Archive | news

Suricata 4.1 EOL update: support extended

Just a quick note that we’re planning to keep the 4.1 branch supported until at least the end of the year. We understand that lots of organizations are going through various levels of disruption currently.

Normally we’d announce the EOL date for 4.1 right about now, but we understand that upgrades like this may not be a priority in your organization, or that the risk of causing service disruptions is considered too high in the current situation.

As the end of 2020 nears we’ll provide another update on our 4.1 plans.

5.0, our current stable branch, will naturally be supported as well.

Work on the upcoming 6.0 is progressing nicely. The Suricata Dev team is already a virtual team with most of us routinely working from home, so disruption for us has so far been minimal.

Stay healthy!

Suricata Hosting Two Training Sessions at SharkFest’20 US

Mark your calendars! This July, Suricata will be in Kansas City, MO at SharkFest’20 US, hosting two intense, 90-minute crash courses on intrusion analysis/threat hunting and signature development.

The first training, Practical Signature Development for Open Source IDS, focuses on expert methods and techniques for writing network signatures to efficiently hunt and detect the greatest and most common threats facing organizations today. In addition to Suricata, we’ll utilize leading open source security tools, specifically Wireshark, to teach traffic analysis fundamentals, custom signature writing and how to test your signatures for accuracy and performance.

Suricata experts with real-world experience in customizing and tailoring the solution to identify and hunt threats will equip you with the ability to analyze and interpret hostile network traffic to create agile rules for detection and mitigation.

Attendees of the second session, Intrusion Analysis and Threat Hunting with Suricata, will learn how to dig deep into network traffic to uncover key evidence that a compromise has occurred, identify new forms of attack and develop the skills necessary to proactively search for Indicators of Compromise and evidence of new breaches. The course will also explore key phases of adversary tactics and techniques from delivery mechanisms to post-infection traffic and data exfiltration, offering a true hands-on analysis experience.

Join us at SharkFest’20 US and maximize your open-source capabilities with Suricata.

For more information on the conference, visit https://sharkfestus.wireshark.org/

Announcing forum.suricata.io

We’re happy to announce that for Suricata we’re going to trial a Discourse setup. Discourse is a “place for civilized discussion”. It is used by others in the open source community, such as Mozilla and the Rust Language project.

Join at https://forum.suricata.io/

Reasons for choosing Discourse

Easy to get started for users: the default forum style interface makes it easy to start interacting with the community. It also directly gives access to (participating in) discussions that predate the registration, something that is much harder in the current mailing lists. By enabling a number of ‘social logins’, signing up is also easy.

Trial goals

Goals of the trial are finding out how the community would use this platform, how we can manage it against various forms of unwanted activity and if we can see an uptick of users. Next to this we want to use the trial period to adjust settings, experiment with plugins and themes.

Trial steps

During the trial we will use the hosted version of Discourse, which is hosted by the developers of the platform. During the trial or at the end of the trial we’ll evaluate how well this worked for us. Discourse can also be self-hosted.

The trial will run until June 1st. Assuming the trial is successful, we will then start a transition phase where we will discourage the use of the old mailing lists. End of summer / early fall we’ll then disable them completely. We will keep the archives online of course.

Mailing list

For people who dislike forums or in general dislike web based interfaces, Discourse offers a special ‘mailing list mode’. In this mode you can receive posts as emails, reply to them and start new topics as well. The mailing list mode can be activated in the ‘preferences’ page of your account.

See https://forum.suricata.io/t/mailinglist-mode

Feedback

In the ‘Site Feedback’ category you can give feedback on the setup, predefined categories, moderation, etc. Please use this if you feel there are things that can be done to improve the usefulness of the platform.

See: https://forum.suricata.io/c/site-feedback/

Hope to see you at https://forum.suricata.io/

OISF/Suricata to Offer Intrusion Detection and Threat Hunting Training Course at Black Hat Asia

Due to concerns surrounding the COVID-19 virus, Black Hat Asia has rescheduled the conference to Sept 29 – Oct 2, 2020. We’re excited to announce that OISF will be at the Marina Bay Sands in Singapore this September/October for Black Hat Asia, with our experts hosting a four-day power training on Intrusion Detection and Threat Hunting with Open Source Tools.

Our goal with this training is to help attendees build a foundation for an effective threat hunting program, as well as provide ideas and strategies to help increase the efficiency of existing programs. When it comes to detecting threat actors and malware operations, you can’t leave stones unturned.

If you’re a beginner in the open source space looking to mature your skills, this comprehensive training is a can’t-miss. Join us on Sept 29 – Oct 2, 2020 at Black Hat Singapore and take your threat hunting capabilities to the next level. For more details on the session, check out the training page on Black Hat’s website – https://www.blackhat.com/asia-20/training/schedule/index.html#intrusion-analysis-and-threat-hunting-with-open-source-tools-18067

Early-bird pricing ends July 24th – we hope to see you in Singapore!

Trainers: Members of the OISF team

OISF/Suricata to Offer Intrusion Detection and Threat Hunting Training Course at Black Hat USA

We’re excited to announce that OISF will be at the Mandalay Bay in Las Vegas this August for Black Hat USA, with our experts hosting a four-day power training on Intrusion Detection and Threat Hunting with Open Source Tools.

