Webinar – An Introduction to Writing Suricata Rules with Tatyana Shishkova

This talk will explore the Suricata rule syntax and use interesting parts of network traffic to highlight how to create custom rules. We will also explore keywords, where to find resources and how to avoid false positives.

Register -> https://www.eventbrite.com/e/webinar-an-introduction-to-writing-suricata-rules-with-tatyana-shishkova-tickets-149991351169

Speaker – Tatyana Shishkova

Tatyana is a Senior Malware Analyst specializing in reverse engineering (currently Android platform, previously Windows), threat intelligence and network intrusion detection (Suricata). She speaks at cybersecurity conferences, teaches newcomers and conducts webinars. She has a Specialist’s degree in Applied Mathematics and Computer Science from Lomonosov Moscow State University.

Webinar – Threat Hunting with Suricata

Our March webinar is just around the corner! In this webinar, we’ll look into how modern threats utilize the network for a variety of activities and explore how the network continues to play a crucial role in the overall security monitoring of an organization. From delivering the malware to initially compromise an environment to bringing in additional tools and performing data exfiltration and command and control, all of this activity leaves traces over the network. We’ll explore how Suricata can go beyond generating alerts to show how you can use capabilities such as file identification and protocol parsing to gain the visibility to solve incidents quickly and more accurately by enabling context before, during, and after an event.

Register -> https://www.eventbrite.com/e/webinar-threat-hunting-with-suricata-tickets-142989789309

Speakers:

Peter Manev – Peter Manev is the co-founder and Chief Strategy Officer (CSO) of Stamus Networks, a growing network security company. He is also a member of the executive team at the Open Information Security Foundation (OISF). Peter has over 15 years of experience in the IT industry, including enterprise-level IT security practice. He is a passionate user, developer and explorer of innovative open source security software, and is responsible for training as well as quality assurance and testing on the development team of Suricata, the open source threat detection engine. Peter is a regular speaker and educator on open source security, threat hunting, and network security.

Josh Stroschein – Josh is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is the Director of Training for OISF, where he leads all training activity for the foundation and is also responsible for academic outreach and developing research initiatives. Josh is an accomplished trainer, providing training in the aforementioned subject areas at BlackHat, DerbyCon, Toorcon, Hack-In-The-Box, Suricon, and other public and private venues. Josh is an Assistant Professor of Cyber Security at Dakota State University where he teaches malware analysis and reverse engineering, an author on Pluralsight, and a threat researcher for Bromium/HP.

Suricata 6.0.2 and 5.0.6 released

We are pleased to announce the releases of Suricata 6.0.2 and 5.0.6. These releases are bug fix releases, fixing numerous important issues.

Get the releases here:
6.0.2: https://www.openinfosecfoundation.org/download/suricata-6.0.2.tar.gz
5.0.6: https://www.openinfosecfoundation.org/download/suricata-5.0.6.tar.gz

Notable Changes

Libhtp has been updated to 0.5.37
Various performance, accuracy and stability issues have been fixed
Tickets for 5.0.6: https://redmine.openinfosecfoundation.org/versions/164
Tickets for 6.0.2: https://redmine.openinfosecfoundation.org/versions/162

Special Thanks

Oss-Fuzz, Coverity Scan, Ilya Bakhtin, Gianni Tedesco, Josh Stroschein, Kirby Kuehl, Sascha Steinbiss

Special shout out to our Outreachy intern Tharushi Jayasekara. She has helped us greatly with her Suricata-Verify improvements in a very successful internship! Thank you Tharushi!

Free Webinar

Join our free webinar “Threat Hunting with Suricata”: https://www.eventbrite.com/e/webinar-threat-hunting-with-suricata-tickets-142989789309

Past webinar recordings can be found on our YouTube channel: https://www.youtube.com/c/OISFSuricata

Suricon 2021 call for talks and trainings

We’re hopeful that we’ll be able to do an in-person or hybrid event this fall, so submit your talk and/or training!
https://suricon.net/call-for-talks/
https://suricata-ids.org/2021/02/26/suricon-2021-call-for-trainings/

Forums

Join our Forum at https://forum.suricata.io/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

SuriCon 2021 – Call for Trainings

We are pleased to announce our Call for Trainings for SuriCon 2021! SuriCon opens with two days of training prior to the start of the conference. Training submissions should be for either a 1 or 2 day course and should include aspects that are related to Suricata.

