Suricata 4.0.0-beta1 ready for testing!

suri-400x400

We are proud to announce that the first release for the upcoming Suricata 4.0.0-beta1 is ready for testing.

This release features our first experimental steps into using the Rust language for creating safer and easier to develop parsers. Inspired by Pierre Chiffliers talk at SuriCon 2016 (pdf). This initial integration does not yet include Pierre’s work, but this will likely change in the near future.
By compiling with –enable-rust you’ll get a basic NFSv3 parser and reimplementation of the DNS parser. Feedback on this is highly appreciated.

A major new feature is support for STARTTLS in SMTP and FTP. TLS sessions will now be logged in these cases. Decoding, logging and matching on TLS sertial numbers was also added. Great work by Mats Klepsland. Also for TLS, session resumption logging is now supported thanks to the work of Ray Ruvinskiy. TLS logging was improved by Paulo Pacheco.

Lots of new HTTP detection options were added to make matching on specific header fields easier and more efficient. New SSH keywords that are fast_pattern capable have also been added. For developers, this release makes extending the detection engine a lot easier.

A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode.

EVE is extended in several ways: in the case of encapsulated traffic both the inner and outer ip addresses and ports are logged. The ‘vars’ facility logs flowbits and other vars. This can also be used to extract data from the traffic using PCRE, and then log it. EVE can also be rotated based on time.

David Wharton has created a section in the documentation for rule writers who have a background in Snort. It documents changes that are relevant for writing rules.

Paulo Pacheco has been improving the Redis output performance.

Note that this release finally drops support for CentOS 5, and for libpcap 0.x with it.

Changes

  • Feature #805: Add support for applayer change
  • Feature #806: Implement STARTTLS support
  • Feature #1636: Signal rotation of unified2 log file without restart
  • Feature #1953: lua: expose flow_id
  • Feature #1969: TLS transactions with session resumption are not logged
  • Feature #1978: Using date in logs name
  • Feature #1998: eve.tls: custom TLS logging
  • Feature #2006: tls: decode certificate serial number
  • Feature #2011: eve.alert: print outside IP addresses on alerts on traffic inside tunnels
  • Feature #2046: Support custom file permissions per logger
  • Feature #2061: lua: get timestamps from flow
  • Feature #2077: Additional HTTP Header Contents and Negation
  • Feature #2129: nfs: parser, logger and detection
  • Feature #2130: dns: rust parser with stateless behaviour
  • Feature #2132: eve: flowbit and other vars logging
  • Feature #2133: unix socket: add/remove hostbits
  • Bug #1335: suricata option –pidfile overwrites any file
  • Bug #1470: make install-full can have race conditions on OSX.
  • Bug #1759: CentOS5 EOL tasks
  • Bug #2037: travis: move off legacy support
  • Bug #2039: suricata stops processing when http-log output via unix_stream backs up
  • Bug #2041: bad checksum 0xffff
  • Bug #2044: af-packet: faulty VLAN handling in tpacket-v3 mode
  • Bug #2045: geoip: compile warning on CentOS 7
  • Bug #2049: Empty rule files cause failure exit code without corresponding message
  • Bug #2051: ippair: xbit unset memory leak
  • Bug #2053: ippair: pair is direction sensitive
  • Bug #2070: file store: file log / file store mismatch with multiple files
  • Bug #2072: app-layer: fix memleak on bad traffic
  • Bug #2078: http body handling: failed assertion
  • Bug #2088: modbus: clang-4.0 compiler warnings
  • Bug #2093: Handle TCP stream gaps.
  • Bug #2097: “Name of device should not be null” appears in suricata.log when using pfring with configuration from suricata.yaml
  • Bug #2098: isdataat: fix parsing issue with leading spaces
  • Bug #2108: pfring: errors when compiled with asan/debug
  • Bug #2111: doc: links towards http_header_names
  • Bug #2112: doc: links towards certain http_ keywords not working
  • Bug #2113: Race condition starting Unix Server
  • Bug #2118: defrag – overlap issue in linux policy
  • Bug #2125: ASAN SEGV – Suricata version 4.0dev (rev 922a27e)
  • Optimization #521: Introduce per stream thread segment pool
  • Optimization #1873: Classtypes missing on decoder-events,files, and stream-events

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.0-beta1.tar.gz

Special thanks

Mats Klepsland – for his major contributions: many EVE and TLS features

Pierre Chifflier – for paving the way for the Rust experiment and being very helpful while learning Rust and Nom.

