Suricata 2.0.2 Windows Installer Available

The Windows MSI installer of the Suricata 2.0.2 release is now available.

Download it here: Suricata-2.0.2-1-32bit.msi

After downloading, double click the file to launch the installer. The installer is now signed.

If you have a previous version installed, please remove that first.

Suricata Ubuntu PPA updated to 2.0.2

We have updated the official Ubuntu PPA to Suricata 2.0.2. To use this PPA read our docs here.

To install Suricata through this PPA, enter:
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata

If you’re already using this PPA, updating is as simple as:
sudo apt-get update && sudo apt-get upgrade

The PPA Ubuntu packages have IPS mode through NFQUEUE enabled.

Suricata 2.0.2 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0.2. This release fixes a number of issues in the 2.0 series.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.2.tar.gz

Notable changes

  • IP defrag issue leading to evasion. Bug discovered by Antonios Atlasis working with ERNW GmbH
  • Support for NFLOG as a capture method. Nice work by Giuseppe Longo
  • DNS TXT parsing and logging. Funded by Emerging Threats
  • Log rotation through SIGHUP. Created by Jason Ish of Endace/Emulex

All closed tickets

  • Feature #781: IDS using NFLOG iptables target
  • Feature #1158: Parser DNS TXT data parsing and logging
  • Feature #1197: liblua support
  • Feature #1200: sighup for log rotation
  • Bug #1098: http_raw_uri with relative pcre parsing issue
  • Bug #1175: unix socket: valgrind warning
  • Bug #1189: abort() in 2.0dev (rev 6fbb955) with pf_ring 5.6.3
  • Bug #1195: nflog: cppcheck reports memleaks
  • Bug #1206: ZC pf_ring not working with Suricata 2.0.1 (or latest git)
  • Bug #1211: defrag issue
  • Bug #1212: core dump (after a while) when app-layer.protocols.http.enabled = yes
  • Bug #1214: Global Thresholds (sig_id 0, gid_id 0) not applied correctly if a signature has event vars
  • Bug #1217: Segfault in unix-manager.c line 529 when using –unix-socket and sending pcap files to be analized via socket

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Jason Ish — Endace/Emulex
  • Tom Decanio — nPulse
  • Antonios Atlasis working with ERNW GmbH
  • Alessandro Guido
  • Mats Klepsland
  • @rmkml
  • Luigi Sandon
  • Christie Bunlon
  • @42wim
  • Jeka Pats
  • Noam Meltzer
  • Ivan Ristic

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.1 Windows Installer Available

The Windows MSI installer of the Suricata 2.0.1 release is now available.

Download it here: Suricata-2.0.1-1-32bit.msi

After downloading, double click the file to launch the installer. The installer is now signed.

If you have a previous version installed, please remove that first.

Suricata Ubuntu PPA updated to 2.0.1

We have updated the official Ubuntu PPA to Suricata 2.0.1. To use this PPA read our docs here.

To install Suricata through this PPA, enter:
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata

If you’re already using this PPA, updating is as simple as:
sudo apt-get update && sudo apt-get upgrade

The PPA Ubuntu packages have IPS mode through NFQUEUE enabled.

Fedora 20 gets Suricata 2.0

Fedora maintainer Steve Grubb updated the Suricata package in Fedora 20 to 2.0.

If you are running Fedora, updating is as simple as:
yum update

Installing is as simple as:
yum install suricata

The Fedora package has IPS mode through NFQUEUE enabled.

Suricata 2.0.1 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0.1. This release brings TLS Heartbleed detection and fixes a number of issues in the 2.0 release.  There were no changes since 2.0.1rc1.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.1.tar.gz

Notable changes

  • OpenSSL Heartbleed detection. Thanks to Pierre Chifflier and Will Metcalf
  • Fixed Unix Socket runmode
  • Fixed AF_PACKET IPS support

