Archive | news RSS for this section

Call for testing: announcing Suricata 5.0.0-beta1

We’re happy to present the first beta in the upcoming Suricata 5.0 series. In 5.0 we’re making a couple of large changes.

Rust

The most visible is that our Rust support is no longer optional. We’re convinced that Rust is a perfect match for Suricata, and we plan to increase its footprint in our code base steadily. By making it mandatory we’re able to remove parallel implementations and focus fully on making the Rust code better.

Protocol Detection

The protocol detection engine has been extended to provide better accuracy as well as support for dealing with asynchronous flows. These async flows are sometimes picked up in the wrong direction and the protocol detection engine can now reverse them.

Decoder Anomaly records in EVE

A new log record type has been added: ‘anomaly’. This logs the stream and decoder events that are set by the packet decoders. This is inspired by Zeeks (Bro) ‘weird’ log.

EVE improvements

VLAN and capture interface is now part of many more EVE records, even if they are flow records or records based on flow time out.

An option to log all HTTP headers to the EVE http records has been added.

Packet Capture

Netmap support has been rewritten so the more advanced features of netmap, such as vale switches, can be used now.

Napatech usability has been improved.

Rule language: Sticky Buffers (in progress)

As discussed at the Suricon 2018 brainstorm session, a new rule keyword scheme is being introduced. It takes the existing ‘sticky buffer’ approach with new keyword names to avoid confusion. The new scheme is <proto>.<buffer>, so for example ‘http.uri’ for the URI inspection.

A number of HTTP keywords have been added.

Unified Lua inspection mixed with the sticky buffers has also been implemented.

Python 3

With Python 2’s EOL approaching, we’ve made sure that all Suricata’s python code is Python 3 compliant.

Removals

Following our deprecation policy, we have removed the following parts: the plain text dns.log, the old files-json.log and support for the Tilera architecture.

https://suricata-ids.org/about/deprecation-policy/

Many more things

https://redmine.openinfosecfoundation.org/versions/115

Time line

We’re planning the first release candidate in about a month, with the final about a month later. So early July.

Get involved

If you’re interested in helping out, we’d be happy to accept patches, documentation, test reports and other kind of feedback.

Download from:

https://www.openinfosecfoundation.org/downloads/suricata-5.0.0-beta1.tar.gz

Suricata 4.1.4 released

We’re pleased to announce Suricata 4.1.4. This release fixes a number of issues found in the 4.1 branch.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.4.tar.gz

Changes

  • Bug #2870: pcap logging with lz4 coverity warning
  • Bug #2883: ssh: heap buffer overflow
  • Bug #2884: mpls: heapbuffer overflow in file decode-mpls.c
  • Bug #2887: decode-ethernet: heapbuffer overflow in file decode-ethernet.c
  • Bug #2888: 4.1.3 core in HCBDCreateSpace
  • Bug #2894: smb 1 create andx request does not parse the filename correctly
  • Bug #2902: rust/dhcp: panic in dhcp parser
  • Bug #2903: mpls: cast of misaligned data leads to undefined behavior
  • Bug #2904: rust/ftp: panic in ftp parser
  • Bug #2943: rust/nfs: integer underflow
  • This release includes Suricata-Update 1.0.5

Special thanks

Alexander Bluhm, Giuseppe Longo, Max Fillinger, Wesley van der Ree, Jason Taylor
Sirko Höer — Code Intelligence GmbH, DCSO.

Trainings

See https://suricata_events.eventbrite.com/ for the current list of planned training sessions.

Suricon

The CFP for Suricon 2019 is open! Submit your talk proposal at: https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.3 released

We’re pleased to announce Suricata 4.1.3. This release fixes a number of issues found in the 4.1-series.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.3.tar.gz

