Archive by Author | inliniac

Suricata 4.1 released!

After a longer than intended release development cycle, the OISF development team is proud to present Suricata 4.1.

Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2. All of them have been implemented in Rust to ensure their introduction will not be compromising to the security and the stability of the complete system.

Support for tracking and logging TLS 1.3 has been added, including JA3 support.

On performance side, one of the main improvements is the availability of capture bypass for AF_PACKET implemented on top of the new eXpress Data Path (XDP) capability of Linux kernel. Windows users will benefit from the 4.1 release with a new IPS mode based on WinDivert.

All new protocols require Rust so Suricata 4.1 is not really 4.1 if you don’t have Rust. This is why the build system is now enabling Rust by default if it is available on the build machine.

This is the first release where Suricata-Update 1.0, the new Suricata rule updater, is bundled.

Protocol updates

  • SMBv1/2/3 parsing, logging, file extraction
  • TLS 1.3 parsing and logging (Mats Klepsland)
  • JA3 TLS client fingerprinting (Mats Klepsland)
  • TFTP: basic logging (Pascal Delalande and Clément Galland)
  • FTP: file extraction
  • Kerberos parser and logger (Pierre Chifflier)
  • IKEv2 parser and logger (Pierre Chifflier)
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • HTTP: handle sessions that only have a response, or start with a response
  • HTTP Flash file decompression support (Giuseppe Longo)

Output and logging

  • File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
  • Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
  • Eve: new more compact DNS record format (Giuseppe Longo)
  • Pcap directory mode: process all pcaps in a directory (Danny Browning)
  • Compressed PCAP logging (Max Fillinger)
  • Expanded XFF support (Maurizio Abba)
  • Community Flow Id support (common ID between Suricata and Bro/Zeek)

Packet Capture

  • AF_PACKET XDP and eBPF support for high speed packet capture
  • Windows IPS: WinDivert support (Jacob Masen-Smith)
  • PF_RING: usability improvements

Misc

  • Windows: MinGW is now supported
  • Detect: transformation keyword support
  • Bundled Suricata-Update
  • Per device multi-tenancy

Minor Changes since 4.1rc2

  • Coverity fixes and annotations
  • Update Suricata-Update to 1.0.0

Security

  • SMTP crash issue was fixed: CVE-2018-18956
  • Robustness of defrag against FragmentSmack was improved
  • Robustness of TCP reassembly against SegmentSmack was improved

Download

https://www.openinfosecfoundation.org/download/suricata-4.1.0.tar.gz

Get paid to work on Suricata!

Enjoying the testing? Or want to help out with other parts of the project?
We are looking for people, so reach out to us if you’re interested.

Special thanks

Mats Klepsland, Pierre Chifflier, Giuseppe Longo, Ralph Broenink, Danny Browning, Maurizio Abba, Pascal Delalande, Wolfgang Hotwagner, Jason Taylor, Jesper Dangaard Brouer, Alexander Gozman, Konstantin Klinger, Max Fillinger, Antoine LUONG, David DIALLO, Jacob Masen-Smith, Martin Natano, Ruslan Usmanov, Alfredo Cardigliano, Antti Tönkyrä, Brandon Sterne, Chris Speidel, Clément Galland, Dana Helwig, Daniel Humphries, Elazar Broad, Gaurav Singh, Hilko Bengen, Nick Price, Philippe Antoine, Renato Botelho, Thomas Andrejak, Paulo Pacheco, Henning Perl, Kirill Shipulin, Christian Kreibich, Tilli Juha-Matti.

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

The 2019 calendar of trainings will be out soon – check back here or follow us on Twitter (@OISFoundation) for all training announcements.

Suricon 2018

Suricon 2018 Vancouver is next week and it’s still possible to join! https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.0.6 available!

suri-400x400

We are pleased to announce Suricata 4.0.6.  This is a security update fixing a SMTP crash issue, as well as a fair number of regular issues.

Security

SMTP crash issue was fixed: CVE-2018-18956

Changes

  • Bug #2568: negated fileext and filename do not work as expected (4.0.x)
  • Bug #2576: filemd5 is not fired in some cases when there are invalid packets
  • Bug #2607: File descriptor leak in af-packet mode (4.0.x)
  • Bug #2634: Improve errors handling in AF_PACKET (4.0.x)
  • Bug #2658: smtp segmentation fault (4.0.x)
  • Bug #2664: libhtp 0.5.28 (4.0.x)
  • Support #2512: http events – Weird unicode characters and truncation in some of http_method/http_user_agent fields
  • Support #2546: Suricata 4.0.x blocking issues

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.6.tar.gz

Special thanks

Maurizio Abba, Sean Cloherty

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

The 2019 calendar of trainings will be out soon – check back here or follow us on Twitter (@OISFoundation) for all training announcements

Suricon 2018

Suricon 2018 Vancouver is next week and it’s still possible to join! https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Call for testing: Suricata 4.1rc2 released

Suricata 4.1rc2 is ready for testing. We’re hoping that this will be the final release candidate so that 4.1 can be released just before Suricon next month.

Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos,FTP, DHCP, IKEv2, as well as improvements on Linux capture side via AF_PACKET XDP support and on Windows IPS side via WinDivert. The growth of Rust usage inside Suricata continues as most of the new protocols have been implemented in Rust.

Most important change for going from RC1 to RC2 is that we have enabled Rust support by default. If Rust is installed, it will be used.

Protocol updates

  • SMBv1/2/3 parsing, logging, file extraction
  • TLS 1.3 parsing and logging (Mats Klepsland)
  • JA3 TLS client fingerprinting (Mats Klepsland)
  • TFTP: basic logging (Pascal Delalande and Clément Galland)
  • FTP: file extraction
  • Kerberos parser and logger (Pierre Chifflier)
  • IKEv2 parser and logger (Pierre Chifflier)
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • HTTP: handle sessions that only have a response, or start with a response
  • HTTP Flash file decompression support (Giuseppe Longo)

Output and logging

  • File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
  • Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
  • Eve: new more compact DNS record format (Giuseppe Longo)
  • Pcap directory mode: process all pcaps in a directory (Danny Browning)
  • Compressed PCAP logging (Max Fillinger)
  • Expanded XFF support (Maurizio Abba)
  • Community Flow Id support (common ID between Suricata and Bro/Zeek)

Packet Capture

  • AF_PACKET XDP and eBPF support for high speed packet capture
  • Windows IPS: WinDivert support (Jacob Masen-Smith)

Misc

  • Windows: MinGW is now supported
  • Detect: transformation keyword support
  • Bundled Suricata-Update
  • Per device multi-tenancy

Major changes since 4.1rc1

  • Rust support is enabled by default
  • Community Flow Id support (common ID between Suricata and Bro/Zeek)
  • Updates and fixes for dealing with SegmentSmack/FragmentSmack
  • Update Suricata-Update to 1.0.0rc2

Get paid to work on Suricata!

Enjoying the testing? Or want to help out with other parts of the project?
We are looking for people, so reach out to us if you’re interested.

Special thanks

Mats Klepsland, Jason Taylor, Maurizio Abba, Konstantin Klinger, Giuseppe Longo, Danny Browning, Hilko Bengen, Jacob Masen-Smith, Pascal Delalande, Travis Green, Christian Kreibich

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

SuriCon

SuriCon 2018 Vancouver next month, you can still join! https://suricon.net/agenda-vancouver/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Call for testing: Suricata 4.1rc1 released

It’s summer, so an excellent time for some testing! Suricata 4.1 release candidate 1 is here to be tried out. The release brings a lot of new features.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.0-rc1.tar.gz

Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2, as well as improvements on Linux capture side via AF_PACKET XDP support and on Windows IPS side via WinDivert. The progress in Rust usage inside Suricata continues as most of the new protocols have been implemented in Rust.

We invite everyone to test this release and report your experiences to us.

Protocol updates

  • SMBv1/2/3 parsing, logging, file extraction
  • JA3 TLS client fingerprinting (Mats Klepsland)
  • TFTP: basic logging (Pascal Delalande and Clément Galland)
  • FTP: file extraction
  • Kerberos parser and logger (Pierre Chifflier)
  • IKEv2 parser and logger (Pierre Chifflier)
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • HTTP: handle sessions that only have a response, or start with a response
  • HTTP Flash file decompression support (Giuseppe Longo)

Output and logging

  • File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
  • Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
  • Eve: new more compact DNS record format (Giuseppe Longo)
  • Pcap directory mode: process all pcaps in a directory (Danny Browning)
  • Compressed PCAP logging (Max Fillinger)
  • Expanded XFF support (Maurizio Abba)

Packet Capture

  • AF_PACKET XDP and eBPF support for high speed packet capture
  • Windows IPS: WinDivert support (Jacob Masen-Smith)

Misc

  • Windows: MinGW is now supported
  • Detect: transformation keyword support
  • Bundled Suricata-Update

Major changes since 4.1beta1

  • WinDivert support
  • Kerberos parser and logger
  • IKEv2 parser and logger
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • Compressed PCAP logging
  • Expanded XFF support
  • Decode GRE over IP (Paulo Pacheco)
  • Multi-tenancy fixes
  • SMB improvements for midstream pickup
  • Update Suricata-Update to 1.0.0rc1

Security

CVE-2018-10242, CVE-2018-10244 (suricata)
CVE-2018-10243 (libhtp)

Get paid to work on Suricata!

