Archive | release RSS for this section

Suricata 4.0 released!

We are thrilled to announce Suricata 4.0. This is a major new release, improving detection capabilities, adding new output options and more protocols.suri-400x400

Improved Detection

Based on valuable feedback from the rule writing teams at Emerging Threats and Positive Technologies we’ve added and improved many rule keywords for inspecting HTTP, SSH and other protocols. TLS additions were contributed by Mats Klepsland at NorCERT, including decoding, logging and matching on TLS serial numbers. Additionally, Suricata now allows rule writers to specify who’s the target in a signature. This information is used in EVE JSON logging to give more context with alerts.

TLS improved, NFS added

More on the TLS side: A major new feature is support for STARTTLS in SMTP and FTP. TLS sessions will now be logged in these cases. More goodness from Mats Klepsland. Also, TLS session resumption logging is now supported thanks to the work of Ray Ruvinskiy. Additional TLS logging improvements were done by Paulo Pacheco.

NFS decoding, logging and file extraction was added as part of the experimental Rust support. Read on for more information about Rust.

More EVE JSON

EVE is extended in several ways:

  • in the case of encapsulated traffic both the inner and outer ip addresses and ports are logged
  • the ‘vars’ facility logs flowbits and other vars. This can also be used to log data extracted from traffic using a PCRE statement in rules
  • EVE can now be rotated based on time
  • EVE was extended to optionally log the HTTP request and/or response bodies
  • the (partial) flow record is added to alert records.

The ‘vars’ facility is one of the main improvements here, as it is now possible for a signature to accurately extract information for logging. For instance, a signature can extract an advertised software version or other information such as the recipient of an email. [https://blog.inliniac.net/2016/12/20/suricata-bits-ints-and-vars/]

First Step into a Safer Future

This is the first release in which we’ve implemented parts in the Rust language using the Nom parser framework. This work is inspired by Pierre Chiffliers’ (ANSSI), talk at SuriCon 2016 (pdf). By compiling with –enable-rust you’ll get a basic NFS parser and a re-implementation of the DNS parser. Feedback on this is highly appreciated.

The Rust support is still experimental, as we are continuing to explore how it functions, performs and what it will take to support it in the community. Additionally we included Pierre Chiffliers Rust parsers work. This uses external Rust parser ‘crates’ and is enabled by using –enable-rust-experimental. Initially this adds a NTP parser.

Under the Hood

A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode. First steps in TCP GAP recovery were taken, with implementations for DNS and NFS.

For developers, this release makes extending the detection engine with high performance keywords a lot easier. Adding a new high performance keyword using multi pattern matching does now requires only a few lines of code.

Documentation

David Wharton at SecureWorks has created a section in the documentation for rule writers who have a background in Snort. It documents changes that are relevant for writing rules.

Next steps

Based on the feedback we’ll get we’re expecting to do a 4.0.1 release in a month or so. Then we’ll start work on the next major release, which is 4.1. This is planned for late fall, ETA before SuriCon in Prague.

Feature tickets

  • Feature #806: Implement STARTTLS support
  • Feature #2006: tls: decode certificate serial number
  • Feature #1969: TLS transactions with session resumption are not logged
  • Feature #2129: nfs: parser, logger and detection
  • Feature #2130: dns: rust parser with stateless behaviour
  • Feature #2131: nfs: implement GAP support
  • Feature #2163: ntp parser
  • Feature #2164: rust: external parser crate support
  • Feature #2077: Additional HTTP Header Contents and Negation
  • Feature #2011: eve.alert: print outside IP addresses on alerts on traffic inside tunnels
  • Feature #2095: eve: http body in alert event
  • Feature #1978: Using date in logs name
  • Feature #1998: eve.tls: custom TLS logging
  • Feature #2046: Support custom file permissions per logger
  • Feature #2123: unix-socket: additional runmodes
  • Feature #2132: eve: flowbit and other vars logging
  • Feature #2156: Add app_proto or partial flow entry to alerts
  • Feature #744: Teredo configuration
  • Feature #2061: lua: get timestamps from flow
  • Feature #1953: lua: expose flow_id
  • Feature #1748: lua: expose tx in alert lua scripts
  • Feature #1636: Signal rotation of unified2 log file without restart
  • Feature #2133: unix socket: add/remove hostbits
  • Feature #805: Add support for applayer change

For all other closed tickets please see the full changelog of 4.0.

