The Open Information Security Foundation (OISF) announced a few days ago the release of Suricata 8.0, a version that marks a major leap in functionality, performance, and security for this intrusion detection and prevention system (IDS/IPS).
After two years of development, Suricata is positioned as a more robust and flexible solution, with experimental firewall capabilities, a more secure Lua environment, an optimized engine, and extensive support for new protocols.
Main novelties of Suricata 8.0
One of the notable functions is the new firewall mode, which allows a formalized dialect of the rules language to be used for Suricata's real-time packet filtering. Although considered experimental, this feature marks the beginning of a closer integration between active threat detection and prevention.
This new firewall implements a default drop policy, evaluates rules based on protocol state "hooks," and requires explicit definition of what traffic is allowed.
Another new feature in Suricata 8.0 is that Lua 5.4 is now built in by default, which ensures consistency across all environments. Additionally, Lua runs in a security sandbox that prevents high-risk actions such as:
- Writing to files.
- Opening sockets or accessing the operating system.
- Loading third-party modules.
In addition, Lua-based rules are enabled by default and can be extended using secure libraries documented by the OISF.
Performance and architecture improvements
Suricata's detection engine has received multiple optimizations:
- Improved branch prediction and hash functions.
- Faster PCAP reading with larger buffers.
- Faster startup with improved port grouping and pattern caching.
- Optimized stream synchronization and reassembly.
Suricata 8.0 also allows dynamic registration of plugins and protocol analyzers, facilitating custom extensions without modifying the main source code.
Converting to Rust: More Security and Performance
In addition, in Suricata 8.0, several critical modules were rewritten in Rust to improve the system's security and robustness. These include:
- LibHTP (HTTP parsing).
- Support for FTP, ENIP, MIME, base64, byte_extract.
- Decoders for SIP, MQTT, RFB and SNMP.
- The suricatasc command was also ported to Rust.
Suricata 8.0 also includes support for several new protocols and analysis features:
- DNS over HTTPS (DoH)
- LDAP
- mDNS (Multicast DNS)
- POP3 (with decoder and logger)
- WebSocket
- SDP over SIP, and SIP over TCP
- ARP (new decoder and logger)
New rules and detection
The new version includes an expanded set of keywords and capabilities for writing more complex and efficient rules:
- Transactional rules: allow you to describe both directions of a transaction in a single rule.
- New keywords: entropy, from_base64, luaxform, tcp.wscale, pgsql.query, mDNS, requires.
- Support for JSON data in datasets to enrich alerts.
- Improved support for detection based on absent, vlan.id, TLS, FTP, SMTP, LDAP, EMAIL, and more.
On the extensions side, Suricata 8.0 has been improved with:
- Public API for custom output logging.
- Plugins for Napatech, PF_RING (now as external plugins).
- Initial nDPI support as an add-on.
- Detailed counters for exception policies.
- Statistics on skipped reassemblies and ignored rules.
- New metrics for memory management, BPF usage, and packet drops.
- Greater detail in the EVE output schemas.
Finally, if you would like to know more, you can consult the details at the following link
Download and availability
Suricata 8.0 is now available from the official repository. The source code can be obtained on GitHub or through the packages distributed by the OISF for various platforms.
To install it, add the following repository to your system by typing the following commands:
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata
If you run into dependency problems, the following command resolves them:
sudo apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libmagic-dev libjansson-dev libjansson4
Once the installation is done, it is recommended to disable any offload features on the NIC that Suricata is listening on.
You can disable LRO / GRO on the eth0 network interface using the following command:
sudo ethtool -K eth0 gro off lro off
Suricata supports a number of operating modes. We can see the list of all execution modes with the following command:
sudo /usr/bin/suricata --list-runmodes
The default run mode is autofp, which stands for "automatic fixed flow load balancing". In this mode, packets from each flow are assigned to a single detection thread. Flows are assigned to the threads with the lowest number of unprocessed packets.
Now we can proceed to start Suricata in pcap live mode, using the following command:
sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens160 --init-errors-fatal
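The steps above (disable GRO/LRO on the capture interface, then start Suricata in pcap live mode) are easy to get wrong on a host with several NICs, so a small pre-flight script is useful. The following Python script is an added example, not code from the article or from the Suricata project: it parses the output of `ethtool -k <iface>` to check whether generic-receive-offload and large-receive-offload are still on, builds the matching `ethtool -K ... off` command, and assembles the Suricata start command used above. The sample ethtool output embedded in it is constructed for illustration, not captured from a real host, and the `main()` entry point assumes `ethtool` is installed and that it runs with root privileges.

```python
"""Pre-flight checks before starting Suricata in pcap live mode.

Added example, not part of the original article or the Suricata project.
It parses `ethtool -k <iface>` output to confirm that GRO/LRO are off (as the
article recommends) and assembles the start command shown there.
"""
import shlex
import subprocess
from typing import Dict, List

# Offload features the article recommends disabling, keyed by the names
# `ethtool -k` prints, mapped to the short flags used with `ethtool -K`.
OFFLOAD_FEATURES = {
    "generic-receive-offload": "gro",
    "large-receive-offload": "lro",
}

# Constructed sample of `ethtool -k eth0` output (not captured from a real host).
SAMPLE_ETHTOOL_OUTPUT = """Features for eth0:
rx-checksumming: on
tx-checksumming: on
generic-receive-offload: on
large-receive-offload: off [fixed]
tcp-segmentation-offload: on
"""


def parse_offload_features(text: str) -> Dict[str, str]:
    """Map each 'feature: on|off' line of ethtool -k output to its state.

    Trailing annotations such as '[fixed]' (feature cannot be changed) are
    dropped; the header line and indented sub-features are ignored.
    """
    features: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith((" ", "\t")) or ":" not in line:
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        state = value.split()[0] if value else ""
        if state in ("on", "off"):
            features[name.strip()] = state
    return features


def offloads_still_on(text: str) -> List[str]:
    """Return the ethtool -K flag names (gro, lro) that are still enabled."""
    states = parse_offload_features(text)
    return [flag for name, flag in OFFLOAD_FEATURES.items() if states.get(name) == "on"]


def build_ethtool_disable_cmd(iface: str, flags: List[str]) -> List[str]:
    """Build 'ethtool -K <iface> gro off lro off' for the given flags."""
    cmd = ["ethtool", "-K", iface]
    for flag in flags:
        cmd += [flag, "off"]
    return cmd


def build_suricata_cmd(iface: str, config: str = "/etc/suricata/suricata.yaml") -> List[str]:
    """Assemble the pcap live-mode start command used in the article."""
    return ["/usr/bin/suricata", "-c", config, "-i", iface, "--init-errors-fatal"]


def main(iface: str = "eth0") -> None:
    # Runs on a real host: requires ethtool and root. The same helpers parse its output.
    out = subprocess.run(["ethtool", "-k", iface], capture_output=True, text=True, check=True).stdout
    pending = offloads_still_on(out)
    if pending:
        print("disable offloads first:", shlex.join(build_ethtool_disable_cmd(iface, pending)))
    else:
        print("start:", shlex.join(build_suricata_cmd(iface)))


if __name__ == "__main__":
    main()
```

Run it as root on the capture host (`sudo python3 preflight.py`, with `iface` changed to the interface Suricata listens on, e.g. ens160); on the constructed sample it reports that gro is still on and prints the exact `ethtool -K` command to run, while a feature marked `[fixed]` is reported by its state only, since ethtool cannot change it.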