4.1. General instructions¶
Suricata can be upgraded by simply installing the new version to the same
locations as the already installed version. When installing from source,
this means passing the same
--datadir options to
$ suricata --build-info|grep -A 3 '\-\-prefix' --prefix /usr --sysconfdir /etc --localstatedir /var --datarootdir /usr/share
4.1.1. Configuration Updates¶
New versions of Suricata will occasionally include updated config files:
reference.config. Since the Suricata
installation will not overwrite these if they exist, they must be manually
updated. If there are no local modifications they can simply be overwritten
by the ones Suricata supplies.
Major updates include new features, new default settings and often also remove features.
4.2. Upgrading 6.0 to 7.0¶
4.2.1. Major changes¶
- Upgrade of PCRE1 to PCRE2. See Changes from PCRE1 to PCRE2 for more details.
- IPS users: by default various new “exception policies” are set to DROP traffic. Please see Exception Policies for details on the settings and their scope.
4.2.2. Security changes¶
- suricata.yaml now prevents process creation by Suricata by default with security.limit-noproc. The suricata.yaml configuration file needs to be updated to enable this feature. For more info, see Configuration hardening.
- The libprelude output plugin has been removed.
- EVE DNS v1 logging support has been removed. If still using EVE DNS v1 logging, see the manual section on DNS logging configuration for the current configuration options: DNS EVE Configuration
4.2.4. Logging changes¶
- IKEv2 Eve logging changed, the event_type has become
ike. The fields
notifyhave moved to
- FTP DATA metadata for alerts are now logged in
ftp_datainstead of root.
xfffield is now logged as
alert.xfffor alerts instead of at the root.
4.2.5. Other changes¶
- NSS is no longer required. File hashing and JA3 can now be used without the NSS compile time dependency.
- If installing Suricata without the bundled Suricata-Update, the
default-rule-pathhas been changed from
/var/lib/suricata/rulesto be consistent with Suricata when installed with Suricata-Update.
- FTP has been updated with a maximum command request and response line length of 4096 bytes. To change the default see FTP.
- SWF decompression in http has been disabled by default. To change the default see Configure HTTP (libhtp). Users with configurations from previous releases may want to modify their config to match the new default. See https://redmine.openinfosecfoundation.org/issues/5632 for more information.
4.2.6. Logging changes¶
- Protocol values and their names are built-in to Suricata instead of using the system’s
/etc/protocolsfile. Some names and casing may have changed in the values
eve.jsonlog entries and other logs containing protocol names and values. See https://redmine.openinfosecfoundation.org/issues/4267 for more information.
4.3. Upgrading 5.0 to 6.0¶
- SIP now enabled by default
- RDP now enabled by default
- ERSPAN Type I enabled by default.
4.3.1. Major changes¶
- New protocols enabled by default: mqtt, rfb
- SSH Client fingerprinting for SSH clients
- Conditional logging
- Initial HTTP/2 support
- DCERPC logging
- Improved EVE logging performance
- File-store v1 has been removed. If using file extraction, the file-store configuration will need to be updated to version 2. See Update File-store v1 Configuration to V2.
- Individual Eve (JSON) loggers have been removed. For example,
dns-json, etc. Use multiple Eve logger instances if this behavior is still required. See Multiple Logger Instances.
- Unified2 has been removed. See Unified2 Output Removed.
4.4. Upgrading 4.1 to 5.0¶
4.4.1. Major changes¶
- New protocols enabled by default: snmp (new config only)
- New protocols disabled by default: rdp, sip
- New defaults for protocols: nfs, smb, tftp, krb5 ntp are all enabled by default (new config only)
- VXLAN decoder enabled by default. To disable, set
- HTTP LZMA support enabled by default. To disable, set
falsein each of the
libhtpconfigurations in use.
- classification.config updated. ET 5.0 ruleset will use this.
- decoder event counters use ‘decoder.event’ as prefix now. This can
be controlled using the
dns-log, the text dns log. Use EVE.dns instead.
file-log, the non-EVE JSON file log. Use EVE.files instead.
drop-log, the non-EVE JSON drop log.