Changes

  • Bug #2225: when stats info dumping in redis,the decoder.ipv4.trunc_pkt can’t output.In the same time, in the stats.log this can output
  • Bug #2362: rule reload with workers mode and NFQUEUE not working stable
  • Bug #2761: Include ebpf files in distributed sources
  • Bug #2762: SSLv3 – AddressSanitizer heap-buffer-overflow
  • Bug #2770: TCP FIN/ACK, RST/ACK in HTTP – detection bypass
  • Bug #2788: afpacket doesn’t wait for all capture threads to start
  • Bug #2805: dns v1/2 with rust results in less app layer data available in the alert record (for dns related alerts/rules) (4.1.x)
  • Bug #2811: netmap/afpacket IPS: stream.inline: auto broken
  • Bug #2823: configure.ac: broken –{enable,disable}-xxx options (4.1.x)
  • Bug #2842: IPS mode crash under load
  • Bug #2855: Suricata does not bridge host <-> hw rings (Affects FreeBSD 11-STABLE, FreeBSD 12 and FreeBSD 13-CURRENT)
  • Bug #2862: pcre related FP in HTTP inspection (4.1.x)
  • Bug #2865: Suricata rule sid:2224005 SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) not works (4.1.x)
  • Feature #2774: pcap multi dev support for Windows

Special thanks

Edwin van Vliet, Mats Klepsland, Pierre Chifflier, Alexander Gozman, Fabrice Fontaine, Jingyu Yang, Murat Balaban, Pascal Delalande

Trainings

2019 Training Calendar has been posted. There are still seats available for next weeks Advanced Deployment and Threat Hunting training in Washington, D.C. See https://suricata-ids.org/training/

Suricon

Suricon 2018 was a great success and the 2019 location has been announced: Amsterdam. Please consider becoming a sponsor! https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.0.7 available!

We’re pleased to announce Suricata 4.0.7.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.0.7.tar.gz

EOL announcement

The Suricata 4.0.x branch will go end of life in 2 months, after which it will no longer be updated. If you are still on 4.0.x, it’s recommended that you start planning the upgrade to 4.1.x.

Changes

  • Bug #2714: Failed Assertion, Suricata Abort – util-mpm-hs.c line 163
  • Bug #2735: unix runmode deadlock when using too many threads (4.0.x)
  • Bug #2794: Python 3 unicode issue in Rust C header generator on FreeBSD
  • Bug #2824: rule reload with workers mode and NFQUEUE not working stable (4.0.x)
  • Bug #2825: TCP FIN/ACK, RST/ACK in HTTP – detection bypass (4.0.x)
  • Bug #2826: afpacket doesn’t wait for all capture threads to start (4.0.x)
  • Bug #2827: DNS Golden Transaction ID – detection bypass (4.0.x)
  • Bug #2828: Invalid detect-engine config could lead to segfault (4.0.x)
  • Bug #2830: suricata.c ConfigGetCaptureValue – PCAP/AFP fallthrough to strip_trailing_plus (4.0.x)
  • Bug #2831: Stats interval are 1 second too early each tick (4.0.x)
  • Bug #2832: rust/dns/lua – The Lua calls for DNS values when using Rust don’t behave the same as the C implementation. (4.0.x)
  • Bug #2863: out of bounds read in detection
  • Feature #2829: smtp: improve pipelining support (4.0.x)

Special thanks

Philippe Antoine, Alexander Gozman, Fabrice Fontaine, Murat Balaban

Trainings

The 2019 Training Calendar has been posted. There are still seats available for next weeks Advanced Deployment and Threat Hunting training in Washington, D.C. See https://suricata-ids.org/training/

SuriCon

Suricon 2018 was a great success and the 2019 location and dates have been announced: October 30 – November 1, 2019 in Amsterdam. Please consider becoming a sponsor! https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.2 released

Much sooner than planned we are releasing 4.1.2. The 4.1.1 process didn’t go as planned. First the tarball was missing the vendored Rust crates. Then we found that Suricata-Update didn’t properly function on CentOS 7, Ubunut 14.04 and other slightly older distros. Then last minute we found yet another Suricata-Update bug.

So despite it being so close to the holidays for many, we decided to push 4.1.2 out already. Apologies for the inconvenience this may cause.

Other than the issues mention above, we did also fix some additional issues. SMB logging accuracy was improved, DNS detection and logging accuracy was improved and some documentation updates are included as well.

After the holidays are over we’re going to review our QA for both Suricata and Suricata-Update, so we can avoid issue like this in the future.