Additionally: Jérémy Beaume, Alexander Gozman, Paulo Pacheco, Ray Ruvinskiy, Peter Sanders, David Wharton, Jon Zeolla

Trainings

SuriCon 2017

Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be in November in Prague: https://suricon.net

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.2.2 available!

suri-400x400

We are pleased to announce Suricata 3.2.2. This release fixes a fairly small number of issues.

It also improves the unix-socket runmode by allowing both ‘single’ and ‘autofp’ runmodes to be specified.

Changes

  • Feature #1675: Support additional runmodes for unix-socket
  • Bug #2043: 3.2.x backport: make install-full can have race conditions on OSX.
  • Bug #2047: af-packet: faulty VLAN handling in tpacket-v3 mode (3.2.x)
  • Bug #2048: bad checksum 0xffff (3.2.x)
  • Bug #2052: ippair: xbit unset memory leak (3.2.x)
  • Bug #2071: file store: file log / file store mismatch with multiple files (3.2.x)
  • Bug #2073: app-layer: fix memleak on bad traffic (3.2.x)
  • Bug #2079: http body handling: failed assertion (3.2.x)
  • Bug #2085: ippair: pair is direction sensitive (3.2.x)
  • Bug #2119: 3.2.x – defrag – overlap issue in linux policy
  • Bug #2122: unix socket: race condition on start up (3.2.x)

Download

https://www.openinfosecfoundation.org/download/suricata-3.2.2.tar.gz

Special thanks

Jérémy Beaume, Alexander Gozman, Zoltan Herczeg and Jon Zeolla

Trainings

SuriCon 2017

Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be in November in Prague: https://suricon.net

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.2.1 available!

suri-400x400

We’re pleased to announce Suricata 3.2.1. This release features a large number of improvements and fixes over the 3.2 release.
Most importantly it fixes a IPv4 defrag issue that allows evasion of detection and logging. Found and reported by Jérémy Beaume.

Changes

  • Feature #1951: Allow building without libmagic/file
  • Feature #1972: SURICATA ICMPv6 unknown type 143 for MLDv2 report
  • Feature #2010: Suricata should confirm SSSE3 presence at runtime when built with Hyperscan support
  • Bug #467: compilation with unittests & debug validation
  • Bug #1780: VLAN tags not forwarded in afpacket inline mode
  • Bug #1827: Mpm AC fails to alloc memory
  • Bug #1843: Mpm Ac: int overflow during init
  • Bug #1887: pcap-log sets snaplen to -1
  • Bug #1946: can’t get response info in some situation
  • Bug #1973: suricata fails to start because of unix socket
  • Bug #1975: hostbits/xbits memory leak
  • Bug #1982: tls: invalid record event triggers on valid traffic
  • Bug #1984: http: protocol detection issue if both sides are malformed
  • Bug #1985: pcap-log: minor memory leaks
  • Bug #1987: log-pcap: pcap files created with invalid snaplen
  • Bug #1988: tls_cert_subject bug
  • Bug #1989: SMTP protocol detection is case sensitive
  • Bug #1991: Suricata cannot parse ports: “![1234, 1235]”
  • Bug #1997: tls-store: bug that cause Suricata to crash
  • Bug #2001: Handling of unsolicited DNS responses.
  • Bug #2003: BUG_ON body sometimes contains side-effectual code
  • Bug #2004: Invalid file hash computation when force-hash is used
  • Bug #2005: Incoherent sizes between request, capture and http length
  • Bug #2007: smb: protocol detection just checks toserver
  • Bug #2008: Suricata 3.2, pcap-log no longer works due to timestamp_pattern PCRE
  • Bug #2009: Suricata is unable to get offloading settings when run under non-root
  • Bug #2012: dns.log does not log unanswered queries
  • Bug #2017: EVE Log Missing Fields
  • Bug #2019: IPv4 defrag evasion issue
  • Bug #2022: dns: out of bound memory read