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.0.tar.gz

Special thanks

Mats Klepsland – for his major contributions: many EVE and TLS features

Pierre Chifflier – for paving the way for the Rust experiment and being very helpful while learning Rust and Nom.

Additionally: Abdullah Ada, Jérémy Beaume, Sebastian Garcia, Alexander Gozman, Giuseppe Longo, Paulo Pacheco, Selivanov Pavel, Ray Ruvinskiy, Peter Sanders, David Wharton, Jon Zeolla, the AFL project and Coverity Scan.

Suricata Trainings and Events

We have several community events and trainings on the calendar and in the works for 2017… here are some of the highlights:

  • 5-Day Developer Deep Dive Training – Sept 11 – 15, 2017, Cork, Ireland – led by Victor Julien, Eric Leblond, and Jason Ish
  • Rule Writing Training @ DerbyCon – Sept 20 – 24, 2017 – SOLD OUT!
  • Rule Writing Training @ SuriCon – Nov 13 – 14, 2017
  • 2-Day Suricata Training @ SuriCon – Nov 13 – 14, 2017
  • SuriCon 2017 – Nov 15 – 17, 2017, Prague

Details and registration for all our events can be found at https://suricata_events.eventbrite.com. Don’t delay as space is limited.

We also offer custom training events for your team – contact us at info@oisf.net for details.

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 4.0.0-rc2 ready for testing!

suri-400x400

We are proud to announce that the second release candidate for the upcoming Suricata 4.0.0 is ready for your testing.

We’re aiming for a final 4.0.0 release about 2 weeks from now. Please help us test!

Changes

  • Feature #744: Teredo configuration
  • Feature #1748: lua: expose tx in alert lua scripts
  • Bug #1855: alert number output
  • Bug #1888: noalert in a pass rule disables the rule
  • Bug #1957: PCRE lowercase enforcement in http_host buffer does not allow for upper case in hex-encoding
  • Bug #1958: Possible confusion or bypass within the stream engine with retransmits.
  • Bug #2110: isdataat: keyword memleak
  • Bug #2162: rust/nfs: reachable asserting rust panic
  • Bug #2175: rust/nfs: panic – 4.0.0-dev (rev 7c25a2d)
  • Bug #2176: gcc 7.1.1 ‘format truncation’ compiler warnings
  • Bug #2177: asn1/der: stack overflow

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.0-rc2.tar.gz

Special thanks

AFL project, Abdullah Ada

Trainings

SuriCon 2017

Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be in November in Prague: https://suricon.net

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.2.3 available!

suri-400x400

We are pleased to announce Suricata 3.2.3. This release fixes a fairly small number of issues. The most important one is an issue we found using AFL in the DER/ASN1 parser. This has the potential to crash your Suricata instance.

Changes

  • Bug #2089: engine file logging race condition (3.2.x)
  • Bug #2173: openbsd: pcap with raw datalink not supported (3.2.x)
  • Bug #2178: asn1/der: stack overflow (3.2.x)
  • Bug #2179: Possible confusion or bypass within the stream engine with retransmits. (3.2.x)
  • Bug #2183: gcc 7.1.1 ‘format truncation’ compiler warnings (3.2.x)

Download

https://www.openinfosecfoundation.org/download/suricata-3.2.3.tar.gz

Special thanks

AFL project

Trainings

SuriCon 2017

Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be in November in Prague: https://suricon.net

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 4.0.0-rc1 ready for testing!

suri-400x400

We are proud to announce that the first release candidate for the upcoming Suricata 4.0.0 is ready for your testing. Since the beta1 release we’ve received much valuable feedback, leading to lots of fixed issues.

Notable changes: initial merge of Pierre Chiffliers Rust parsers work. This uses external Rust parser ‘crates’ and is enabled by using –enable-rust-experimental. This is even more experimental than –enable-rust, so use with care. Initially this adds a NTP parser.