Our goal with this training is to help attendees build a foundation for an effective threat hunting program, as well as provide ideas and strategies to help increase the efficiency of existing programs. When it comes to detecting threat actors and malware operations, you can’t leave stones unturned.

If you’re a beginner in the open source space looking to mature your skills, this comprehensive training is a can’t-miss. Join us on August 1-4 at Black Hat USA and take your threat hunting capabilities to the next level. For more details on the session, check out the training page on Black Hat’s website – https://www.blackhat.com/us-20/training/schedule/#intrusion-analysis-and-threat-hunting-with-open-source-tools-19091

This course will cover the fundamental aspects of Suricata such as rule comprehension, managing rule sets, validating alerts, working through false positives/negatives and customizing rules to provide more network traffic visibility. We’ll dive into an in-depth analysis of network traffic and the development of threat hunting strategies to detect anomalous or malicious activity with tools such as Moloch, Kibana and CyberChef. Additionally, we’ll have several hands-on, real-world exercises to reinforce the detection techniques and tactics explained throughout the course.

Early bird pricing for the training ends on May 22, so act fast!

Black Hat USA August 2020

Trainers: Members of the OISF team

Webinar – Enhancing Your Cuckoo Sandbox with Suricata: Installation and Configuration

The Cuckoo Sandbox has become one of the most popular open-source frameworks for the automation of malware analysis. One of the many benefits of Cuckoo is the ability to expand its capabilities through additional services and tools, such as Suricata. In this webinar, we will walk you through how to get Suricata up and running in a Cuckoo sandbox to get better network traffic analysis. This webinar will begin from a base installation of Cuckoo and show you how to install Suricata, configure Cuckoo to utilize Suricata as a post-processing module and how to update your initial rule set. We will also explore more advanced Suricata setup options to help with performance such as interacting through a unix socket. By the end of this workshop you will be able to leverage Suricata’s IDS alerts to help with your malware analysis workflow.

Cuckoo network analysis enriched with Suricata IDS alerts

This is a free webinar but seats are limited. To sign-up, go to https://zoom.us/meeting/register/v5UtceihrzosujnYxCGEhLRCbNdofG2nzQ

Presented by: Josh Stroschein

Suricata 5.0.2 released

We’re pleased to announce Suricata 5.0.2. This release fixes a number of issues found in the 5.0 branch.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-5.0.2.tar.gz

Changes

  • Bug #2993: Suricata 5.0.0beta1 memory allocation of 4294966034 bytes failed
  • Bug #3380: Segfault when using multi-detect
  • Bug #3400: smb: post-GAP file tx handling
  • Bug #3424: nfs: post-GAP some transactions never close
  • Bug #3425: nfs: post-GAP file tx handling
  • Bug #3433: coverity: CID 1456679: Memory – corruptions (NEGATIVE_RETURNS)
  • Bug #3434: coverity: CID 1456680: Incorrect expression (IDENTICAL_BRANCHES)
  • Bug #3469: gcc10: compilation failure unless -fcommon is supplied (5.0.x)
  • Bug #3473: Dropping privileges does not work with NFLOG (5.0.x)
  • Documentation #3423: readthedocs shows title of documentation as “Suricata unknown documentation”

Special thanks

Jason Taylor, Timo Sigurdsson, vanlink

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.7 released

We’re pleased to announce Suricata 4.1.7. This release fixes a number of issues found in the 4.1 branch.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.7.tar.gz

Changes

  • Bug #3417: --disable-geoip does not work (4.1.x)
  • Bug #3448: Suricata 4.1 Seg Fault: Socket Control pcap-file and corrupt pcap
  • Bug #3452: smb: post-GAP file tx handling (4.1.x)
  • Bug #3453: coverity: CID 1456680: Incorrect expression (IDENTICAL_BRANCHES) (4.1.x)
  • Bug #3470: gcc10: compilation failure unless -fcommon is supplied (4.1.x)
  • Bug #3471: nfs: post-GAP some transactions never close (4.1.x)
  • Bug #3472: nfs: post-GAP file tx handling (4.1.x)
  • Bug #3474: Dropping privileges does not work with NFLOG (4.1.x)

Special thanks

Danny Browning, Fabrice Fontaine, Timo Sigurdsson, vanlink


Suricata 5.0.1 released

We’re pleased to announce Suricata 5.0.1. This release fixes a number of issues found in the 5.0 branch. There are still a number of open issues that we are working on. See our 5.0.2 target here: https://redmine.openinfosecfoundation.org/versions/142

This release fixes a number of IPv4 and TCP evasion issues reported by Nicolas Adba.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-5.0.1.tar.gz