Enjoying the testing? Or want to help out with other parts of the project?
We are looking for people, so reach out to us if you’re interested.

Special thanks

Henning Perl, Kirill Shipulin, Pierre Chifflier, Mats Klepsland, Max Fillinger, Alexander Gozman, Danny Browning, Giuseppe Longo, Maurizio Abba, Pascal Delalande, Chris Speidel, Elazar Broad, Jacob Masen-Smith, Renato Botelho, Paulo Pacheco, Jason Taylor

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

SuriCon

SuriCon 2018 Vancouver agenda is up! https://suricon.net/agenda-vancouver/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 4.0.5 available!

suri-400x400

We are pleased to announce Suricata 4.0.5.  This is a security update fixing a number of security issues, as well as a fair number of regular issues.

Security

CVE-2018-10242, CVE-2018-10244 (suricata)
CVE-2018-10243 (libhtp)

Changes

  • Bug #2480: http eve log data source/dest flip (4.0.x)
  • Bug #2482: HTTP connect: difference in detection rates between 3.1 and 4.0.x
  • Bug #2531: yaml: ConfYamlHandleInclude memleak (4.0.x)
  • Bug #2532: memleak: when using app-layer event rules without rust
  • Bug #2533: Suricata gzip unpacker bypass (4.0.x)
  • Bug #2534: Suricata stops inspecting TCP stream if a TCP RST was met (4.0.x)
  • Bug #2535: Messages with SC_LOG_CONFIG level are logged to syslog with EMERG priority (4.0.x)
  • Bug #2537: libhtp 0.5.27 (4.0.x)
  • Bug #2540: getrandom prevents any suricata start commands on more later OS’s (4.0.x)
  • Bug #2544: ssh out of bounds read (4.0.x)
  • Bug #2545: enip out of bounds read (4.0.x)

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz

Special thanks

Henning Perl, Kirill Shipulin, Alexander Gozman, Elazar Broad, Pierre Chifflier, Maurizio Abba, Renato Botelho

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

SuriCon 2018

SuriCon 2018 Vancouver agenda is up! https://suricon.net/agenda-vancouver/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Announcing the Suricata Community Council

One of the most valuable moments in the Suricata development process is the annual SuriCon brainstorm. This interaction between the team and community gives the development team a lot of input for the next year.

We hope to create similar conditions more frequently. Therefore, we would like to introduce the new Suricata Community Council – an open and two-way communication channel between the Suricata community and the development team.

The council members will:

  • Provide technical advice and feedback to the development team for major releases;
  • Report on the general state of the Suricata community;
  • Participate in quarterly calls;
  • Join us at SuriCon annually.

We will have quarterly calls as well as convene in-person at SuriCon. To avoid scaling issues, we’re limiting the group’s size and have invited some contributors and other community members to join. Also, the companies at the Platinum and Gold levels of the OISF consortium will each get a representative in the council as well.

As the council comes together we will be updating the Suricata website with bios and more information. In addition, the council will post meeting minutes and updates on https://suricata-ids.org/ and the oisf mailing lists.

For questions about this exciting new community council or becoming a member of the OISF consortium, please contact us at info@oisf.net.

Suricata 4.1 beta 1 ready for testing

We are proud to announce that the first beta release for the upcoming Suricata 4.1 is ready for testing. This release is brought to you by the OISF development team with the help 25 community contributors.

Download:
https://www.openinfosecfoundation.org/download/suricata-4.1.0-beta1.tar.gz

We invite everyone to test this release and report your experiences to us.

Main features additions

  • SMBv1/2/3 parsing, logging, file extraction
  • AF_PACKET XDP and eBPF support for high speed packet capture
  • JA3 TLS client fingerprinting
  • HTTP: handle sessions that only have a response, or start with a response
  • Windows: MinGW is now supported
  • File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
  • Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
  • Pcap directory mode: process all pcaps in a directory
  • Detect: transformation support
  • Eve: new more compact DNS record format
  • TFTP: basic logging
  • HTTP Flash file decompression support
  • All tickets: https://redmine.openinfosecfoundation.org/versions/105

Special thanks

Giuseppe Longo, Mats Klepsland, Pierre Chifflier, Ralph Broenink, Wolfgang Hotwagner, Danny Browning, Pascal Delalande, Jesper Dangaard Brouer, Maurizio Abba, Alexander Gozman, Antoine LUONG, David DIALLO, Martin Natano, Ruslan Usmanov, Alfredo Cardigliano, Antti Tönkyrä, Brandon Sterne, Clément Galland, Dana Helwig, Daniel Humphries, Gaurav Singh, Nick Price, Philippe Antoine, Thomas Andrejak, Jason Taylor

SuriCon 2018

Come meet the Suricata community and development team to discuss all things Suricata at the fourth edition of the annual Suricata Conference. SuriCon 2018 will be held in November in Vancouver, Canada: https://suricon.net

Our call for presentations is still open, so please submit your ideas!

