Webinar – Continuously Fuzzing and Improving Suricata

Our first webinar of 2021 is here! Join Suricata developer Philippe Antoine as he discusses Continuously Fuzzing and Improving Suricata. Learn how fuzzing is implemented and ways it can be improved as a community, leading to more robust and resilient software.

Register -> https://www.eventbrite.com/e/webinar-continuously-fuzzing-and-improving-suricata-tickets-135348225185

This webinar is scheduled for January 21st, 2021 at 10am EST. A video recording will be made available after the webinar concludes and posted to the OISF/Suricata YouTube channel at https://www.youtube.com/channel/UCSpIq33gB7-Rl9NtUGrvHLQ

Virtual Training – Suricata and Splunk Workshops

This two-part workshop is intended to prepare security practitioners to have immediate success with Suricata using the Stamus App for Splunk.

Early bird pricing ends Dec 17!
Register here -> https://suricata-splunk-workshop2021.eventbrite.com/?ref=estw

Part 1: In-depth introduction to Suricata data and Splunk

Wednesday 20 January 2021 | 11am-3pm US Eastern Time

Attendees will receive a thorough technical introduction to Suricata data analysis using the Stamus Networks App for Splunk, designed for both Suricata sensors and Stamus Networks probes. Attendees will discover how to view network activity using application layer metadata extracted by Suricata. We will also explore the use of Suricata statistical data to perform sensor health checks and assess system performance.

This session will also walk attendees through the various capabilities of the Stamus Networks App for Splunk, including the various dashboards and visualizations available. After a brief introduction to the Splunk Processing Language (SPL) in the context of Suricata data, we will describe the EVE format that is used for all Suricata generated events. We will use this knowledge to perform data analysis and explore the visualizations using real-world Suricata data.

Part 2: Threat Hunting and Anomaly Detection with Suricata and Splunk

Thursday, 21 January 2021 | 11am-3pm US Eastern Time

In part 2, attendees will explore threat analysis, threat hunting, and anomaly detection that leverage both the IDS and NSM capabilities of Suricata. Before diving into threat hunting, we will spend time learning simple data queries and ultimately even the most complex queries of the Stamus Networks App for Splunk.

Using packet capture file examples from Malware Traffic Analysis, we will discover how to leverage Splunk to take full advantage of the Suricata data to detect threats on the network.

Attendees will have access to Suricata data via a dedicated Splunk instance and will perform hands-on exercises to experiment for themselves.

Who will benefit:

  • Network security administrators
  • Security analysts

Prerequisite knowledge:

  • Basic knowledge of Splunk, including SPL
  • Basic knowledge of Suricata
  • Understanding of Suricata EVE format
  • TCP/IP networking

Suricata 6.0.1, 5.0.5 and 4.1.10 released

We are pleased to announce the releases of Suricata 6.0.1, 5.0.5 and 4.1.10. These releases are bug fix releases, fixing numerous important issues.

The 6.0.1 release also improves the experimental HTTP/2 support.

This will be the last release in the 4.1 series. If you are still on this branch, please upgrade to the 5 or 6 branch as soon as possible to make sure you can stay current on fixes and improvements.

Get the releases here:
6.0.1: https://www.openinfosecfoundation.org/download/suricata-6.0.1.tar.gz
5.0.5: https://www.openinfosecfoundation.org/download/suricata-5.0.5.tar.gz
4.1.10: https://www.openinfosecfoundation.org/download/suricata-4.1.10.tar.gz

Notable Changes

Libhtp has been updated to 0.5.36
6.0.1: http2: support file inspection API #4121
6.0.1: all tickets https://redmine.openinfosecfoundation.org/versions/157
5.0.5: all tickets https://redmine.openinfosecfoundation.org/versions/161
4.1.10: all tickets https://redmine.openinfosecfoundation.org/versions/160

Special Thanks

Oss-Fuzz, Coverity Scan, Ilya Bakhtin, Phil Young, Angelo Mirabella, Danny Browning, Sascha Steinbiss, Sumera Priyadarsini

Free Webinar

Join our free webinar next week on Suricata and Splunk: https://www.eventbrite.com/e/suricata-and-splunk-tap-into-the-power-of-suricata-with-the-new-splunk-app-tickets-128175800269, brought to you in cooperation with Stamus Networks.

Past webinar recordings can be found on our YouTube channel: https://www.youtube.com/c/OISFSuricata

Forums

Join our Forum at https://forum.suricata.io/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Webinar – Suricata and Splunk: Tap into the Power of Suricata with the new Splunk App

Join OISF and Stamus Networks for a webinar to introduce the new Splunk App for enterprise Suricata deployments. This webinar will be led by Eric Leblond, the lead developer of the app and a senior developer of Suricata.

Enterprises deploying multiple Suricata sensors need a way to consolidate the logs, events and alerts from those sensors into a “single pane of glass” to efficiently correlate, analyze, search, and gain insights into their overall enterprise network security posture.