The NFS parser adds support for catching up after packet loss, adds UDP support and basic NFSv2 support.

EVE was extended to optionally log the HTTP request and/or response bodies. Also new in EVE, the (partial) flow record is added to alert records.

We’re aiming for a final 4.0.0 release one month from now. If needed a rc2 release may be added to the schedule. Please help us test!

Changes

  • Feature #2095: eve: http body in alert event
  • Feature #2131: nfs: implement GAP support
  • Feature #2156: Add app_proto or partial flow entry to alerts
  • Feature #2163: ntp parser
  • Feature #2164: rust: external parser crate support
  • Bug #1930: Segfault when event rule is invalid
  • Bug #2038: validate app-layer API use
  • Bug #2109: asn1: keyword memleak
  • Bug #2141: 4.0.0-dev (rev 8ea9a5a) segfault
  • Bug #2143: Bypass cause missing alert on packets only signatures
  • Bug #2144: rust: panic in dns/tcp
  • Bug #2148: rust/dns: panic on malformed rrnames
  • Bug #2153: starttls ‘tunnel’ packet issue – nfq_handle_packet error -1
  • Bug #2154: Dynamic stack overflow in payload printable output
  • Bug #2155: AddressSanitizer double-free error
  • Bug #2157: Compilation Issues Beta 4.0
  • Bug #2158: Suricata v4.0.0-beta1 dns_query; segmentation fault
  • Bug #2159: http: 2221028 triggers on underscore in hostname
  • Bug #2160: openbsd: pcap with raw datalink not supported
  • Bug #2161: libhtp 0.5.25
  • Bug #2165: rust: releases should include crate dependencies (cargo-vendor)

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.0-rc1.tar.gz

Special thanks

Pierre Chifflier, Selivanov Pavel, Giuseppe Longo

Trainings

SuriCon 2017

Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be in November in Prague: https://suricon.net

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 4.0.0-beta1 ready for testing!

suri-400x400

We are proud to announce that the first release for the upcoming Suricata 4.0.0-beta1 is ready for testing.

This release features our first experimental steps into using the Rust language for creating safer and easier to develop parsers. Inspired by Pierre Chiffliers talk at SuriCon 2016 (pdf). This initial integration does not yet include Pierre’s work, but this will likely change in the near future.
By compiling with –enable-rust you’ll get a basic NFSv3 parser and reimplementation of the DNS parser. Feedback on this is highly appreciated.

A major new feature is support for STARTTLS in SMTP and FTP. TLS sessions will now be logged in these cases. Decoding, logging and matching on TLS sertial numbers was also added. Great work by Mats Klepsland. Also for TLS, session resumption logging is now supported thanks to the work of Ray Ruvinskiy. TLS logging was improved by Paulo Pacheco.

Lots of new HTTP detection options were added to make matching on specific header fields easier and more efficient. New SSH keywords that are fast_pattern capable have also been added. For developers, this release makes extending the detection engine a lot easier.

A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode.

EVE is extended in several ways: in the case of encapsulated traffic both the inner and outer ip addresses and ports are logged. The ‘vars’ facility logs flowbits and other vars. This can also be used to extract data from the traffic using PCRE, and then log it. EVE can also be rotated based on time.

David Wharton has created a section in the documentation for rule writers who have a background in Snort. It documents changes that are relevant for writing rules.

Paulo Pacheco has been improving the Redis output performance.

Note that this release finally drops support for CentOS 5, and for libpcap 0.x with it.