Also, we’re still looking for sponsors for the event.

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 4.0.4 available!

suri-400x400

We are pleased to announce Suricata 4.0.4.  This is a security update fixing a number of security issues, as well as a fair number of regular issues.

Security

CVE-2018-6794 was requested for issue #2440

Changes

  • Bug #2306: suricata 4 deadlocks during failed output log reopening
  • Bug #2361: rule reload hangup
  • Bug #2389: BUG_ON asserts in AppLayerIncFlowCounter (4.0.x)
  • Bug #2392: libhtp 0.5.26 (4.0.x)
  • Bug #2422: [4.0.3] af_packet: a leak that (possibly) breaks an inline channel
  • Bug #2438: various config parsing issues
  • Bug #2439: Fix timestamp offline when pcap timestamp is zero (4.0.x)
  • Bug #2440: stream engine bypass issue (4.0.x)
  • Bug #2441: der parser: bad input consumes cpu and memory (4.0.x)
  • Bug #2443: DNP3 memcpy buffer overflow (4.0.x)
  • Bug #2444: rust/dns: Core Dump with malformed traffic (4.0.x)
  • Bug #2445: http bodies / file_data: thread space creation writing out of bounds

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.4.tar.gz

Special thanks

Wolfgang Hotwagner, Kirill Shipulin, Pierre Chifflier, Alexander Gozman, Martin Natano, Maurizio Abba, Nick Price, Philippe Antoine, AFL

SuriCon 2018

Call for presentations is open and tickets for SuriCon 2018 are available: https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 4.0.3 available!

suri-400x400

We are pleased to announce Suricata 4.0.3.  This is regular bug fix release fixing various issues.

Note: this release was first released as 4.0.2, but due to a packaging mistake it contained the wrong branch.

Changes

  • Feature #2245: decoder for ieee802.1AH traffic
  • Bug #798: stats.log in yaml config – append option – missing
  • Bug #891: detect-engine.profile does not err out in incorrect values – suricata.yaml
  • Bug #961: max pending packets variable parsing
  • Bug #1185: napatech: cppcheck warning
  • Bug #2215: Lost events writing to unix socket
  • Bug #2230: valgrind memcheck – 4.0.0-dev (rev 1180687)
  • Bug #2250: detect: mixing byte_extract and isdataat leads to FP & FN
  • Bug #2263: content matches disregarded when using dns_query on udp traffic
  • Bug #2274: ParseSizeString in util-misc.c: Null-pointer dereference
  • Bug #2275: ConfGetInt in conf.c: NULL-pointer dereference
  • Bug #2276: conf: NULL-pointer dereference in CoredumpLoadConfig
  • Bug #2293: rules: depth < content rules not rejected
  • Bug #2324: segfault in http_start (4.0.x)
  • Bug #2325: Suricata segfaults on ICMP and flowint check (4.0.x)

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.3.tar.gz

Special thanks

Danny Browning, Harley H, Travis Green, Wolfgang Hotwagner, Edward Fjellskål

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.2.5 available!

suri-400x400

We are pleased to announce Suricata 3.2.5. This release fixes a number of issues.

This will be the last 3.2 release, as 3.2 will go ‘end of life’ later this month.

Changes

  • Bug #2328: detect: mixing byte_extract and isdataat leads to FP & FN (3.2.x)
  • Bug #2329: various config parsing issues
  • Bug #2330: rules: depth < content rules not rejected (3.2.x)
  • Bug #2331: Suricata segfaults on ICMP and flowint check (3.2.x)

Download

https://www.openinfosecfoundation.org/download/suricata-3.2.5.tar.gz

End of life announcement

The 3.2 branch will be end-of-life in 2 months, so on December 18. After this it will receive no more updates of any kind, so please plan for your upgrade to Suricata 4.0+ before that date.

https://suricata-ids.org/about/eol-policy/

Special thanks

Wolfgang Hotwagner, Harley H, Edward Fjellskål

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.