Recently, Stamus Networks announced the general availability of its application for Splunk which supports both Suricata sensors and Scirius Security Platform. The app is open source, free, and currently available for download on Splunkbase.

This is a free webinar but seats are limited. To register, go to our EventBrite page: https://www.eventbrite.com/e/suricata-and-splunk-tap-into-the-power-of-suricata-with-the-new-splunk-app-tickets-128175800269?ref=estw

Suricata is recognized as the de facto standard network intrusion detection system (IDS), but it is less well-known for its network security monitoring (NSM) capabilities – which can rival those of other dedicated NSM software. This webinar will highlight both dimensions by demonstrating advanced analytics and anomaly detection from the IDS side and will use Splunk search and dashboards to demonstrate the NSM side which can provide deep insight into your network activity.

What you can expect:

  • Learn the basic capabilities of the Splunk App
  • Explore the benefits of the app through several real-world use cases
  • Gain a greater understanding of both the IDS and NSM capabilities of Suricata
  • Understand the importance of Splunk’s Common Information Model
  • Learn where you can find additional information
  • Q&A with the App’s lead developer

Who should attend:

  • Threat hunters, incident responders and other security practitioners who use Splunk
  • Current Suricata and Splunk users who wish to learn the value of the dedicated app
  • Suricata users who are considering Splunk in their enterprise
  • Enterprise Splunk users considering deploying Suricata in their network

The App provides a powerful set of dashboards and query capabilities. These dashboards include one specifically designed to assist Zeek users in becoming familiar with the advanced Suricata network security monitoring features such as TLS information from SMB or Kerberos activity, HTTP hosts and many other protocol transactions.

Speaker: Éric Leblond

CTO of Stamus Networks, OISF Executive Council Member, and Suricata Senior Developer

Éric is the Chief Technology Officer of Stamus Networks, and the lead developer of the Stamus Networks App for Splunk. He has more than 15 years of experience as co-founder and CTO of cybersecurity software companies and is an active member of the security and open source communities. Since 2009, he has been one of the core developers of Suricata. He is also part of the OISF executive council and the Netfilter Core team for the Linux kernel’s firewall layer.

Suricata 6.0.0 released

We are proud to announce Suricata 6.0. This major new release is the result of a year of work by the OISF development team and the Suricata community.

During this development cycle, the focus has been on:

  • stability and robustness
  • performance
  • support for new protocols like HTTP/2, MQTT and RFB
  • improvements to existing protocols DCERPC, SSH
  • extendibility
  • improvements to detection capabilities

Get the release here:
https://www.openinfosecfoundation.org/downloads/suricata-6.0.0.tar.gz

This release comes with libhtp 0.5.35 and Suricata-Update 1.2.0.

Power of the community

A lot of the features and improvements have been made by community members:

  • MQTT (Sascha Steinbiss)
  • RFB (Frank Honza)
  • HASSH (Vadym Malakhatko)
  • ASN.1 Rust (Pierre Chifflier and Emmanuel Thompson)
  • cbindgen (Danny Browning)
  • nom 5 conversion (Pierre Chifflier)
  • Napatech bypass support (Phil Young)
  • MAC address logging in EVE (Sascha Steinbiss)
  • Geneve decoder (Ali Jad Khalil)
  • more detailed DNS logging (Simon Dugas)

List of git committers: Pierre Chifflier, Sascha Steinbiss, Emmanuel Thompson, Todd Mortimer, Vadym Malakhatko, Phil Young, Roland Fischer, Simon Dugas, Jason Taylor, Ali Jad Khalil, James Dutrisac, Joshua Lumb, Zach Kelly, Angelo Mirabella, Antti Tönkyrä, Carl Smith, Danny Browning, Frank Honza, Giuseppe Longo, Ilya Bakhtin, Odin Jenseg, Stephen Donnelly, Timo Sigurdsson, Tristan Fletcher, William Stearns, Xiaofan Wang, Zackeus Bengtsson

Other contributors we’d like to especially thank: David Beckett for HTTP/2 testing and pcaps; Bastien Delvalle and Louis Jacotot (Telecom Nancy) for SMB evasion research and testcases.

Notable Optimizations

  • faster EVE log generation using our own Rust language JSON string builder
  • much better EVE log scaling by allowing a log file per thread
  • flow engine improvements, especially when under resource constraints

Securing Suricata

  • ASN1 handling is now entirely done in Rust code
  • DCERPC, SSH have been reimplemented in Rust
  • new protocols have been implemented in Rust
  • many fixes as a result of OSS-Fuzz testing

Rule language

  • from_end support for byte_jump keyword
  • bitmask support for byte_test keyword
  • byte_math support
  • flowbit OR support
  • pcrexform keyword: use pcre with substring capture as a transform
  • urldecode transform was added

For developers

  • Use cbindgen to create Rust-C bindings (Danny Browning)
  • initial plugin support
  • libfuzzer (OSS-Fuzz) support
  • clang-format support (Roland Fischer)

Removals

  • unified2 has been removed
  • filestore v1 support has been removed
  • the drop log has been removed

Suricata 4.1.9 and 5.0.4 released

We are pleased to announce the releases of Suricata 4.1.9 and 5.0.4.