All closed tickets

  • Feature #1157: Always create pid file if –pidfile command line option is provided
  • Feature #1173: tls: OpenSSL heartbleed detection
  • Bug #978: clean up app layer parser thread local storage
  • Bug #1064: Lack of Thread Deinitialization For Decoder Modules
  • Bug #1101: Segmentation in AppLayerParserGetTxCnt
  • Bug #1136: negated app-layer-protocol FP on multi-TX flows
  • Bug #1141: dns response parsing issue
  • Bug #1142: dns tcp toclient protocol detection
  • Bug #1143: tls protocol detection in case of tls-alert
  • Bug #1144: icmpv6: unknown type events for MLD_* types
  • Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
  • Bug #1146: tls: event on ‘new session ticket’ in handshake
  • Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
  • Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
  • Bug #1161: eve: src and dst mixed up in some cases
  • Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
  • Bug #1163: HTP Segfault
  • Bug #1165: af_packet – one thread consistently not working
  • Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
  • Bug #1176: AF_PACKET IPS mode is broken in 2.0
  • Bug #1177: eve log do not show action ‘dropped’ just ‘allowed’
  • Bug #1180: Possible problem in stream tracking

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Jason Ish — Endace/Emulex
  • Tom Decanio — nPulse
  • Pierre Chifflier
  • Will Metcalf
  • Duarte Silva
  • Brad Roether
  • Christophe Vandeplas
  • Jason Jones
  • Jorgen Bohnsdalen
  • Fábio Depin
  • Gines Lopez
  • Ivan Ristic
  • Coverity

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.1rc1 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0.1rc1, the first (and hopefully only) release candidate for Suricata 2.0.1. This brings TLS Heartbleed detection and fixes a number of issues in the 2.0 release.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.1rc1.tar.gz

Notable changes

  • OpenSSL Heartbleed detection. Thanks to Pierre Chifflier and Will Metcalf
  • Fixed Unix Socket runmode
  • Fixed AF_PACKET IPS support

All closed tickets

  • Feature #1157: Always create pid file if –pidfile command line option is provided
  • Feature #1173: tls: OpenSSL heartbleed detection
  • Bug #978: clean up app layer parser thread local storage
  • Bug #1064: Lack of Thread Deinitialization For Decoder Modules
  • Bug #1101: Segmentation in AppLayerParserGetTxCnt
  • Bug #1136: negated app-layer-protocol FP on multi-TX flows
  • Bug #1141: dns response parsing issue
  • Bug #1142: dns tcp toclient protocol detection
  • Bug #1143: tls protocol detection in case of tls-alert
  • Bug #1144: icmpv6: unknown type events for MLD_* types
  • Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
  • Bug #1146: tls: event on ‘new session ticket’ in handshake
  • Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
  • Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
  • Bug #1161: eve: src and dst mixed up in some cases
  • Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
  • Bug #1163: HTP Segfault
  • Bug #1165: af_packet – one thread consistently not working
  • Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
  • Bug #1176: AF_PACKET IPS mode is broken in 2.0
  • Bug #1177: eve log do not show action ‘dropped’ just ‘allowed’
  • Bug #1180: Possible problem in stream tracking

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Jason Ish — Endace/Emulex
  • Tom Decanio — nPulse
  • Pierre Chifflier
  • Will Metcalf
  • Duarte Silva
  • Brad Roether
  • Christophe Vandeplas
  • Jason Jones
  • Jorgen Bohnsdalen
  • Fábio Depin
  • Gines Lopez
  • Ivan Ristic
  • Coverity

Known issues & missing features

This is a “release candidate”-quality release so the stability should be good although unexpected corner cases might happen. If you encounter one, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Eric Leblond speaking about Suricata 2.0 at HES

200xNxEric_Leblond-199x300Suricata developer Eric Leblond will present Suricata and the new features available in the 2.0 version at Hackito Ergo Sum, a security conference which take place in Paris, France. Entitled “Suricata 2.0, Netfilter and the PRC”, the talk will focus on features such as the new full JSON output or TLS protocol handling. The talk is scheduled at 10:30am April 26th. More information: http://2014.hackitoergosum.org/speakers/#leblond

Suricata Ubuntu PPA updated to 2.0

We have updated the official Ubuntu PPA to Suricata 2.0. To use this PPA read our docs here.

To install Suricata through this PPA, enter:
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata

If you’re already using this PPA, updating is as simple as:
sudo apt-get update && sudo apt-get upgrade

The PPA Ubuntu packages have IPS mode through NFQUEUE enabled.