You can submit your training proposal at Call for Trainings – SURICON

Important Dates

Call for trainings opens: February 2021
Call for trainings closes: June 4, 2021
Notifications sent out: June 2021

Training Selection Process

The SuriCon training review board consists of members of the Open Information Security Foundation (OISF) and other distinguished members of the information security community. If you have any questions please don’t hesitate to reach out to us at SuriCon@oisf.net.

Webinar – A Beginner’s Guide to Adding New Features to Suricata

Women of Suricata bring you yet another webinar focused on helping new people who want to contribute to Suricata. For this webinar, our two Outreachy interns will be sharing their experience, some tips, tricks and magic dust to help you get started with development. Contributing to a big project like Suricata can be very intimidating, especially when it’s open source and all your contributions are public for everyone to scrutinize. Our speakers started from the same place and paved their way forward with baby steps, learning and growing a lot throughout the process.

Register -> https://www.eventbrite.com/e/webinar-a-beginners-guide-to-adding-new-features-to-suricata-tickets-141028258317?ref=estw

Topics you can expect:

  • How to start contributing
  • How to make best use of existing helper scripts/functions
  • Testing your work
  • Things to take care of when creating first PR
  • How to apply to intern with us through the Outreachy programme
  • Expectations from an intern
  • Challenges and overcoming them

Speakers:

Juliana Fajardini – OISF intern with Suricata. Bachelor’s degree in Information Systems, with a constant passion for learning, sharing and fostering communities, and a growing interest for Rust.

Tharushi Jayasekara – Outreachy intern at OISF. Final year Computer Science undergraduate at University of Colombo, passionate about algorithms, InfoSec and creating a diverse and inclusive community in the world of tech.

The target audience for this webinar is beginners. If you are interested in the above-mentioned topics, do sign up!

Hope to see you! 🙂

Webinar – Continuously Fuzzing and Improving Suricata

Our first webinar of 2021 is here! Join Suricata developer Philippe Antoine as he discusses Continuously Fuzzing and Improving Suricata. Learn how fuzzing is implemented and ways it can be improved as a community, leading to more robust and resilient software.

Register -> https://www.eventbrite.com/e/webinar-continuously-fuzzing-and-improving-suricata-tickets-135348225185

This webinar is scheduled for January 21st, 2021 at 10am EST. A video recording will be made available after the webinar concludes and posted to the OISF/Suricata YouTube channel at https://www.youtube.com/channel/UCSpIq33gB7-Rl9NtUGrvHLQ

Virtual Training – Suricata and Splunk Workshops

This two-part workshop is intended to prepare security practitioners to have immediate success with Suricata using the Stamus App for Splunk.

Early bird pricing ends Dec 17!
Register here -> https://suricata-splunk-workshop2021.eventbrite.com/?ref=estw

Part 1: In-depth introduction to Suricata data and Splunk

Wednesday 20 January 2021 | 11am-3pm US Eastern Time

Attendees will receive a thorough technical introduction to Suricata data analysis using the Stamus Networks App for Splunk, designed for both Suricata sensors and Stamus Networks probes. Attendees will discover how to view network activity using application layer metadata extracted by Suricata. We will also explore the use of Suricata statistical data to perform sensor health checks and assess system performance.

This session will also walk attendees through the various capabilities of the Stamus Networks App for Splunk, including the various dashboards and visualizations available. After a brief introduction to the Splunk Processing Language (SPL) in the context of Suricata data, we will describe the EVE format that is used for all Suricata-generated events. We will use this knowledge to perform data analysis and explore the visualizations using real-world Suricata data.

