Roadmap Development Session at SuriCon

One of the most exciting things of last year’s Suricata User Conference in Barcelona was the road map discussion. For those who weren’t there, this is how it worked: the dev team sat on the stage and explained some of the ideas for next steps in Suricata development. There was a lively discussion between the team and the crowd. Many ideas were thrown in (and out as well). At the end of the session we had a list of wishes and ideas. The dev team did a guestimate of effort on each. Then together we all discussed priorities.

2015_barcelona_suricata_devs

Last year’s list included the following ‘top priority’ ideas:

  • flow bypass: almost done
  • failing better: in progress
  • hyperscan integration: mostly done
  • performance recommendation: needs work
  • default config improvements: mostly done
  • dynamic stream depth: almost done

The result of last year was also NOT doing some work. The group didn’t care much about a binary output for EVE (e.g. bson or similar), so we
avoided spending time on that.

In our survey of the Barcelona conference, we learned that some ppl found this session extremely valuable, but other ppl much less so. For
this reason we’re doing the session on the 3rd & last day of our conference now. If people don’t care much they can skip it and head home
early.

I’m looking very much forward to doing another session like this in DC, so please consider joining us at SuriCon! The session at SuriCon 2.0 will be quite a bit longer too, so we should be able to cover more topics and more ideas. So please join us!

Oh and do bring your wish list!

Register at SuriCon here.

2015_barcelona_awesome-shirts

Suricata 3.1.2 released!

We’re proud to announce Suricata 3.1.2. This release fixes some important issues, so we highly recommend updating.suri-400x400

Changes

  • Feature #1830: support ‘tag’ in eve log
  • Feature #1870: make logged flow_id more unique
  • Feature #1874: support Cisco Fabric Path / DCE
  • Feature #1885: eve: add option to log all dropped packets
  • Feature #1886: dns: output filtering
  • Bug #1849: ICMPv6 incorrect checksum alert if Ethernet FCS is present
  • Bug #1853: fix dce_stub_data buffer
  • Bug #1854: unified2: logging of tagged packets not working
  • Bug #1856: PCAP mode device not found
  • Bug #1858: Lots of TCP ‘duplicated option/DNS malformed request data’ after upgrading from 3.0.1 to 3.1.1
  • Bug #1878: dns: crash while logging sshfp records
  • Bug #1880: icmpv4 error packets can lead to missed detection in tcp/udp
  • Bug #1884: libhtp 0.5.22

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1.2.tar.gz

Special thanks

Kirill Shipulin – Positive Technologies, Christoffer Hallstensen – NTNU Gjøvik, Pedro Marinho – Proofpoint, Tom Decanio – FireEye, Coverity Scan

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. Agenda and speakers are now available, including keynote speakers Ron Gula and Liam Randall. Please see: http://suricon.net/

Training & Support

Need help installing, updating, validating, tuning and extending Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1.1 released!

We’re proud to announce Suricata 3.1.1. This is a bug fix update for the 3.1 stable release.suri-400x400

Changes

  • Feature #1775: Lua: SMTP-support
  • Bug #1419: DNS transaction handling issues
  • Bug #1515: Problem with Threshold.config when using more than one IP
  • Bug #1664: Unreplied DNS queries not logged when flow is aged out
  • Bug #1808: Can’t set thread priority after dropping privileges
  • Bug #1821: Suricata 3.1 fails to start on CentOS6
  • Bug #1839: suricata 3.1 configure.ac says >=libhtp-0.5.5, but >=libhtp-0.5.20 required
  • Bug #1840: –list-keywords and –list-app-layer-protos not working
  • Bug #1841: libhtp 0.5.21
  • Bug #1844: netmap: IPS mode doesn’t set 2nd iface in promisc mode
  • Bug #1845: Crash on disabling a app-layer protocol when it’s logger is still enabled
  • Optimization #1846: af-packet: improve thread calculation logic
  • Optimization #1847: rules: don’t warn on empty files

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1.1.tar.gz

Special thanks

CoverityScan and the Casec Bachelors group: Lauritz Prag Sømme, Levi Tobiassen, Stian Hoel Bergseth, Vinjar Hillestad

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.0.2 released

We are pleased to announce Suricata 3.0.2. The release addresses various issues affecting stability. Libhtp 0.5.20 is bundled.suri-400x400

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.0.2.tar.gz

Special thanks

ANSSI, Stamus Networks, NorCert, AFL project, CoverityScan

Mats Klepsland, Aleksey Katargin, David Diallo

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1 released!

We’re proud to announce Suricata 3.1.suri-400x400

This release brings significant improvements on the performance side:

  • Hyperscan integration for Multi Pattern Matcher and Single Pattern Matcher. If installed, Hyperscan is now the default.
  • Rewrite of the detection engine, simplifying rule grouping. This improves performance, while reducing memory usage and start up time in many scenarios.

Packet capture got a lot of attention:

  • AF_PACKET support for tpacket-v3 (experimental)
  • NETMAP usability improvements, especially on FreeBSD

Config:

  • Reorganised default configuration layout provides for intuitive and easy set up.

This release also comes with libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.

A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.

Other than that, lots of clean ups and optimizations:

  • locking has been much simplified
  • TCP and IPv6 decoder optimizations
  • unittest clean ups
  • AFL fuzz testing options were added

Have a look at the full change log

Changes since 3.1RC1

  • AF_PACKETv2 is the default as v3 is still experimental
  • NFQ runmode workers was fixed

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz

Special thanks

Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan

Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1RC1 is out!

Photo by Eric Leblond

We’re happy to announce Suricata 3.1RC1. The plan is to release the stable within a few weeks, so please help us test this release!