Changes

  • Feature #1863: smtp: improve pipelining support
  • Feature #2748: bundle libhtp 0.5.29
  • Feature #2749: bundle suricata-update 1.0.3
  • Bug #2682: python-yaml Not Listed As Ubuntu Prerequisite
  • Bug #2736: DNS Golden Transaction ID – detection bypass
  • Bug #2745: Invalid detect-engine config could lead to segfault
  • Bug #2752: smb: logs for IOCTL and DCERPC have tree_id value of 0

Special thanks

Philippe Antoine, Alexey Vishnyakov

Download

https://www.openinfosecfoundation.org/downloads/suricata-4.1.2.tar.gz

Suricata 4.1.1 available!

suri-400x400

We are pleased to announce Suricata 4.1.1. This release fixes a number of issues found 4.1. It also adds EVE DNSv1 support for Rust builds.

Changes

  • Feature #2637: af-packet: improve error output for BPF loading failure
  • Feature #2671: Add Log level to suricata.log when using JSON type
  • Bug #2502: suricata.c ConfigGetCaptureValue – PCAP/AFP fallthrough to strip_trailing_plus
  • Bug #2528: krb parser not always parsing tgs responses
  • Bug #2633: Improve errors handling in AF_PACKET
  • Bug #2653: llc detection failure in configure.ac
  • Bug #2677: coverity: ja3 potential memory leak
  • Bug #2679: build with profiling enabled on generates compile warnings
  • Bug #2704: DNSv1 for Rust enabled builds.
  • Bug #2705: configure: Test for PyYAML and disable suricata-update if not installed.
  • Bug #2716: Stats interval are 1 second too early each tick
  • Bug #2717: nfs related panic in 4.1
  • Bug #2719: Failed Assertion, Suricata Abort – util-mpm-hs.c line 163 (4.1.x)
  • Bug #2723: dns v2 json output should always set top-level rrtype in responses
  • Bug #2730: rust/dns/lua – The Lua calls for DNS values when using Rust don’t behave the same as the C implementation.
  • Bug #2731: multiple instances of transaction loggers are broken
  • Bug #2734: unix runmode deadlock when using too many threads
  • Bundled Suricata-Update was updated to 1.0.1

Download

https://www.openinfosecfoundation.org/download/suricata-4.1.1.tar.gz

Special thanks

Jason Taylor, Eric Urban, Mats Klepsland, Pierre Chifflier

Trainings

The 2019 calendar of trainings will be out soon – check back here or follow us on Twitter (@OISFoundation) for all training announcements

Suricon

Suricon 2018 was a great success and the 2019 location has been announced: Amsterdam. Please consider becoming a sponsor! https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1 released!

After a longer than intended release development cycle, the OISF development team is proud to present Suricata 4.1.

Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2. All of them have been implemented in Rust to ensure their introduction will not be compromising to the security and the stability of the complete system.

Support for tracking and logging TLS 1.3 has been added, including JA3 support.

On performance side, one of the main improvements is the availability of capture bypass for AF_PACKET implemented on top of the new eXpress Data Path (XDP) capability of Linux kernel. Windows users will benefit from the 4.1 release with a new IPS mode based on WinDivert.

All new protocols require Rust so Suricata 4.1 is not really 4.1 if you don’t have Rust. This is why the build system is now enabling Rust by default if it is available on the build machine.

This is the first release where Suricata-Update 1.0, the new Suricata rule updater, is bundled.

Protocol updates

  • SMBv1/2/3 parsing, logging, file extraction
  • TLS 1.3 parsing and logging (Mats Klepsland)
  • JA3 TLS client fingerprinting (Mats Klepsland)
  • TFTP: basic logging (Pascal Delalande and Clément Galland)
  • FTP: file extraction
  • Kerberos parser and logger (Pierre Chifflier)
  • IKEv2 parser and logger (Pierre Chifflier)
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • HTTP: handle sessions that only have a response, or start with a response
  • HTTP Flash file decompression support (Giuseppe Longo)

Output and logging

  • File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
  • Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
  • Eve: new more compact DNS record format (Giuseppe Longo)
  • Pcap directory mode: process all pcaps in a directory (Danny Browning)
  • Compressed PCAP logging (Max Fillinger)
  • Expanded XFF support (Maurizio Abba)
  • Community Flow Id support (common ID between Suricata and Bro/Zeek)