Part 2: Threat Hunting and Anomaly Detection with Suricata and Splunk

Thursday, 21 January 2021 | 11am-3pm US Eastern Time

In part 2, attendees will explore threat analysis, threat hunting, and anomaly detection that leverage both the IDS and NSM capabilities of Suricata. Before diving into threat hunting, we will spend time learning simple data queries and ultimately even the most complex queries of the Stamus Networks App for Splunk.

Using packet capture file examples from Malware Traffic Analysis, we will discover how to leverage Splunk to take full advantage of the Suricata data to detect threats on the network.

* Attendees will have access to Suricata data via a dedicated Splunk instance and will perform hands-on exercises to experiment for themselves.

Who will benefit:

  • Network security administrators
  • Security analysts

Prerequisite knowledge:

  • Basic knowledge of Splunk, including SPL
  • Basic knowledge of Suricata
  • Understanding of Suricata EVE format
  • TCP/IP networking

Suricata 6.0.1, 5.0.5 and 4.1.10 released

We are pleased to announce the releases of Suricata 6.0.1, 5.0.5 and 4.1.10. These releases are bug fix releases, fixing numerous important issues.

The 6.0.1 release also improves the experimental HTTP/2 support.

This will be the last release in the 4.1 series. If you are still on this branch, please upgrade to the 5 or 6 branch as soon as possible to make sure you can stay current on fixes and improvements.

Get the releases here:
6.0.1: https://www.openinfosecfoundation.org/download/suricata-6.0.1.tar.gz
5.0.5: https://www.openinfosecfoundation.org/download/suricata-5.0.5.tar.gz
4.1.10: https://www.openinfosecfoundation.org/download/suricata-4.1.10.tar.gz

Notable Changes

Libhtp has been updated to 0.5.36
6.0.1: http2: support file inspection API #4121
6.0.1: all tickets https://redmine.openinfosecfoundation.org/versions/157
5.0.5: all tickets https://redmine.openinfosecfoundation.org/versions/161
4.1.10: all tickets https://redmine.openinfosecfoundation.org/versions/160

Special Thanks

Oss-Fuzz, Coverity Scan, Ilya Bakhtin, Phil Young, Angelo Mirabella, Danny Browning, Sascha Steinbiss, Sumera Priyadarsini

Free Webinar

Join our free webinar next week on Suricata and Splunk: https://www.eventbrite.com/e/suricata-and-splunk-tap-into-the-power-of-suricata-with-the-new-splunk-app-tickets-128175800269, brought to you in cooperation with Stamus Networks.

Past webinar recordings can be found on our YouTube channel: https://www.youtube.com/c/OISFSuricata

Webinar – Suricata and Splunk: Tap into the Power of Suricata with the new Splunk App

Join OISF and Stamus Networks for a webinar to introduce the new Splunk App for enterprise Suricata deployments. This webinar will be led by Eric Leblond, the lead developer of the app and a senior developer of Suricata.

Enterprises deploying multiple Suricata sensors need a way to consolidate the logs, events and alerts from those sensors into a “single pane of glass” to efficiently correlate, analyze, search, and gain insights into their overall enterprise network security posture.

Recently, Stamus Networks announced the general availability of its application for Splunk which supports both Suricata sensors and Scirius Security Platform. The app is open source, free, and currently available for download on Splunkbase.

This is a free webinar but seats are limited. To register, go to our EventBrite page: https://www.eventbrite.com/e/suricata-and-splunk-tap-into-the-power-of-suricata-with-the-new-splunk-app-tickets-128175800269?ref=estw

Suricata is recognized as the de facto standard network intrusion detection system (IDS), but it is less well-known for its network security monitoring (NSM) capabilities – which can rival those of other dedicated NSM software. This webinar will highlight both dimensions by demonstrating advanced analytics and anomaly detection from the IDS side and will use Splunk search and dashboards to demonstrate the NSM side which can provide deep insight into your network activity.

