public inbox for development@lists.ipfire.org
From: Adolf Belka <adolf.belka@ipfire.org>
To: "IPFire: Development-List" <development@lists.ipfire.org>
Subject: Feedback on evaluation of Suricata-8.0.0-beta1
Date: Tue, 3 Jun 2025 21:00:05 +0200
Message-ID: <98524397-9ffa-4a72-91d3-0d13da6aa04f@ipfire.org>

Hi everyone,

So I have good news and bad news.

The good news is that, apart from a minor adjustment of the patch to disable sid-2210059, suricata-8.0.0-beta1 built without any issues.

I then installed the ISO I had built with it and the IPS started up and worked as expected, so also good news.

Suricata-8 has some new capabilities: Landlock is enabled by default now, Suricata can be used via sockets, and encrypted traffic bypass has been decoupled from the stream.bypass setting.
These may or may not require or benefit from modifications in how Suricata is used in IPFire. I am not knowledgeable enough currently to judge that.


The bad news is that the syslog output is deprecated in Suricata-8 and will be removed in Suricata-9.
It will still work in Suricata-8, but we will need to figure out how to change how we log some things before we move to Suricata-9. At least we have some time, so better to find this out now.

libhtp is no longer being used by Suricata. They have replaced it with a Rust version. So libhtp should be able to be removed.
I will test this out.
I tried ./make.sh find-dependencies on libhtp.so.2 and libhtp.so.2.0.0, but with both Suricata 8 and the existing Suricata 7 version the command showed no dependencies on libhtp. I would have expected it to be shown as a dependency for suricata.
We have a libhtp section in the suricata.yaml file.

Regards,
Adolf.