Download

https://www.openinfosecfoundation.org/download/suricata-3.2.1.tar.gz

Special thanks

Jérémy Beaume, Mats Klepsland, Sascha Steinbiss, Alexander Gozman, Peter Sanders, Travis Green, AFL, CoverityScan

Training & Support

The next user training will be at the Troopers17 conference in Germany, March 20 and 21. Sign up at https://www.troopers.de/events/troopers17/734_suricata_world-class_and_open_source/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1.4 available!

suri-400x400

We’re pleased to announce Suricata 3.1.4. The most important fix is for a IPv4 defrag issue that allows evasion of detection and logging, found and reported by Jérémy Beaume. Otherwise this release is mostly a collection of smaller fixes.

Download

https://www.openinfosecfoundation.org/download/suricata-3.1.4.tar.gz

Changes

  • Bug #2024: No error on missing semicolon between depth and classtype (3.1.x)
  • Bug #2025: hostbits/xbits memory leak (3.1.x)
  • Bug #2026: log-pcap: pcap files created with invalid snaplen (3.1.x)
  • Bug #2027: BUG_ON body sometimes contains side-effectual code (3.1.x)
  • Bug #2028: Mpm Ac: int overflow during init (3.1.x)
  • Bug #2029: EVE Log Missing Fields (3.1.x)
  • Bug #2030: Incoherent sizes between request, capture and http length (master 3.1.x)
  • Bug #2031: tls-store: bug that cause Suricata to crash (3.1.x)
  • Bug #2032: VLAN tags not forwarded in afpacket inline mode (3.1.x)
  • Bug #2033: IPv4 defrag evasion issue (3.1.x)

Special thanks

Jérémy Beaume, Alexander Gozman, Mats Klepsland, Sascha Steinbiss, Tom DeCanio, AFL, Coverity Scan

Training & Support

The next user training will be at the Troopers17 conference in Germany, March 20 and 21. Sign up at https://www.troopers.de/events/troopers17/734_suricata_world-class_and_open_source/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.2 available!

suri-400x400
The OISF and Suricata development team is really proud to announce the availability of Suricata 3.2. This was a real community effort with 12 different contributors from 9 different countries that added to the work of Suricata core team. Thanks a lot for these contributions!

Suricata 3.2 comes with some new features that can help a Meerkat to stay awake when on a guard watch. The support of industrial networks has been greatly improved with the addition of two new protocols, DNP3 and CIP/ENIP. But we can’t forget the improvements on the TLS side with new fields available for matching and logging such as certificate validity dates. On file matching and logging, it is now possible to use SHA1/SHA256 in addition to the obsolete MD5.

On the performance side, Suricata 3.2 run as fast as a Cheetah with the addition of the bypass mechanism that can help to fix the challenging Elephant flows. Another big improvement comes from the pre-filter system that allows packet inspecting keywords to be much faster.

Documentation has received a huge overhaul, with PDF and other formats now available: http://suricata.readthedocs.io/en/suricata-3.2/

On usability side, one can note that incompatible NIC offloading is now switched off by default. Also, the unix command socket is now enabled by default.