What you can expect:

  • Learn the basic capabilities of the Splunk App
  • Explore the benefits of the app through several real-world use cases
  • Gain a greater understanding of both the IDS and NSM capabilities of Suricata
  • Understand the importance of Splunk’s Common Information Model
  • Learn where you can find additional information
  • Q&A with the App’s lead developer

Who should attend:

  • Threat hunters, incident responders and other security practitioners who use Splunk
  • Current Suricata and Splunk users who wish to learn the value of the dedicated app
  • Suricata users who are considering Splunk in their enterprise
  • Enterprise Splunk users considering deploying Suricata in their network

The App provides a powerful set of dashboards and query capabilities. These dashboards include one specifically designed to assist Zeek users in becoming familiar with the advanced Suricata network security monitoring features, such as TLS information, SMB or Kerberos activity, HTTP hosts and many other protocol transactions.

Speaker: Éric Leblond

CTO of Stamus Networks, OISF Executive Council Member, and Suricata Senior Developer

Éric is the Chief Technology Officer of Stamus Networks, and the lead developer of the Stamus Networks App for Splunk. He has more than 15 years of experience as co-founder and CTO of cybersecurity software companies and is an active member of the security and open source communities. Since 2009, he has been one of the core developers of Suricata. He is also part of the OISF executive council and the Netfilter Core team for the Linux kernel’s firewall layer.

Suricata 6.0.0 released

We are proud to announce Suricata 6.0. This major new release is the result of a year of work by the OISF development team and the Suricata community.

During this development cycle, the focus has been on:

  • stability and robustness
  • performance
  • support for new protocols like HTTP/2, MQTT and RFB
  • improvements to existing protocols DCERPC, SSH
  • extendibility
  • improvements to detection capabilities

Get the release here:
https://www.openinfosecfoundation.org/downloads/suricata-6.0.0.tar.gz

This release comes with libhtp 0.5.35 and Suricata-Update 1.2.0.

Power of the community

A lot of the features and improvements have been made by community members:

  • MQTT (Sascha Steinbiss)
  • RFB (Frank Honza)
  • HASSH (Vadym Malakhatko)
  • ASN.1 Rust (Pierre Chifflier and Emmanuel Thompson)
  • cbindgen (Danny Browning)
  • nom 5 conversion (Pierre Chifflier)
  • Napatech bypass support (Phil Young)
  • MAC address logging in EVE (Sascha Steinbiss)
  • Geneve decoder (Ali Jad Khalil)
  • more detailed DNS logging (Simon Dugas)

List of git committers: Pierre Chifflier, Sascha Steinbiss, Emmanuel Thompson, Todd Mortimer, Vadym Malakhatko, Phil Young, Roland Fischer, Simon Dugas, Jason Taylor, Ali Jad Khalil, James Dutrisac, Joshua Lumb, Zach Kelly, Angelo Mirabella, Antti Tönkyrä, Carl Smith, Danny Browning, Frank Honza, Giuseppe Longo, Ilya Bakhtin, Odin Jenseg, Stephen Donnelly, Timo Sigurdsson, Tristan Fletcher, William Stearns, Xiaofan Wang, Zackeus Bengtsson

Other contributors we’d like to especially thank: David Beckett for HTTP/2 testing and pcaps; Bastien Delvalle and Louis Jacotot (Telecom Nancy) for SMB evasion research and testcases.

Notable Optimizations

  • faster EVE log generation using our own Rust language JSON string builder
  • much better EVE log scaling by allowing a log file per thread
  • flow engine improvements, especially when under resource constraints

Securing Suricata

  • ASN.1 handling is now entirely done in Rust code
  • DCERPC, SSH have been reimplemented in Rust
  • new protocols have been implemented in Rust
  • many fixes as a result of OSS-Fuzz testing

Rule language

  • from_end support for byte_jump keyword
  • bitmask support for byte_test keyword
  • byte_math support
  • flowbit OR support
  • pcrexform keyword: use pcre with substring capture as a transform
  • urldecode transform was added

For developers

  • Use cbindgen to create Rust-C bindings (Danny Browning)
  • initial plugin support
  • libfuzzer (OSS-Fuzz) support
  • clang-format support (Roland Fischer)

Removals

  • unified2 has been removed
  • filestore v1 support has been removed
  • drop log