Suricata 6.0.0 released

We are proud to announce Suricata 6.0. This major new release is the result of a year of work by the OISF development team and the Suricata community.

During this development cycle, the focus has been on:

  • stability and robustness
  • performance
  • support for new protocols like HTTP/2, MQTT and RFB
  • improvements to existing protocols (DCERPC, SSH)
  • extensibility
  • improvements to detection capabilities

Get the release here:
https://www.openinfosecfoundation.org/downloads/suricata-6.0.0.tar.gz

This release comes with libhtp 0.5.35 and Suricata-Update 1.2.0.

Power of the community

A lot of the features and improvements have been made by community members:

  • MQTT (Sascha Steinbiss)
  • RFB (Frank Honza)
  • HASSH (Vadym Malakhatko)
  • ASN.1 Rust (Pierre Chifflier and Emmanuel Thompson)
  • cbindgen (Danny Browning)
  • nom 5 conversion (Pierre Chifflier)
  • Napatech bypass support (Phil Young)
  • MAC address logging in EVE (Sascha Steinbiss)
  • Geneve decoder (Ali Jad Khalil)
  • more detailed DNS logging (Simon Dugas)

List of git committers: Pierre Chifflier, Sascha Steinbiss, Emmanuel Thompson, Todd Mortimer, Vadym Malakhatko, Phil Young, Roland Fischer, Simon Dugas, Jason Taylor, Ali Jad Khalil, James Dutrisac, Joshua Lumb, Zach Kelly, Angelo Mirabella, Antti Tönkyrä, Carl Smith, Danny Browning,
Frank Honza, Giuseppe Longo, Ilya Bakhtin, Odin Jenseg, Stephen Donnelly,
Timo Sigurdsson, Tristan Fletcher, William Stearns, Xiaofan Wang,
Zackeus Bengtsson

Other contributors we’d like to especially thank: David Beckett for HTTP/2 testing and pcaps; Bastien Delvalle and Louis Jacotot (Telecom Nancy) for SMB evasion research and testcases.

Notable Optimizations

  • faster EVE log generation using our own Rust language JSON string builder
  • much better EVE log scaling by allowing a log file per thread
  • flow engine improvements, especially when under resource constraints

Securing Suricata

  • ASN1 handling is now entirely done in Rust code
  • DCERPC, SSH have been reimplemented in Rust
  • new protocols have been implemented in Rust
  • many fixes as a result of OSS-Fuzz testing

Rule language

  • from_end support for byte_jump keyword
  • bitmask support for byte_test keyword
  • byte_math support
  • flowbit OR support
  • pcrexform keyword: use pcre with substring capture as a transform
  • urldecode transform was added

For developers

  • Use cbindgen to create Rust-C bindings (Danny Browning)
  • initial plugin support
  • libfuzzer (OSS-Fuzz) support
  • clang-format support (Roland Fischer)

Removals

  • unified2 has been removed
  • filestore v1 support has been removed
  • the drop log has been removed

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.9 and 5.0.4 released

We are pleased to announce the releases of Suricata 4.1.9 and 5.0.4.

These are the second releases after Suricata joined the OSS-Fuzz program, which has led to the discovery of a number of (potential) security issues. We recommend upgrading as soon as possible.

For the 4.1 branch we’re also announcing the EOL date: December 31st, 2020.

Get the releases here:
https://www.openinfosecfoundation.org/download/suricata-5.0.4.tar.gz
https://www.openinfosecfoundation.org/download/suricata-4.1.9.tar.gz

Notable Changes

Libhtp has been updated to 0.5.35
5.0.4: Suricata-Update updated to 1.1.3
5.0.4: Geneve packet decoder was added (disabled by default)
5.0.4: all tickets https://redmine.openinfosecfoundation.org/versions/149
4.1.9: all tickets https://redmine.openinfosecfoundation.org/versions/148

Special Thanks

OSS-Fuzz, Coverity Scan, Ali Jad Khalil, Angelo Mirabella, Antti Tönkyrä, Emmanuel Thompson, Ilya Bakhtin

Free Webinar

Join our Free webinar next week on Suricata and OPNsense: https://www.eventbrite.com/e/webinar-opnsense-and-suricata-a-great-combination-lets-get-started-tickets-117996028297

Past webinar recording can be found in our youtube channel: https://www.youtube.com/c/OISFSuricata

Forums

Join our new Forum at https://forum.suricata.io/

Webinar – OPNsense and Suricata a great combination, let’s get started!

OPNsense is an open source, easy-to-use and easy-to-build HardenedBSD based firewall and routing platform. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. The inline IPS system of OPNsense is based on Suricata and utilizes Netmap to enhance performance and minimize CPU utilization. This deep packet inspection system is very powerful and can be used to mitigate security threats at wire speed. This webinar will take you through basic OPNsense setup before getting into Suricata installation and configuration. You will learn about different modes of operation, IDS versus IPS, and how to utilize the ET Pro Telemetry ruleset. By the end of this webinar you will be ready to run the latest version of Suricata in OPNsense to maximize visibility into your networks!

This is a free webinar but seats are limited. Please join us on 10/15/2020 by registering at: https://www.eventbrite.com/e/webinar-opnsense-and-suricata-a-great-combination-lets-get-started-tickets-117996028297

Academic Workshop – Getting Started with Suricata in the Classroom

We are pleased to announce our first academic workshop “Getting Started with Suricata in the Classroom”! This is a free workshop being offered to those in an academic position and will require a valid EDU email address. Seats are limited!

Register here -> https://us02web.zoom.us/meeting/register/tZwkdeCgpjotHNNFCOsWHYEGXJW3LN2YbXO1

In this workshop, you will learn how to get started with Suricata to begin teaching it in the classroom or utilizing it for research purposes. Suricata is a free and open source, mature, fast and robust network threat detection engine capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline PCAP processing. Suricata inspects network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats. With standard input and output formats like YAML and JSON, integrations with tools such as existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana and other databases become effortless. You will be provided with a training virtual machine based on the SELKS distribution along with digital copies of all slides and labs/lab guides. By the end of this workshop you will be ready to include Suricata in your course content.

Suricata 6.0.0rc1 ready for testing

We’re excited to announce the first release candidate for Suricata 6.0.

Please help us test this so we can release the final as planned at the end of the month.

Get the release here:
https://www.openinfosecfoundation.org/downloads/suricata-6.0.0-rc1.tar.gz

Major changes since beta1

– Geneve packet decoder was contributed
– DNS parsing and logging of SOA records was contributed
– HTTP parsing can now continue after data gaps
– datasets have been improved and will no longer be considered experimental
– HTTP/2 improvements

For an overview of what beta1 brought, see:
https://suricata-ids.org/2020/08/07/suricata-6-0-0-beta-1-released/

How you can help

We’re looking for feedback on how this release works in your environment: how easy the upgrade is, what performance looks like, etc. Report issues in our tickets or on the forum.

Webinar – Releasing Suricata 6.0 RC1 and How You Can Get Involved

The Suricata project has maintained an aggressive release schedule of beta, release candidate and major/minor version releases. The upcoming release of Suricata 6.0 RC1 brings with it a wide range of new and exciting features. These features include initial HTTP/2 support, improved EVE logging performance, conditional logging and more. In this webinar, Suricata founder and lead developer Victor Julien will introduce Suricata 6.0 RC1, discuss major changes and the power of the Suricata community. We will also discuss ways in which you can get involved in supporting these releases through testing, documentation and other kinds of feedback.

This is a free webinar but seats are limited. To sign-up, go to: https://www.eventbrite.com/e/releasing-suricata-60-rc1-and-how-you-can-get-involved-tickets-119342646067?ref=estw

Suricata 6.0.0 beta 1 released

We’re happy to announce Suricata 6.0.0 beta 1. This is a test version for a new major feature release of Suricata.

This was originally planned to be released as a release candidate, but we wanted to get a few more interesting things in that are still a bit rough around the edges. So the plan is now to release 6.0 RC1 early September and then the final late September.

We are hoping for some of you to take this beta and test it in your environment and report any issues to us.

Get the release here:
https://www.openinfosecfoundation.org/downloads/suricata-6.0.0-beta1.tar.gz

Major changes

– initial HTTP/2 support
– DCERPC logging
– much improved EVE logging performance
– RFB and MQTT protocol support, including detection and logging
– HASSH support
– conditional logging

Power of the community

Several features and improvements have been made by community members:

– MQTT (Sascha Steinbiss)
– RFB (Frank Honza)
– HASSH (Vadym Malakhatko)
– ASN.1 Rust (Pierre Chifflier and Emmanuel Thompson)
– cbindgen (Danny Browning)
– nom 5 conversion (Pierre Chifflier)
– Napatech bypass support (Phil Young)
– MAC address logging in EVE (Sascha Steinbiss)

List of git committers:

Pierre Chifflier, Sascha Steinbiss, Emmanuel Thompson, Todd Mortimer,
Phil Young, Vadym Malakhatko, Jason Taylor, James Dutrisac, Zach Kelly,
Joshua Lumb, Angelo Mirabella, Antti Tönkyrä, Danny Browning,
Frank Honza, Giuseppe Longo, Roland Fischer, Stephen Donnelly,
Timo Sigurdsson, Tristan Fletcher, William Stearns, Xiaofan Wang,
Zackeus Bengtsson

Notable Optimizations

– faster EVE log generation using our own Rust language JSON string builder
– much better EVE log scaling by allowing a log file per thread
– flow engine improvements, especially when under resource constraints

Removals

– unified2 has been removed
– filestore v1 support has been removed
– the drop log has been removed

Securing Suricata

– ASN1 handling is now entirely done in Rust code
– DCERPC, SSH have been reimplemented in Rust
– new protocols have been implemented in Rust

Rule language

– from_end support for byte_jump keyword
– bitmask support for byte_test keyword
– byte_math support
– flowbit OR support
– pcrexform keyword: use pcre with substring capture as a transform
– urldecode transform was added
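The rule-language additions listed here and in the 6.0.0 release notes above, shown in use. This is an added example written for this page, not a rule set shipped by the project; the syntax follows the Suricata 6 rule documentation, and the SIDs, the port, the flowbit names and the payload bytes are constructed for illustration.

```suricata
# Added example: Suricata 6.0 rules using the new keywords. SIDs, the port
# and the flowbit names are constructed; this is not a shipped rule set.

# urldecode: match on the percent-decoded request URI, so a client cannot
# hide "../" behind "%2e%2e%2f" (the literal "../" would otherwise not match).
alert http any any -> any any (msg:"EXAMPLE urldecode traversal in encoded URI"; flow:established,to_server; http.uri; urldecode; content:"../"; classtype:web-application-attack; sid:9000001; rev:1;)

# pcrexform: replace the buffer with the regex's capture group, then match
# on that substring only (here: the product token of the User-Agent).
alert http any any -> any any (msg:"EXAMPLE pcrexform user-agent product token"; flow:established,to_server; http.user_agent; pcrexform:"^([A-Za-z]+)/"; content:"curl"; sid:9000002; rev:1;)

# byte_test with bitmask: AND the extracted byte with 0x0F before comparing,
# i.e. "is the low nibble of the byte following the 0xDEAD magic equal to 3?"
alert tcp any any -> any 7777 (msg:"EXAMPLE byte_test bitmask message type 3"; flow:established,to_server; content:"|de ad|"; depth:2; byte_test:1,=,3,0,relative,bitmask 0x0F; sid:9000003; rev:1;)

# flowbits OR: one isset check may now name several bits; the third rule
# fires if either example.stage_a or example.stage_b was set earlier on the flow.
alert tcp any any -> any 7777 (msg:"EXAMPLE flowbits stage a"; flow:established,to_server; content:"|de ad 01|"; depth:3; flowbits:set,example.stage_a; flowbits:noalert; sid:9000004; rev:1;)
alert tcp any any -> any 7777 (msg:"EXAMPLE flowbits stage b"; flow:established,to_server; content:"|de ad 02|"; depth:3; flowbits:set,example.stage_b; flowbits:noalert; sid:9000005; rev:1;)
alert tcp any any -> any 7777 (msg:"EXAMPLE flowbits OR follow-up after either stage"; flow:established,to_server; content:"|de ad ff|"; depth:3; flowbits:isset,example.stage_a|example.stage_b; sid:9000006; rev:1;)
```

Load the file with `suricata -T -S example.rules` to let the 6.0 parser validate the keywords before deploying.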

For developers

– Use cbindgen to create Rust-C bindings (Danny Browning)
– initial plugin support
– libfuzzer (OSS-Fuzz) support

Virtual Training – Advanced Deployment and Architecture with Suricata

We are excited to announce Advanced Deployment and Architecture as a live, virtual training!

Details/registration: https://www.eventbrite.com/e/virtual-training-advanced-deployment-and-configuration-with-suricata-tickets-110794401036

This course will go in-depth into Suricata configuration and deployment considerations. You will learn which capture method is best for traffic acquisition, how to maximize performance with runmodes, and dive deep into Suricata’s detection engine and multi-pattern matchers. Discover how to expand Suricata’s detection and output capabilities with Lua scripting as well as anomaly detection and file extraction capabilities. Gain a deeper understanding of performance and tuning considerations through CPU affinity, NUMA, threading and NIC RSS hashing. Alongside that, understand the specifics of deployments in the cloud, their pros and cons, and what needs to be in place for cloud security monitoring. Learn how to perform effective and exhaustive troubleshooting when situations like packet loss and system overloading occur. Finally, learn how to handle elephant flows, work with eXpress Data Path, how output generation affects your deployment and how to integrate Suricata with other tools such as an ELK stack, Splunk and other Linux-based distributions such as SELKS. This class also offers a unique opportunity to bring in-depth use cases, questions, challenges, and new ideas directly to the Suricata team. Take your deployment and configuration skills to an expert level with Suricata Advanced Deployment and Architecture!

Early bird pricing ends July 17th!

Webinar – Correlating Host & Network Data w/ Community ID in Sec Onion Hybrid Hunter

Modern security monitoring applications generate a considerable amount of data, making it essential for the analyst to be able to quickly pivot between different data sets. In this webinar, Correlating Host & Network Data w/ Community ID in Sec Onion Hybrid Hunter, we will show you how to use Community ID to quickly correlate events from the network to your hosts. Utilizing the next major version of Security Onion, code-named Hybrid Hunter, you will learn how Community ID can be used to correlate network flows from tools such as Suricata and Zeek with host-based events from osquery. This will allow you to more effectively pivot between your network and host data. By the end of this webinar you’ll have the insight needed to leverage Community ID to perform more effective analysis of your security logs.

This is a free webinar but seats are limited. To sign-up, go to:
https://www.eventbrite.com/e/correlating-host-network-data-w-community-id-in-sec-onion-hybrid-hunter-tickets-106774641828

Suricata 5.0.3 released

We are pleased to announce the release of Suricata 5.0.3. This is a larger than usual point release, with a number of important fixes.

This is the first release after Suricata joined the OSS-Fuzz program, which has led to the discovery of a number of (potential) security issues. We expect that in the coming months we’ll fix more such issues, as the fuzzers increase their coverage and we continue to improve the seed corpus.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-5.0.3.tar.gz

Changes

  • Feature #3481: GRE ERSPAN Type 1 Support
  • Feature #3613: Teredo port configuration
  • Feature #3673: datasets: add ‘dataset-remove’ unix command
  • Bug #3240: Dataset hash-size or prealloc invalid value logging
  • Bug #3241: Dataset reputation invalid value logging
  • Bug #3342: Suricata 5.0 crashes while parsing SMB data
  • Bug #3450: signature with sticky buffer with subsequent pcre check in a different buffer loads but will never match
  • Bug #3491: Backport 5 BUG_ON(strcasecmp(str, “any”) in DetectAddressParseString
  • Bug #3507: rule parsing: memory leaks
  • Bug #3526: 5.0.x Kerberos vulnerable to TCP splitting evasion
  • Bug #3534: Skip over ERF_TYPE_META records
  • Bug #3552: file logging: complete files sometimes marked ‘TRUNCATED’
  • Bug #3571: rust: smb compile warnings
  • Bug #3573: TCP Fast Open – Bypass of stateless alerts
  • Bug #3574: Behavior for tcp fastopen
  • Bug #3576: Segfault when facing malformed SNMP rules
  • Bug #3577: SIP: Input not parsed when header values contain trailing spaces
  • Bug #3580: Faulty signature with two threshold keywords does not generate an error and never match
  • Bug #3582: random failures on sip and http-evader suricata-verify tests
  • Bug #3585: htp: asan issue
  • Bug #3592: Segfault on SMTP TLS
  • Bug #3598: rules: memory leaks in pktvar keyword
  • Bug #3600: rules: bad address block leads to stack exhaustion
  • Bug #3602: rules: crash on ‘internal’-only keywords
  • Bug #3604: rules: missing ‘consumption’ of transforms before pkt_data would lead to crash
  • Bug #3606: rules: minor memory leak involving pcre_get_substring
  • Bug #3609: ssl/tls: ASAN issue in SSLv3ParseHandshakeType
  • Bug #3610: defrag: asan issue
  • Bug #3612: rules/bsize: memory issue during parsing
  • Bug #3614: build-info and configure wrongly display libnss status
  • Bug #3644: Invalid memory read on malformed rule with Lua script
  • Bug #3646: rules: memory leaks on failed rules
  • Bug #3649: CIDR Parsing Issue
  • Bug #3651: FTP response buffering against TCP stream
  • Bug #3653: Recursion stack-overflow in parsing YAML configuration
  • Bug #3660: Multiple DetectEngineReload and bad insertion into linked list lead to buffer overflow
  • Bug #3665: FTP: Incorrect ftp_memuse calculation
  • Bug #3667: Signature with an IP range creates one IPOnlyCIDRItem per single IP address
  • Bug #3669: Rules reload with Napatech can hang Suricata UNIX manager process
  • Bug #3672: coverity: data directory handling issues
  • Bug #3674: Protocol detection evasion by packet splitting
  • Optimization #3406: filestore rules are loaded without warning when filestore is not enabled
  • Task #3478: libhtp 0.5.33
  • Task #3514: SMTP should place restraints on variable length items (e.g., filenames)
  • Documentation #3543: doc: add ipv4.hdr and ipv6.hdr
  • Bundled libhtp 0.5.33
  • Bundled Suricata-Update 1.1.2

Special thanks

OSS-Fuzz, Coverity Scan, Sascha Steinbiss, Stephen Donnelly, Jason Taylor

Free Webinar

Join our Free webinar on Hunting Threats in Encrypted traffic: https://suricata-ids.org/2020/04/14/webinar-hunting-threats-that-use-encrypted-network-traffic-with-suricata/