These are the second releases after Suricata joined the OSS-Fuzz program, leading to the discovery of a number of (potential) security issues. We recommend upgrading as soon as possible.

For the 4.1 branch we’re also announcing the EOL date: December 31st, 2020.

Get the releases here:
https://www.openinfosecfoundation.org/download/suricata-5.0.4.tar.gz
https://www.openinfosecfoundation.org/download/suricata-4.1.9.tar.gz

Notable Changes

Libhtp has been updated to 0.5.35
5.0.4: Suricata-Update updated to 1.1.3
5.0.4: Geneve packet decoder was added (disabled by default)
5.0.4: all tickets https://redmine.openinfosecfoundation.org/versions/149
4.1.9: all tickets https://redmine.openinfosecfoundation.org/versions/148

Special Thanks

Oss-Fuzz, Coverity Scan, Ali Jad Khalil, Angelo Mirabella, Antti Tönkyrä, Emmanuel Thompson, Ilya Bakhtin

Free Webinar

Join our free webinar next week on Suricata and OPNsense: https://www.eventbrite.com/e/webinar-opnsense-and-suricata-a-great-combination-lets-get-started-tickets-117996028297

Past webinar recordings can be found on our YouTube channel: https://www.youtube.com/c/OISFSuricata

Forums

Join our new Forum at https://forum.suricata.io/

Webinar – OPNsense and Suricata a great combination, let’s get started!

OPNsense is an open source, easy-to-use and easy-to-build HardenedBSD based firewall and routing platform. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. The inline IPS system of OPNsense is based on Suricata and utilizes Netmap to enhance performance and minimize CPU utilization. This deep packet inspection system is very powerful and can be used to mitigate security threats at wire speed. This webinar will take you through basic OPNsense setup before getting into Suricata installation and configuration. You will learn about different modes of operation, IDS versus IPS, and how to utilize the ET Pro Telemetry ruleset. By the end of this webinar you will be ready to run the latest version of Suricata in OPNsense to maximize visibility into your networks!

This is a free webinar but seats are limited. Please join us on 10/15/2020 by registering at: https://www.eventbrite.com/e/webinar-opnsense-and-suricata-a-great-combination-lets-get-started-tickets-117996028297?ref=estw

Academic Workshop – Getting Started with Suricata in the Classroom

We are pleased to announce our first academic workshop “Getting Started with Suricata in the Classroom”! This is a free workshop being offered to those in an academic position and will require a valid EDU email address. Seats are limited!

Register here -> https://us02web.zoom.us/meeting/register/tZwkdeCgpjotHNNFCOsWHYEGXJW3LN2YbXO1

In this workshop, you will learn how to get started with Suricata to begin teaching it in the classroom or utilizing it for research purposes. Suricata is a free and open source, mature, fast and robust network threat detection engine capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline PCAP processing. Suricata inspects network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats. With standard input and output formats like YAML and JSON, integrations with tools like existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana, and other databases become effortless. You will be provided with a training virtual machine based on the SELKS distribution along with digital copies of all slides and labs/lab guides. By the end of this workshop you will be ready to include Suricata in your course content.

Suricata 6.0.0rc1 ready for testing

We’re excited to announce the first release candidate for Suricata 6.0.

Please help us test this so we can release the final as planned at the end of the month.

Get the release here:
https://www.openinfosecfoundation.org/downloads/suricata-6.0.0-rc1.tar.gz

Major changes since beta1

– Geneve packet decoder was contributed
– DNS parsing and logging of SOA records was contributed
– HTTP parsing can now continue after data gaps
– datasets have been improved and will no longer be considered experimental
– HTTP/2 improvements

For an overview of what beta1 brought, see:
https://suricata-ids.org/2020/08/07/suricata-6-0-0-beta-1-released/

How you can help

We’re looking for feedback on how this release works in your environment: how easy the upgrade is, what performance looks like, etc. Report issues in our tickets or on the forum.

Forum

Join our new Forum at https://forum.suricata.io/

Webinar – Releasing Suricata 6.0 RC1 and How You Can Get Involved

The Suricata project has maintained an aggressive release schedule of beta, release candidate and major/minor version releases. The upcoming release of Suricata 6.0 RC1 brings with it a wide range of new and exciting features, including initial HTTP/2 support, improved EVE logging performance, conditional logging and more. In this webinar, Suricata founder and lead developer Victor Julien will introduce Suricata 6.0 RC1, discuss major changes and the power of the Suricata community. We will also discuss ways in which you can get involved in supporting these releases through testing, documentation and other kinds of feedback.

This is a free webinar but seats are limited. To sign up, go to: https://www.eventbrite.com/e/releasing-suricata-60-rc1-and-how-you-can-get-involved-tickets-119342646067?ref=estw