Changes

  • Bug #1871: intermittent abort()s at shutdown and in unix-socket
  • Bug #2810: enabling add request/response http headers in master
  • Bug #3047: byte_extract does not work in some situations
  • Bug #3073: AC_CHECK_FILE on cross compile
  • Bug #3103: --engine-analysis warning for flow on an icmp request rule
  • Bug #3120: nfq_handle_packet error -1 Resource temporarily unavailable warnings
  • Bug #3237: http_accept not treated as sticky buffer by --engine-analysis
  • Bug #3254: tcp: empty SACK option leads to decoder event
  • Bug #3263: nfq: invalid number of bytes reported
  • Bug #3264: EVE DNS Warning about defaulting to v2 as version is not set.
  • Bug #3266: fast-log: icmp type prints wrong value
  • Bug #3267: Support for tcp.hdr Behavior
  • Bug #3275: address parsing: memory leak in error path
  • Bug #3277: segfault when test a nfs pcap file
  • Bug #3281: Impossible to cross-compile due to AC_CHECK_FILE
  • Bug #3284: hash function for string in dataset is not correct
  • Bug #3286: TCP evasion technique by faking a closed TCP session
  • Bug #3324: TCP evasion technique by overlapping a TCP segment with a fake packet
  • Bug #3328: bad ip option evasion
  • Bug #3340: DNS: DNS over TCP transactions logged with wrong direction.
  • Bug #3341: tcp.hdr content matches don’t work as expected
  • Bug #3345: App-Layer: Not all parsers register TX detect flags that should
  • Bug #3346: BPF filter on command line not honored for pcap file
  • Bug #3362: cross compiling not affecting rust component of suricata
  • Bug #3376: http: pipelining tx id handling broken
  • Bug #3386: Suricata is unable to get MTU from NIC after 4.1.0
  • Bug #3389: EXTERNAL_NET no longer working in 5.0 as expected
  • Bug #3390: Eve log does not generate pcap_filename when Interacting via unix socket in pcap processing mode
  • Bug #3397: smtp: file tracking issues when more than one attachment in a tx
  • Bug #3398: smtp: ‘raw-message’ option file tracking issues with multi-tx
  • Bug #3399: smb: post-GAP some transactions never close
  • Bug #3401: smb1: ‘event only’ transactions for bad requests never close
  • Bug #3411: detect/asn1: crashes on packets smaller than offset setting
  • Task #3364: configure: Rust 1.37+ has cargo-vendor support bundled into cargo.
  • Documentation #2885: update documentation to indicate -i can be used multiple times
  • Bundle Suricata-Update 1.1.1
  • Bundle Libhtp 0.5.32

Special thanks

Nicolas Adba, Alexander Gozman, Ciprian, Daisu, EmilienCourt, Fabrice Fontaine, Pascal Delalande, Steven Hostetler, Wesley van der Ree, Jason Taylor

Trainings

See https://suricata_events.eventbrite.com/ for the current list of planned training sessions.


Suricata 4.1.6 released

We’re pleased to announce Suricata 4.1.6. This release fixes a number of issues found in the 4.1 branch.

This release fixes a number of IPv4 and TCP evasion issues reported by Nicolas Adba.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.6.tar.gz

Changes

  • Bug #3276: address parsing: memory leak in error path (4.1.x)
  • Bug #3278: segfault when test a nfs pcap file (4.1.x)
  • Bug #3279: ikev2 enabled in config even if Rust is disabled
  • Bug #3325: lua issues on arm (fedora:29) (4.1.x)
  • Bug #3326: Static build with pcap fails (4.1.x)
  • Bug #3327: tcp: empty SACK option leads to decoder event (4.1.x)
  • Bug #3347: BPF filter on command line not honored for pcap file (4.1.x)
  • Bug #3355: DNS: DNS over TCP transactions logged with wrong direction. (4.1.x)
  • Bug #3356: DHCP: Slow down over time due to lack of detect flags (4.1.x)
  • Bug #3369: byte_extract does not work in some situations (4.1.x)
  • Bug #3385: fast-log: icmp type prints wrong value (4.1.x)
  • Bug #3387: suricata is logging tls log repeatedly if custom mode is enabled (4.1.x)
  • Bug #3388: TLS Lua output does not work without TLS log (4.1.x)
  • Bug #3391: Suricata is unable to get MTU from NIC after 4.1.0 (4.1.x)
  • Bug #3393: http: pipelining tx id handling broken (4.1.x)
  • Bug #3394: TCP evasion technique by overlapping a TCP segment with a fake packet (4.1.x)
  • Bug #3395: TCP evasion technique by faking a closed TCP session (4.1.x)
  • Bug #3402: smb: post-GAP some transactions never close (4.1.x)
  • Bug #3403: smb1: ‘event only’ transactions for bad requests never close (4.1.x)
  • Bug #3404: smtp: file tracking issues when more than one attachment in a tx (4.1.x)
  • Bug #3405: Filehash rule does not fire without filestore keyword
  • Bug #3410: intermittent abort()s at shutdown and in unix-socket (4.1.x)
  • Bug #3412: detect/asn1: crashes on packets smaller than offset setting (4.1.x)
  • Task #3367: configure: Rust 1.37+ has cargo-vendor support bundled into cargo (4.1.x)
  • Bundle Suricata-Update 1.0.6
  • Bundle Libhtp 0.5.32

Special thanks

Nicolas Adba, Mats Klepsland, Fabrice Fontaine