For those of you into lists, here you are:

Big changes

  • bypass
  • pre-filter — fast packet keywords
  • TLS improvements
  • SCADA/ICS protocol additions: DNP3 CIP/ENIP
  • SHA1/SHA256 for file matching, logging & extraction
  • Sphinx documentation

Visible smaller changes

  • NIC offloading disabled by default
  • unix command socket enabled by default
  • App Layer stats

Under the hood

  • threading simplification (log api + no more thread restarts)
  • flow manager optimization
  • simplify adding keywords
  • luajit improvements wrt memory handling in large deployments

Download

https://www.openinfosecfoundation.org/download/suricata-3.2.tar.gz

Special thanks

Stamus Networks, NorCert, Solana Networks, FireEye, Proofpoint, CoverityScan

Mats Klepsland, Giuseppe Longo, Duarte Silva, Tom Decanio, Kevin Wong, Nicolas Thill, Duarte Silva, Thomas Andrejak, Paulo Pacheco, Priit Laes, Alexander Gozman

Training & Support

Need help installing, updating, validating and tuning Suricata? OISF organizes regular user and developer training sessions. Keep an eye on https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.2RC1 ready for testing

We’re happy to announce Suricata 3.2RC1. The biggest addition to this release is the DNP3 support. We don’t expect many changes after this release candidate, so please help us test it!

Get the release here:

https://www.openinfosecfoundation.org/download/suricata-3.2RC1.tar.gz

High level changes

  • Feature #1745: DNP3 protocol support.
  • Feature #1906: doc: install man page and ship pdf
  • Feature #1916: lua: add an SCPacketTimestamp function
  • Feature #1867: rule compatibility: flow:not_established not supported.
  • Bug #1525: Use pkg-config for libnetfilter_queue
  • Bug #1690: app-layer-proto negation issue
  • Bug #1909: libhtp 0.5.23
  • Bug #1914: file log always shows stored: no even if file is stored
  • Bug #1917: nfq: bypass SEGV
  • Bug #1919: filemd5: md5-list does not allow comments any more
  • Bug #1923: dns – back to back requests results in loss of response
  • Bug #1928: flow bypass leads to memory errors
  • Bug #1931: multi-tenancy fails to start
  • Bug #1932: make install-full does not install tls-events.rules
  • Bug #1935: Check redis reply in non pipeline mode
  • Bug #1936: Can’t set fast_pattern on tls_sni content

Special thanks

Nicolas Thill, Duarte Silva, Thomas Andrejak, Paulo Pacheco, Priit Laes, CoverityScan

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. Agenda and speakers are now available, including keynote speakers Ron Gula and Liam Randall. Please see: http://suricon.net/

Training & Support

Need help installing, updating, validating, tuning and extending Suricata? We have a training session coming up at SuriCon: November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/ Conference attendees get a 20% discount!

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1.3 released!

We’re proud to announce Suricata 3.1.3. This release improves DNS logging accuracy. Other than that it is mostly a collection of smaller fixes.This release fixes some important issues, so we highly recommend updating.suri-400x400

Changes

  • Bug #1861: Suricata with multitenancy does not start in 3.1/3.1.1
  • Bug #1889: Suricata doesn’t error on missing semicolon
  • Bug #1910: libhtp 0.5.23 (3.1.x)
  • Bug #1912: http.memcap reached condition can lead to dead lock
  • Bug #1913: af-packet fanout detection broken on Debian Jessie
  • Bug #1933: unix-command socket created with last character missing (3.1.x)
  • Bug #1934: make install-full does not install tls-events.rules (3.1.x)
  • Bug #1941: Can’t set fast_pattern on tls_sni content (3.1.x)
  • Bug #1942: dns – back to back requests results in loss of response (3.1.x)
  • Bug #1943: Check redis reply in non pipeline mode (3.1.x)

Get the release here:

https://www.openinfosecfoundation.org/download/suricata-3.1.3.tar.gz

Special thanks

Paulo Pacheco, Coverity Scan

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. Agenda and speakers are now available, including keynote speakers Ron Gula and Liam Randall. Please see: http://suricon.net/

Training & Support

Need help installing, updating, validating, tuning and extending Suricata? There is a training November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.2beta1 ready for testing

We’re happy to announce Suricata 3.2beta1. The plan is to release a release candidate within a few weeks, so please help us test this release!

This release includes a large detection engine rewrite that should make it much easier to extend Suricata with new keywords.