Changes

  • Feature #805: Add support for applayer change
  • Feature #806: Implement STARTTLS support
  • Feature #1636: Signal rotation of unified2 log file without restart
  • Feature #1953: lua: expose flow_id
  • Feature #1969: TLS transactions with session resumption are not logged
  • Feature #1978: Using date in logs name
  • Feature #1998: eve.tls: custom TLS logging
  • Feature #2006: tls: decode certificate serial number
  • Feature #2011: eve.alert: print outside IP addresses on alerts on traffic inside tunnels
  • Feature #2046: Support custom file permissions per logger
  • Feature #2061: lua: get timestamps from flow
  • Feature #2077: Additional HTTP Header Contents and Negation
  • Feature #2129: nfs: parser, logger and detection
  • Feature #2130: dns: rust parser with stateless behaviour
  • Feature #2132: eve: flowbit and other vars logging
  • Feature #2133: unix socket: add/remove hostbits
  • Bug #1335: suricata option –pidfile overwrites any file
  • Bug #1470: make install-full can have race conditions on OSX.
  • Bug #1759: CentOS5 EOL tasks
  • Bug #2037: travis: move off legacy support
  • Bug #2039: suricata stops processing when http-log output via unix_stream backs up
  • Bug #2041: bad checksum 0xffff
  • Bug #2044: af-packet: faulty VLAN handling in tpacket-v3 mode
  • Bug #2045: geoip: compile warning on CentOS 7
  • Bug #2049: Empty rule files cause failure exit code without corresponding message
  • Bug #2051: ippair: xbit unset memory leak
  • Bug #2053: ippair: pair is direction sensitive
  • Bug #2070: file store: file log / file store mismatch with multiple files
  • Bug #2072: app-layer: fix memleak on bad traffic
  • Bug #2078: http body handling: failed assertion
  • Bug #2088: modbus: clang-4.0 compiler warnings
  • Bug #2093: Handle TCP stream gaps.
  • Bug #2097: “Name of device should not be null” appears in suricata.log when using pfring with configuration from suricata.yaml
  • Bug #2098: isdataat: fix parsing issue with leading spaces
  • Bug #2108: pfring: errors when compiled with asan/debug
  • Bug #2111: doc: links towards http_header_names
  • Bug #2112: doc: links towards certain http_ keywords not working
  • Bug #2113: Race condition starting Unix Server
  • Bug #2118: defrag – overlap issue in linux policy
  • Bug #2125: ASAN SEGV – Suricata version 4.0dev (rev 922a27e)
  • Optimization #521: Introduce per stream thread segment pool
  • Optimization #1873: Classtypes missing on decoder-events,files, and stream-events

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.0-beta1.tar.gz

Special thanks

Mats Klepsland – for his major contributions: many EVE and TLS features

Pierre Chifflier – for paving the way for the Rust experiment and being very helpful while learning Rust and Nom.

Additionally: Jérémy Beaume, Alexander Gozman, Paulo Pacheco, Ray Ruvinskiy, Peter Sanders, David Wharton, Jon Zeolla

Trainings

SuriCon 2017

Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be in November in Prague: https://suricon.net

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.2.2 available!

suri-400x400

We are pleased to announce Suricata 3.2.2. This release fixes a fairly small number of issues.

It also improves the unix-socket runmode by allowing both ‘single’ and ‘autofp’ runmodes to be specified.

Changes

  • Feature #1675: Support additional runmodes for unix-socket
  • Bug #2043: 3.2.x backport: make install-full can have race conditions on OSX.
  • Bug #2047: af-packet: faulty VLAN handling in tpacket-v3 mode (3.2.x)
  • Bug #2048: bad checksum 0xffff (3.2.x)
  • Bug #2052: ippair: xbit unset memory leak (3.2.x)
  • Bug #2071: file store: file log / file store mismatch with multiple files (3.2.x)
  • Bug #2073: app-layer: fix memleak on bad traffic (3.2.x)
  • Bug #2079: http body handling: failed assertion (3.2.x)
  • Bug #2085: ippair: pair is direction sensitive (3.2.x)
  • Bug #2119: 3.2.x – defrag – overlap issue in linux policy
  • Bug #2122: unix socket: race condition on start up (3.2.x)

Download

https://www.openinfosecfoundation.org/download/suricata-3.2.2.tar.gz

Special thanks

Jérémy Beaume, Alexander Gozman, Zoltan Herczeg and Jon Zeolla

Trainings

SuriCon 2017

Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be in November in Prague: https://suricon.net

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.2.1 available!

suri-400x400

We’re pleased to announce Suricata 3.2.1. This release features a large number of improvements and fixes over the 3.2 release.
Most importantly it fixes a IPv4 defrag issue that allows evasion of detection and logging. Found and reported by Jérémy Beaume.

