4. Upgrading

4.1. General instructions

Suricata can be upgraded by simply installing the new version to the same locations as the already installed version. When installing from source, this means passing the same --prefix, --sysconfdir, --localstatedir and --datadir options to configure.

$ suricata --build-info|grep -A 3 '\-\-prefix'
    --prefix                                 /usr
    --sysconfdir                             /etc
    --localstatedir                          /var
    --datarootdir                            /usr/share
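
As an added example (not from the Suricata documentation), the following POSIX shell script turns the path lines reported by suricata --build-info into the matching configure options for the new version, and checks that all four install paths were found so the upgrade cannot silently land in a default location. The build-info text is a constructed sample so the script runs without Suricata installed; on a real host pipe suricata --build-info into configure_flags_from_build_info instead.

```shell
#!/bin/sh
# Added example, not Suricata's own code: derive the ./configure options for an
# upgrade build from the paths the installed binary reports, so the new version
# is installed to the same locations as the existing one.

# Reads build-info text on stdin and prints one configure option per line
# ("--prefix=/usr") for every install-path line it finds.
configure_flags_from_build_info() {
    awk '$1 ~ /^--(prefix|sysconfdir|localstatedir|datarootdir|datadir)$/ && $2 != "" {
        printf "%s=%s\n", $1, $2
    }'
}

# Builds the single-line ./configure command from the flags found in "$1".
configure_command_for() {
    printf '%s' "$1" | configure_flags_from_build_info \
        | tr '\n' ' ' | sed 's/ $//; s|^|./configure |'
}

# Returns 1 and names the missing option if build-info did not report one of
# the four paths; a missing path would fall back to configure's default.
check_required_paths() {
    flags=$(printf '%s' "$1" | configure_flags_from_build_info)
    for opt in --prefix --sysconfdir --localstatedir --datarootdir; do
        case "$flags" in
            *"$opt="*) ;;
            *) echo "missing $opt in build-info output" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample of the relevant build-info lines (not captured from a real host).
SAMPLE_BUILD_INFO='This is Suricata version 7.0 (constructed sample)
  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /usr/share'

check_required_paths "$SAMPLE_BUILD_INFO" && configure_command_for "$SAMPLE_BUILD_INFO"
```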

4.1.1. Configuration Updates

New versions of Suricata will occasionally include updated config files: classification.config and reference.config. Since the Suricata installation will not overwrite these if they exist, they must be manually updated. If there are no local modifications they can simply be overwritten by the ones Suricata supplies.

Major updates add new features and new default settings, and often also remove features.

4.2. Upgrading 6.0 to 7.0

4.2.1. Major changes

4.2.2. Removals

  • The libprelude output plugin has been removed.

4.2.3. Logging changes

  • IKEv2 EVE logging changed: the event_type has become ike. The fields errors and notify have moved to ike.ikev2.errors and ike.ikev2.notify.

4.2.4. Other changes

  • NSS is no longer required. File hashing and JA3 can now be used without the NSS compile time dependency.

4.2.5. Logging changes

  • Protocol values and their names are now built into Suricata instead of being read from the system’s /etc/protocols file. Some names and their casing may have changed in the proto values of eve.json log entries and in other logs containing protocol names and values. See https://redmine.openinfosecfoundation.org/issues/4267 for more information.

4.3. Upgrading 5.0 to 6.0

  • SIP now enabled by default
  • RDP now enabled by default
  • ERSPAN Type I now enabled by default

4.3.1. Major changes

  • New protocols enabled by default: mqtt, rfb
  • SSH client fingerprinting
  • Conditional logging
  • Initial HTTP/2 support
  • DCERPC logging
  • Improved EVE logging performance

4.3.2. Removals

4.4. Upgrading 4.1 to 5.0

4.4.1. Major changes

  • New protocols enabled by default: snmp (new config only)
  • New protocols disabled by default: rdp, sip
  • New defaults for protocols: nfs, smb, tftp, krb5 and ntp are all enabled by default (new config only)
  • VXLAN decoder enabled by default. To disable, set decoder.vxlan.enabled to false.
  • HTTP LZMA support enabled by default. To disable, set lzma-enabled to false in each of the libhtp configurations in use.
  • classification.config updated. The ET 5.0 ruleset will use this.
  • Decoder event counters now use ‘decoder.event’ as their prefix. This can be controlled with the stats.decoder-events-prefix setting.

4.4.2. Removals

  • dns-log, the text dns log. Use EVE.dns instead.
  • file-log, the non-EVE JSON file log. Use EVE.files instead.
  • drop-log, the non-EVE JSON drop log.

See https://suricata-ids.org/about/deprecation-policy/