSP in the coming months. We are constantly working to provide our users with the most useful detection capabilities possible, and Suricata 7 is just one of the ways we do that. 

Additional thoughts

We are incredibly grateful to have played a part in the development of Suricata 7, and thanks to a thriving development and user community we expect to see even more exciting improvements in the future. To stay informed on Suricata news and related information, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.