4. Upgrading
4.1. General instructions
Suricata can be upgraded by simply installing the new version to the same
locations as the already installed version. When installing from source,
this means passing the same --prefix
, --sysconfdir
,
--localstatedir
and --datadir
options to configure
.
$ suricata --build-info|grep -A 3 '\-\-prefix'
--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
4.1.1. Configuration Updates
New versions of Suricata will occasionally include updated config files:
classification.config
and reference.config
. Since the Suricata
installation will not overwrite these if they exist, they must be manually
updated. If there are no local modifications they can simply be overwritten
by the ones Suricata supplies.
Major updates include new features, new default settings and often also remove features.
4.2. Upgrading to 6.0.13
Lua rules have been disabled. To enable them see Configuration hardening.
Absolute filenames and filenames containing parent directory traversal are no longer allowed by default for datasets when the filename is specified as part of a rule. See Datasets Security and Datasets File Locations for more information.
4.3. Upgrading from 6.0.4 to 6.0.5
FTP has been updated with a maximum command request and response line length of 4096 bytes. To change the default see FTP.
4.4. Upgrading 5.0 to 6.0
SIP now enabled by default
RDP now enabled by default
ERSPAN Type I enabled by default.
4.4.1. Major changes
New protocols enabled by default: mqtt, rfb
SSH Client fingerprinting for SSH clients
Conditional logging
Initial HTTP/2 support
DCERPC logging
Improved EVE logging performance
4.4.2. Removals
File-store v1 has been removed. If using file extraction, the file-store configuration will need to be updated to version 2. See Update File-store v1 Configuration to V2.
Individual Eve (JSON) loggers have been removed. For example,
stats-json
,dns-json
, etc. Use multiple Eve logger instances if this behavior is still required. See Multiple Logger Instances.Unified2 has been removed. See Unified2 Output Removed.
4.5. Upgrading 4.1 to 5.0
4.5.1. Major changes
New protocols enabled by default: snmp (new config only)
New protocols disabled by default: rdp, sip
New defaults for protocols: nfs, smb, tftp, krb5 ntp are all enabled by default (new config only)
VXLAN decoder enabled by default. To disable, set
decoder.vxlan.enabled
tofalse
.HTTP LZMA support enabled by default. To disable, set
lzma-enabled
tofalse
in each of thelibhtp
configurations in use.classification.config updated. ET 5.0 ruleset will use this.
decoder event counters use 'decoder.event' as prefix now. This can be controlled using the
stats.decoder-events-prefix
setting.
4.5.2. Removals
dns-log
, the text dns log. Use EVE.dns instead.file-log
, the non-EVE JSON file log. Use EVE.files instead.drop-log
, the non-EVE JSON drop log.