Packet Capture

  • AF_PACKET XDP and eBPF support for high speed packet capture
  • Windows IPS: WinDivert support (Jacob Masen-Smith)
  • PF_RING: usability improvements

Misc

  • Windows: MinGW is now supported
  • Detect: transformation keyword support
  • Bundled Suricata-Update
  • Per device multi-tenancy

Minor Changes since 4.1rc2

  • Coverity fixes and annotations
  • Update Suricata-Update to 1.0.0

Security

  • SMTP crash issue was fixed: CVE-2018-18956
  • Robustness of defrag against FragmentSmack was improved
  • Robustness of TCP reassembly against SegmentSmack was improved

Download

https://www.openinfosecfoundation.org/download/suricata-4.1.0.tar.gz

Get paid to work on Suricata!

Enjoying the testing? Or want to help out with other parts of the project?
We are looking for people, so reach out to us if you’re interested.

Special thanks

Mats Klepsland, Pierre Chifflier, Giuseppe Longo, Ralph Broenink, Danny Browning, Maurizio Abba, Pascal Delalande, Wolfgang Hotwagner, Jason Taylor, Jesper Dangaard Brouer, Alexander Gozman, Konstantin Klinger, Max Fillinger, Antoine LUONG, David DIALLO, Jacob Masen-Smith, Martin Natano, Ruslan Usmanov, Alfredo Cardigliano, Antti Tönkyrä, Brandon Sterne, Chris Speidel, Clément Galland, Dana Helwig, Daniel Humphries, Elazar Broad, Gaurav Singh, Hilko Bengen, Nick Price, Philippe Antoine, Renato Botelho, Thomas Andrejak, Paulo Pacheco, Henning Perl, Kirill Shipulin, Christian Kreibich, Tilli Juha-Matti.

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

The 2019 calendar of trainings will be out soon – check back here or follow us on Twitter (@OISFoundation) for all training announcements.

Suricon 2018

Suricon 2018 Vancouver is next week and it’s still possible to join! https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.0.6 available!

suri-400x400

We are pleased to announce Suricata 4.0.6.  This is a security update fixing a SMTP crash issue, as well as a fair number of regular issues.

Security

SMTP crash issue was fixed: CVE-2018-18956

Changes

  • Bug #2568: negated fileext and filename do not work as expected (4.0.x)
  • Bug #2576: filemd5 is not fired in some cases when there are invalid packets
  • Bug #2607: File descriptor leak in af-packet mode (4.0.x)
  • Bug #2634: Improve errors handling in AF_PACKET (4.0.x)
  • Bug #2658: smtp segmentation fault (4.0.x)
  • Bug #2664: libhtp 0.5.28 (4.0.x)
  • Support #2512: http events – Weird unicode characters and truncation in some of http_method/http_user_agent fields
  • Support #2546: Suricata 4.0.x blocking issues

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.6.tar.gz

Special thanks

Maurizio Abba, Sean Cloherty

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

The 2019 calendar of trainings will be out soon – check back here or follow us on Twitter (@OISFoundation) for all training announcements

Suricon 2018

Suricon 2018 Vancouver is next week and it’s still possible to join! https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Call for testing: Suricata 4.1rc2 released

Suricata 4.1rc2 is ready for testing. We’re hoping that this will be the final release candidate so that 4.1 can be released just before Suricon next month.

Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos,FTP, DHCP, IKEv2, as well as improvements on Linux capture side via AF_PACKET XDP support and on Windows IPS side via WinDivert. The growth of Rust usage inside Suricata continues as most of the new protocols have been implemented in Rust.

Most important change for going from RC1 to RC2 is that we have enabled Rust support by default. If Rust is installed, it will be used.