Changes

  • Feature #1951: Allow building without libmagic/file
  • Feature #1972: SURICATA ICMPv6 unknown type 143 for MLDv2 report
  • Feature #2010: Suricata should confirm SSSE3 presence at runtime when built with Hyperscan support
  • Bug #467: compilation with unittests & debug validation
  • Bug #1780: VLAN tags not forwarded in afpacket inline mode
  • Bug #1827: Mpm AC fails to alloc memory
  • Bug #1843: Mpm Ac: int overflow during init
  • Bug #1887: pcap-log sets snaplen to -1
  • Bug #1946: can’t get response info in some situation
  • Bug #1973: suricata fails to start because of unix socket
  • Bug #1975: hostbits/xbits memory leak
  • Bug #1982: tls: invalid record event triggers on valid traffic
  • Bug #1984: http: protocol detection issue if both sides are malformed
  • Bug #1985: pcap-log: minor memory leaks
  • Bug #1987: log-pcap: pcap files created with invalid snaplen
  • Bug #1988: tls_cert_subject bug
  • Bug #1989: SMTP protocol detection is case sensitive
  • Bug #1991: Suricata cannot parse ports: “![1234, 1235]”
  • Bug #1997: tls-store: bug that cause Suricata to crash
  • Bug #2001: Handling of unsolicited DNS responses.
  • Bug #2003: BUG_ON body sometimes contains side-effectual code
  • Bug #2004: Invalid file hash computation when force-hash is used
  • Bug #2005: Incoherent sizes between request, capture and http length
  • Bug #2007: smb: protocol detection just checks toserver
  • Bug #2008: Suricata 3.2, pcap-log no longer works due to timestamp_pattern PCRE
  • Bug #2009: Suricata is unable to get offloading settings when run under non-root
  • Bug #2012: dns.log does not log unanswered queries
  • Bug #2017: EVE Log Missing Fields
  • Bug #2019: IPv4 defrag evasion issue
  • Bug #2022: dns: out of bound memory read

Download

https://www.openinfosecfoundation.org/download/suricata-3.2.1.tar.gz

Special thanks

Jérémy Beaume, Mats Klepsland, Sascha Steinbiss, Alexander Gozman, Peter Sanders, Travis Green, AFL, CoverityScan

Training & Support

The next user training will be at the Troopers17 conference in Germany, March 20 and 21. Sign up at https://www.troopers.de/events/troopers17/734_suricata_world-class_and_open_source/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1.4 available!

suri-400x400

We’re pleased to announce Suricata 3.1.4. The most important fix is for a IPv4 defrag issue that allows evasion of detection and logging, found and reported by Jérémy Beaume. Otherwise this release is mostly a collection of smaller fixes.

Download

https://www.openinfosecfoundation.org/download/suricata-3.1.4.tar.gz

Changes

  • Bug #2024: No error on missing semicolon between depth and classtype (3.1.x)
  • Bug #2025: hostbits/xbits memory leak (3.1.x)
  • Bug #2026: log-pcap: pcap files created with invalid snaplen (3.1.x)
  • Bug #2027: BUG_ON body sometimes contains side-effectual code (3.1.x)
  • Bug #2028: Mpm Ac: int overflow during init (3.1.x)
  • Bug #2029: EVE Log Missing Fields (3.1.x)
  • Bug #2030: Incoherent sizes between request, capture and http length (master 3.1.x)
  • Bug #2031: tls-store: bug that cause Suricata to crash (3.1.x)
  • Bug #2032: VLAN tags not forwarded in afpacket inline mode (3.1.x)
  • Bug #2033: IPv4 defrag evasion issue (3.1.x)

Special thanks

Jérémy Beaume, Alexander Gozman, Mats Klepsland, Sascha Steinbiss, Tom DeCanio, AFL, Coverity Scan

Training & Support

The next user training will be at the Troopers17 conference in Germany, March 20 and 21. Sign up at https://www.troopers.de/events/troopers17/734_suricata_world-class_and_open_source/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.2 available!

suri-400x400
The OISF and Suricata development team is really proud to announce the availability of Suricata 3.2. This was a real community effort with 12 different contributors from 9 different countries that added to the work of Suricata core team. Thanks a lot for these contributions!