We’ve also converted the user guide to sphinx. Lots of work still to be done, but for a preview check http://suricata.readthedocs.io/en/latest/

Get the release here:

https://www.openinfosecfoundation.org/download/suricata-3.2beta1.tar.gz

High level changes

  • Feature #509: add SHA1 and SHA256 checksum support for files
  • Feature #1231: ssl_state negation support
  • Feature #1345: disable NIC offloading by default
  • Feature #1373: Allow different reassembly depth for filestore rules
  • Feature #1495: EtherNet/IP and CIP support
  • Feature #1583: tls: validity fields (notBefore and notAfter)
  • Feature #1657: Per application layer stats
  • Feature #1896: Reimplement tls.subject and tls.isserdn
  • Feature #1903: tls: tls_cert_valid and tls_cert_expired keywords
  • Feature #1907: http_request_line and http_response_line

Special thanks

Stamus Networks, NorCert, Solana Networks, CoverityScan
Mats Klepsland, Giuseppe Longo, Duarte Silva, Tom Decanio, Kevin Wong

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. Agenda and speakers are now available, including keynote speakers Ron Gula and Liam Randall. Please see: http://suricon.net/

Training & Support

Need help installing, updating, validating, tuning and extending Suricata? We have a training session coming up at SuriCon: November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/ Conference attendees get a 20% discount!

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Roadmap Development Session at SuriCon

One of the most exciting things of last year’s Suricata User Conference in Barcelona was the road map discussion. For those who weren’t there, this is how it worked: the dev team sat on the stage and explained some of the ideas for next steps in Suricata development. There was a lively discussion between the team and the crowd. Many ideas were thrown in (and out as well). At the end of the session we had a list of wishes and ideas. The dev team did a guestimate of effort on each. Then together we all discussed priorities.

2015_barcelona_suricata_devs

Last year’s list included the following ‘top priority’ ideas:

  • flow bypass: almost done
  • failing better: in progress
  • hyperscan integration: mostly done
  • performance recommendation: needs work
  • default config improvements: mostly done
  • dynamic stream depth: almost done

The result of last year was also NOT doing some work. The group didn’t care much about a binary output for EVE (e.g. bson or similar), so we
avoided spending time on that.

In our survey of the Barcelona conference, we learned that some ppl found this session extremely valuable, but other ppl much less so. For
this reason we’re doing the session on the 3rd & last day of our conference now. If people don’t care much they can skip it and head home
early.

I’m looking very much forward to doing another session like this in DC, so please consider joining us at SuriCon! The session at SuriCon 2.0 will be quite a bit longer too, so we should be able to cover more topics and more ideas. So please join us!

Oh and do bring your wish list!

Register at SuriCon here.

2015_barcelona_awesome-shirts

Suricata 3.1.2 released!

We’re proud to announce Suricata 3.1.2. This release fixes some important issues, so we highly recommend updating.suri-400x400

Changes

  • Feature #1830: support ‘tag’ in eve log
  • Feature #1870: make logged flow_id more unique
  • Feature #1874: support Cisco Fabric Path / DCE
  • Feature #1885: eve: add option to log all dropped packets
  • Feature #1886: dns: output filtering
  • Bug #1849: ICMPv6 incorrect checksum alert if Ethernet FCS is present
  • Bug #1853: fix dce_stub_data buffer
  • Bug #1854: unified2: logging of tagged packets not working
  • Bug #1856: PCAP mode device not found
  • Bug #1858: Lots of TCP ‘duplicated option/DNS malformed request data’ after upgrading from 3.0.1 to 3.1.1
  • Bug #1878: dns: crash while logging sshfp records
  • Bug #1880: icmpv4 error packets can lead to missed detection in tcp/udp
  • Bug #1884: libhtp 0.5.22

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1.2.tar.gz

Special thanks

Kirill Shipulin – Positive Technologies, Christoffer Hallstensen – NTNU Gjøvik, Pedro Marinho – Proofpoint, Tom Decanio – FireEye, Coverity Scan

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. Agenda and speakers are now available, including keynote speakers Ron Gula and Liam Randall. Please see: http://suricon.net/

Training & Support

Need help installing, updating, validating, tuning and extending Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.