Protocol updates

  • SMBv1/2/3 parsing, logging, file extraction
  • TLS 1.3 parsing and logging (Mats Klepsland)
  • JA3 TLS client fingerprinting (Mats Klepsland)
  • TFTP: basic logging (Pascal Delalande and Clément Galland)
  • FTP: file extraction
  • Kerberos parser and logger (Pierre Chifflier)
  • IKEv2 parser and logger (Pierre Chifflier)
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • HTTP: handle sessions that only have a response, or start with a response
  • HTTP Flash file decompression support (Giuseppe Longo)

Output and logging

  • File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
  • Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
  • Eve: new more compact DNS record format (Giuseppe Longo)
  • Pcap directory mode: process all pcaps in a directory (Danny Browning)
  • Compressed PCAP logging (Max Fillinger)
  • Expanded XFF support (Maurizio Abba)
  • Community Flow Id support (common ID between Suricata and Bro/Zeek)

Packet Capture

  • AF_PACKET XDP and eBPF support for high speed packet capture
  • Windows IPS: WinDivert support (Jacob Masen-Smith)

Misc

  • Windows: MinGW is now supported
  • Detect: transformation keyword support
  • Bundled Suricata-Update
  • Per device multi-tenancy

Major changes since 4.1rc1

  • Rust support is enabled by default
  • Community Flow Id support (common ID between Suricata and Bro/Zeek)
  • Updates and fixes for dealing with SegmentSmack/FragmentSmack
  • Update Suricata-Update to 1.0.0rc2

Get paid to work on Suricata!

Enjoying the testing? Or want to help out with other parts of the project?
We are looking for people, so reach out to us if you’re interested.

Special thanks

Mats Klepsland, Jason Taylor, Maurizio Abba, Konstantin Klinger, Giuseppe Longo, Danny Browning, Hilko Bengen, Jacob Masen-Smith, Pascal Delalande, Travis Green, Christian Kreibich

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

SuriCon

SuriCon 2018 Vancouver next month, you can still join! https://suricon.net/agenda-vancouver/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Call for testing: Suricata 4.1rc1 released

It’s summer, so an excellent time for some testing! Suricata 4.1 release candidate 1 is here to be tried out. The release brings a lot of new features.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.0-rc1.tar.gz

Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2, as well as improvements on Linux capture side via AF_PACKET XDP support and on Windows IPS side via WinDivert. The progress in Rust usage inside Suricata continues as most of the new protocols have been implemented in Rust.

We invite everyone to test this release and report your experiences to us.

Protocol updates

  • SMBv1/2/3 parsing, logging, file extraction
  • JA3 TLS client fingerprinting (Mats Klepsland)
  • TFTP: basic logging (Pascal Delalande and Clément Galland)
  • FTP: file extraction
  • Kerberos parser and logger (Pierre Chifflier)
  • IKEv2 parser and logger (Pierre Chifflier)
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • HTTP: handle sessions that only have a response, or start with a response
  • HTTP Flash file decompression support (Giuseppe Longo)

Output and logging

  • File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
  • Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
  • Eve: new more compact DNS record format (Giuseppe Longo)
  • Pcap directory mode: process all pcaps in a directory (Danny Browning)
  • Compressed PCAP logging (Max Fillinger)
  • Expanded XFF support (Maurizio Abba)

Packet Capture

  • AF_PACKET XDP and eBPF support for high speed packet capture
  • Windows IPS: WinDivert support (Jacob Masen-Smith)

Misc

  • Windows: MinGW is now supported
  • Detect: transformation keyword support
  • Bundled Suricata-Update

Major changes since 4.1beta1

  • WinDivert support
  • Kerberos parser and logger
  • IKEv2 parser and logger
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • Compressed PCAP logging
  • Expanded XFF support
  • Decode GRE over IP (Paulo Pacheco)
  • Multi-tenancy fixes
  • SMB improvements for midstream pickup
  • Update Suricata-Update to 1.0.0rc1

Security

CVE-2018-10242, CVE-2018-10244 (suricata)
CVE-2018-10243 (libhtp)

Get paid to work on Suricata!

Enjoying the testing? Or want to help out with other parts of the project?
We are looking for people, so reach out to us if you’re interested.

Special thanks

Henning Perl, Kirill Shipulin, Pierre Chifflier, Mats Klepsland, Max Fillinger, Alexander Gozman, Danny Browning, Giuseppe Longo, Maurizio Abba, Pascal Delalande, Chris Speidel, Elazar Broad, Jacob Masen-Smith, Renato Botelho, Paulo Pacheco, Jason Taylor

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

SuriCon

SuriCon 2018 Vancouver agenda is up! https://suricon.net/agenda-vancouver/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.