Suricata 3.2 comes with some new features that can help a Meerkat to stay awake when on a guard watch. The support of industrial networks has been greatly improved with the addition of two new protocols, DNP3 and CIP/ENIP. But we can’t forget the improvements on the TLS side with new fields available for matching and logging such as certificate validity dates. On file matching and logging, it is now possible to use SHA1/SHA256 in addition to the obsolete MD5.

On the performance side, Suricata 3.2 run as fast as a Cheetah with the addition of the bypass mechanism that can help to fix the challenging Elephant flows. Another big improvement comes from the pre-filter system that allows packet inspecting keywords to be much faster.

Documentation has received a huge overhaul, with PDF and other formats now available: http://suricata.readthedocs.io/en/suricata-3.2/

On usability side, one can note that incompatible NIC offloading is now switched off by default. Also, the unix command socket is now enabled by default.

For those of you into lists, here you are:

Big changes

  • bypass
  • pre-filter — fast packet keywords
  • TLS improvements
  • SCADA/ICS protocol additions: DNP3 CIP/ENIP
  • SHA1/SHA256 for file matching, logging & extraction
  • Sphinx documentation

Visible smaller changes

  • NIC offloading disabled by default
  • unix command socket enabled by default
  • App Layer stats

Under the hood

  • threading simplification (log api + no more thread restarts)
  • flow manager optimization
  • simplify adding keywords
  • luajit improvements wrt memory handling in large deployments

Download

https://www.openinfosecfoundation.org/download/suricata-3.2.tar.gz

Special thanks

Stamus Networks, NorCert, Solana Networks, FireEye, Proofpoint, CoverityScan

Mats Klepsland, Giuseppe Longo, Duarte Silva, Tom Decanio, Kevin Wong, Nicolas Thill, Duarte Silva, Thomas Andrejak, Paulo Pacheco, Priit Laes, Alexander Gozman

Training & Support

Need help installing, updating, validating and tuning Suricata? OISF organizes regular user and developer training sessions. Keep an eye on https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.2RC1 ready for testing

We’re happy to announce Suricata 3.2RC1. The biggest addition to this release is the DNP3 support. We don’t expect many changes after this release candidate, so please help us test it!

Get the release here:

https://www.openinfosecfoundation.org/download/suricata-3.2RC1.tar.gz

High level changes

  • Feature #1745: DNP3 protocol support.
  • Feature #1906: doc: install man page and ship pdf
  • Feature #1916: lua: add an SCPacketTimestamp function
  • Feature #1867: rule compatibility: flow:not_established not supported.
  • Bug #1525: Use pkg-config for libnetfilter_queue
  • Bug #1690: app-layer-proto negation issue
  • Bug #1909: libhtp 0.5.23
  • Bug #1914: file log always shows stored: no even if file is stored
  • Bug #1917: nfq: bypass SEGV
  • Bug #1919: filemd5: md5-list does not allow comments any more
  • Bug #1923: dns – back to back requests results in loss of response
  • Bug #1928: flow bypass leads to memory errors
  • Bug #1931: multi-tenancy fails to start
  • Bug #1932: make install-full does not install tls-events.rules
  • Bug #1935: Check redis reply in non pipeline mode
  • Bug #1936: Can’t set fast_pattern on tls_sni content

Special thanks

Nicolas Thill, Duarte Silva, Thomas Andrejak, Paulo Pacheco, Priit Laes, CoverityScan

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. Agenda and speakers are now available, including keynote speakers Ron Gula and Liam Randall. Please see: http://suricon.net/

Training & Support

Need help installing, updating, validating, tuning and extending Suricata? We have a training session coming up at SuriCon: November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/ Conference attendees get a 20% discount!

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.