Suricata 8.0.0 Roadmap

As of 2025-05-02 04:28:02 UTC

usecase: improve firewall usecase 7164 [2/4]

• [In Progress] firewall: comprehensive rules tests (7269)
• [In Review] userguide: document usage of Suricata as a firewall (6270)
• [Closed ] rules/actions: explicit action scopes (7481)
• [Closed ] rules: allow specifying explicit hooks (7485)

deployment: improve secure deployment 7160 [0/2]

• [New ] landlock: enable by default (6936)
• [In Progress] ppa: run as a non-root user (6952)

extensibility: plugins 7148 [6/6]

• [Closed ] eve/filetypes: move from plugin api to eve api (6838)
• [Closed ] Output plugins receive identifier, but not thread identifier (6408)
• [Closed ] plugins: support creating app-layer parser, logger and detect (4102)
• [Closed ] plugins: convert an app-layer to use the plugin API (snmp) (4103)
• [Closed ] pfring: move into bundled plugin (7162)
• [Closed ] napatech: move into bundled plugin (7165)

misc: supply chain risk improvements 7147 [1/1]

• [Closed ] reimplement systemd sd_notify w/o linking to libsystemd (6913)

misc: general improvements and cleanups 7141 [1/1]

• [Closed ] byte_extract: convert keyword/option parsing to Rust (6873)

protocols: C to Rust conversions 7140 [3/3]

• [Closed ] enip: convert protocol parser to rust (3958)
• [Closed ] mime: multi-part parser in Rust (3487)
• [Closed ] http: implement parser in rust (2696)

lua: sandboxed lua support with mimimum set of bindings 7128 [17/25]

• [New ] lua: turn file into lua lib (7491)
• [New ] lua: turn ja3 into lib (7605)
• [New ] lua: turn smtp into lib (7606)
• [Assigned] lua: fix inconsistency in the init “needs” key (4753)
• [Assigned] lua: turn tls into lib (7608)
• [Assigned] lua: suricata.util lib (7609)
• [In Progress] lua: turn flowints into lib (7487)
• [In Review] lua: use script as transform (2290)
• [Closed ] lua: vendor latest lua stable (4776)
• [Closed ] lua: use a rust crate to vendor lua (6961)
• [Closed ] lua: implement sandboxing (4777)
• [Closed ] lua: incremement stat when a lua rule exhausts its instruction count (6939)
• [Closed ] lua: handle errors in lua rules (6940)
• [Closed ] lua: expose base64 functions (7074)
• [Closed ] lua: expose hashing functions (md5/sha1/sha256) (7073)
• [Closed ] lua: expose dataset functions (7243)
• [Closed ] lua: turn flowvars into lib (7486)
• [Closed ] lua: turn packet into lib (7488)
• [Closed ] lua: turn flow into lib (7489)
• [Closed ] lua: turn rule into lua lib (7490)
• [Closed ] lua: turn dnp3 into lib (7601)
• [Closed ] lua: turn dns into lib (7602)
• [Closed ] lua: turn hassh into lib (7603)
• [Closed ] lua: turn http into lib (7604)
• [Closed ] lua: turn ssh into lib (7607)

rules: improve rule language 7124 [3/6]

• [New ] frames: support rules with multiple different frames (7092)
• [Assigned] detect/frames: allow mixing with txs (5049)
• [Assigned] ftp: add stream app-layer frame support (4906)
• [Closed ] rules: bidirectional transaction matching (5665)
• [Closed ] rules: negated http_* match returns false if buffer not populated (2224)
• [Closed ] detect/transform: from_base64 (6487)

protocols: protocol additions 7119 [5/6]

• [Assigned] protocols: implement mDNS (3952)
• [Closed ] websocket support (2695)
• [Closed ] protocol: LDAP support (1199)
• [Closed ] arp: implement decoder and logger (6827)
• [Closed ] doh: support DNS over HTTPS (DoH) (5773)
• [Closed ] sip: parse traffic over tcp (3351)

rules: improve rules keyword/output parity 6597 [6/15]

• [New ] mime: add email.status keyword (7594)
• [New ] mime: add rule keywords (7600)
• [Assigned] DNS: parity between log fields and detection (5642)
• [Assigned] detect: smtp keyword coverage (6473)
• [Assigned] mime: expose ‘headers’ as a keyword (7586)
• [In Progress] ftp: parity of logging and detection buffers (6476)
• [In Progress] eve/output: investigate how to track coverage / parity (6463)
• [In Progress] ldap: add keywords to match output (7452)
• [In Review] mime: add email.body_md5 keyword (7587)
• [Closed ] mime: add email.cc keyword (7588)
• [Closed ] mime: add email.date keyword (7591)
• [Closed ] mime: add email.from keyword (7592)
• [Closed ] mime: add email.message_id keyword (7593)
• [Closed ] mime: add email.subject keyword (7595)
• [Closed ] mime: add email.to keyword (7596)