# Suricata 8.0.0 Roadmap

## usecase: improve firewall usecase ([7164](https://redmine.openinfosecfoundation.org/issues/7164))

- [New] userguide: document usage of Suricata as a firewall ([6270](https://redmine.openinfosecfoundation.org/issues/6270))
- [In Progress] firewall: comprehensive rules tests ([7269](https://redmine.openinfosecfoundation.org/issues/7269))

## deployment: improve secure deployment ([7160](https://redmine.openinfosecfoundation.org/issues/7160))

- [New] landlock: enable by default ([6936](https://redmine.openinfosecfoundation.org/issues/6936))
- [Assigned] ppa: run as a non-root user ([6952](https://redmine.openinfosecfoundation.org/issues/6952))

## extensibility: plugins ([7148](https://redmine.openinfosecfoundation.org/issues/7148))

- [Closed] eve/filetypes: move from plugin api to eve api ([6838](https://redmine.openinfosecfoundation.org/issues/6838))
- [Closed] Output plugins receive identifier, but not thread identifier ([6408](https://redmine.openinfosecfoundation.org/issues/6408))
- [New] plugins: support creating app-layer parser, logger and detect ([4102](https://redmine.openinfosecfoundation.org/issues/4102))
- [New] plugins: convert DNS to use the plugin API ([4103](https://redmine.openinfosecfoundation.org/issues/4103))
- [In Review] pfring: move into bundled plugin ([7162](https://redmine.openinfosecfoundation.org/issues/7162))

## misc: supply chain risk improvements ([7147](https://redmine.openinfosecfoundation.org/issues/7147))

- [Closed] reimplement systemd sd_notify w/o linking to libsystemd ([6913](https://redmine.openinfosecfoundation.org/issues/6913))

## misc: general improvements and cleanups ([7141](https://redmine.openinfosecfoundation.org/issues/7141))

- [Closed] byte_extract: convert keyword/option parsing to Rust ([6873](https://redmine.openinfosecfoundation.org/issues/6873))
- [New] Convert Rule Profile JSON output to JsonBuilder ([4937](https://redmine.openinfosecfoundation.org/issues/4937))
- [In Progress] Convert Stats to JsonBuilder ([3766](https://redmine.openinfosecfoundation.org/issues/3766))

## protocols: C to Rust conversions ([7140](https://redmine.openinfosecfoundation.org/issues/7140))

- [Closed] enip: convert protocol parser to rust ([3958](https://redmine.openinfosecfoundation.org/issues/3958))
- [Closed] mime: multi-part parser in Rust ([3487](https://redmine.openinfosecfoundation.org/issues/3487))
- [Assigned] smtp: convert parser to Rust ([4098](https://redmine.openinfosecfoundation.org/issues/4098))
- [In Progress] http: implement parser in rust ([2696](https://redmine.openinfosecfoundation.org/issues/2696))

## lua: sandboxed lua support with minimum set of bindings ([7128](https://redmine.openinfosecfoundation.org/issues/7128))

- [In Progress] lua: vendor latest lua stable ([4776](https://redmine.openinfosecfoundation.org/issues/4776))
- [In Progress] lua create: use a rust crate to vendor lua ([6961](https://redmine.openinfosecfoundation.org/issues/6961))
- [In Review] lua: use script as transform ([2290](https://redmine.openinfosecfoundation.org/issues/2290))
- [Closed] lua: implement sandboxing ([4777](https://redmine.openinfosecfoundation.org/issues/4777))
- [Closed] lua: increment stat when a lua rule exhausts its instruction count ([6939](https://redmine.openinfosecfoundation.org/issues/6939))
- [Closed] lua: handle errors in lua rules ([6940](https://redmine.openinfosecfoundation.org/issues/6940))
- [New] lua: expose base64 functions ([7074](https://redmine.openinfosecfoundation.org/issues/7074))
- [New] lua: expose hashing functions (md5/sha1/sha256) ([7073](https://redmine.openinfosecfoundation.org/issues/7073))
- [New] lua: fix inconsistency in the init "needs" key ([4753](https://redmine.openinfosecfoundation.org/issues/4753))
- [In Progress] lua: expose dataset functions ([7243](https://redmine.openinfosecfoundation.org/issues/7243))

## rules: improve rule language ([7124](https://redmine.openinfosecfoundation.org/issues/7124))

- [In Review] rules: bidirectional transaction matching ([5665](https://redmine.openinfosecfoundation.org/issues/5665))
- [In Review] Negated http_* match returns false if buffer not populated ([2224](https://redmine.openinfosecfoundation.org/issues/2224))
- [In Progress] tracking: detect: integer as first-class support ([6644](https://redmine.openinfosecfoundation.org/issues/6644))
- [New] frames: support rules with multiple different frames ([7092](https://redmine.openinfosecfoundation.org/issues/7092))
- [Assigned] detect/frames: allow mixing with txs ([5049](https://redmine.openinfosecfoundation.org/issues/5049))
- [Assigned] ftp: add stream app-layer frame support ([4906](https://redmine.openinfosecfoundation.org/issues/4906))
- [Closed] transform: from_base64 ([6487](https://redmine.openinfosecfoundation.org/issues/6487))

## protocols: protocol additions ([7119](https://redmine.openinfosecfoundation.org/issues/7119))

- [Closed] websocket support ([2695](https://redmine.openinfosecfoundation.org/issues/2695))
- [Closed] protocol: LDAP support ([1199](https://redmine.openinfosecfoundation.org/issues/1199))
- [In Progress] protocol support: STUN ([7068](https://redmine.openinfosecfoundation.org/issues/7068))
- [Assigned] mDNS protocol implementation ([3952](https://redmine.openinfosecfoundation.org/issues/3952))
- [Closed] arp: implement decoder and logger ([6827](https://redmine.openinfosecfoundation.org/issues/6827))
- [Closed] Support DNS over HTTPS (DoH) ([5773](https://redmine.openinfosecfoundation.org/issues/5773))
- [New] HTTP/3 support ([6472](https://redmine.openinfosecfoundation.org/issues/6472))
- [Closed] sip: parse traffic over tcp ([3351](https://redmine.openinfosecfoundation.org/issues/3351))
- [In Progress] smb: support multi-stream file transfers ([4861](https://redmine.openinfosecfoundation.org/issues/4861))

## rules: improve rules keyword/output parity ([6597](https://redmine.openinfosecfoundation.org/issues/6597))

- [Assigned] DNS: parity between log fields and detection ([5642](https://redmine.openinfosecfoundation.org/issues/5642))
- [Assigned] app-layer: rust derive style macros to generate common code ([4153](https://redmine.openinfosecfoundation.org/issues/4153))
- [New] ftp: parity of logging and detection buffers ([6476](https://redmine.openinfosecfoundation.org/issues/6476))
- [Assigned] detect: smtp keyword coverage ([6473](https://redmine.openinfosecfoundation.org/issues/6473))
- [New] eve/output: investigate how to track coverage / parity ([6463](https://redmine.openinfosecfoundation.org/issues/6463))