Suricata 9.0.0 Roadmap

As of 2025-10-15 06:28:02 UTC

9.0.0: rules: improve rules keyword/output parity 7901 [1/8]

• [New ] mime: add rule keywords (7600)
• [New ] mime: add email.status keyword (7594)
• [Assigned] mime: expose ‘headers’ as a keyword (7586)
• [Assigned] detect: smtp keyword coverage (6473)
• [Assigned] DNS: parity between log fields and detection (5642)
• [In Progress] ldap: add keywords to match output (7452)
• [In Progress] ftp: parity of logging and detection buffers (6476)
• [Closed ] mime: add email.body_md5 keyword (7587)

9.0.0: rules: improve rule language 7900 [2/9]

• [New ] http.headers - dynamic sticky buffers (5775)
• [Assigned] detect/frames: allow mixing with txs (5049)
• [Assigned] ftp: add stream app-layer frame support (4906)
• [In Progress] detect: review existing keywords for usage of bitflags (6724)
• [In Progress] rules: keyword for “count” of http_header_names (5044)
• [In Review] Dataset is setting data despite the signature being a complete match (5576)
• [In Review] detect/integers: support a count argument for array of integers (7211)
• [Closed ] detect: review existing keywords for usage of enumerations (6723)
• [Closed ] detect/integers: array of integers should support an optional second argument to (7480)

9.0.0: protocols: C to Rust conversions 7761 [0/0]

9.0.0: deployment: improve secure deployment 7760 [0/1]

• [New ] landlock: enable by default (6936)

9.0.0: protocols: protocol additions 7584 [0/3]

• [New ] HTTP/3 support (6472)
• [New ] websockets: support over HTTP/2 (6729)
• [In Progress] smb: support multi-stream file transfers (4861)

9.0.0: usecase: improve firewall usecase 7583 [0/7]

• [New ] firewall: make verdict fields in alert and drop mandatory (7700)
• [Assigned] firewall: allow request/response action scopes (7697)
• [Assigned] firewall: separate stats for ips and firewall (7699)
• [Feedback] firewall: default settings; locked settings (7706)
• [Feedback] firewall: allow single packet rule to accept tcp connection (7704)
• [Feedback] firewall: allow single rule to accept protocol detection in progress and the fin (7705)
• [In Progress] firewall: comprehensive rules tests (7269)