Lots of improvements on the performance side:

  • Hyperscan integration for MPM and SPM. If installed, Hyperscan is now the default. See this guide.
  • Rewrite of the detection engine, simplifying rule grouping. This reduces memory usage and startup time in many scenarios.

Packet capture got a lot of love:

  • AF_PACKET support for tpacketv3
  • NETMAP usability improvements, especially on FreeBSD

A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.

This release also bundles libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.

Other than that, lots of cleanups and optimizations:

  • locking has been much simplified
  • TCP and IPv6 decoder optimizations
  • unittest cleanups
  • AFL fuzzing options were added

Have a look at the full changelog: https://github.com/inliniac/suricata/blob/master/ChangeLog

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1RC1.tar.gz

Special thanks

Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan

Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

Join us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.0.1 released!

suri-400x400

We are pleased to announce Suricata 3.0.1. This release fixes many important issues in 3.0 and upgrading is highly recommended.

Highlights

– fixes for multiple stability issues
– many memory leak fixes
Hyperscan MPM support (experimental)

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-3.0.1.tar.gz

All Changes

For a complete list of closed tickets, please see:

3.0.1RC1 tickets
3.0.1 tickets

When upgrading from 3.0, please see these notes.

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

FireEye, Intel, ANSSI, Emerging Threats / Proofpoint, Stamus Networks,
NorCert, Ntop, Lastline, AFL project, CoverityScan

Justin Viiret, Tom Decanio, Mats Klepsland, Alexander Gozman,
Aleksey Katargin Maurizio Abba, Alessandro Guido, David Diallo,
Giuseppe Longo, Chris Wakelin, Jon Zeolla, Andreas Moe,
Nicolas Thill, Travis Green, bladeswords Alfredo Cardigliano,
Rob Mosher, Andrew Brown, Andre ten Bohmer

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://suricon.net

If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

Please help us test Suricata 3.0.1RC1

suri-400x400

We’re hoping for your feedback on a new release: Suricata 3.0.1RC1. We’ve fixed many issues in 3.0, including important stability issues and memory leaks. A final is expected within a week or so.

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-3.0.1RC1.tar.gz

New Features

– Feature #1535: Expose the certificate itself in TLS-lua
– Feature #1696: improve logged flow_id
– Feature #1700: enable “relro” and “now” in compile options for 3.0
– Feature #1734: gre: support transparent ethernet bridge decoding
– Feature #1740: Create counters for decode-events errors
– updated bundled libhtp to 0.5.19

Fixes

Many issues were fixed, including stability issues and many (potential) memory leaks.
Full list: https://redmine.openinfosecfoundation.org/versions/81

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:
FireEye, ANSSI, Emerging Threats / Proofpoint, Stamus Networks,
NorCert, Ntop, Lastline, AFL project, CoverityScan

Tom Decanio, Mats Klepsland, Alexander Gozman, Aleksey Katargin
Maurizio Abba, Alessandro Guido, David Diallo, Giuseppe Longo
Jon Zeolla, Andreas Moe, Nicolas Thill, Travis Green, bladeswords
Alfredo Cardigliano, Rob Mosher, Andre ten Bohmer

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://suricon.net

If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

Suricata 3.0 Available!

suri-400x400We’re proud to announce Suricata 3.0. This is a major new release improving Suricata on many fronts.

Download

http://www.openinfosecfoundation.org/download/suricata-3.0.tar.gz

Features and Improvements

  • improved detection options, including multi-tenancy and xbits
  • performance and scalability much improved
  • much improved accuracy and robustness
  • Lua scripting capabilities expanded significantly
  • many output improvements, including much more JSON
  • NETMAP capture method support, especially interesting to FreeBSD users
  • SMTP inspection and file extraction

For a full list of features added, please see:
https://redmine.openinfosecfoundation.org/versions/80

Upgrading

Upgrades from 2.0 to 3.0 should be mostly seamless. Here are some notes:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_20_to_Suricata_30

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

FireEye, ProtectWise, ANSSI, Emerging Threats /
Proofpoint, Stamus Networks, Ntop, AFL project, CoverityScan

Aaron Campbell, Aleksey Katargin, Alessandro Guido,
Alexander Gozman, Alexandre Macabies, Alfredo Cardigliano,
Andreas Moe, Anoop Saldanha, Antti Tönkyrä, Bill Meeks,
Darien Huss, David Abarbanel, David Cannings, David Diallo,
David Maciejak, Duarte Silva, Eduardo Arada, Giuseppe Longo,
Greg Siemon, Hayder Sinan, Helmut Schaa, Jason Ish,
Jeff Barber, Ken Steele, lessyv, Mark Webb-Johnson,
Mats Klepsland, Matt Carothers, Michael Rash, Nick Jones,
Pierre Chifflier, Ray Ruvinskiy, Samiux A, Schnaffon,
Stephen Donnelly, sxhlinux, Tom DeCanio, Torgeir Natvig,
Travis Green, Zachary Rasmor

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://oisfevents.net

If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

Suricata 3.0RC3 Available!

Photo by Eric Leblond

We’re happy to announce Suricata 3.0RC3. RC3 fixes a few issues in RC2 that require some more testing. The plan is to release the stable quickly after the holidays, so please help us test this release!

Fixes:

  • Bug #1632: Fail to download large file with browser
  • Bug #1634: Fix non thread safeness of Prelude analyzer
  • Bug #1640: drop log crashes
  • Bug #1645: Race condition in unix manager
  • Bug #1647: FlowGetKey flow-hash.c:240 segmentation fault (master)
  • Bug #1650: DER parsing issue (master)

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.0RC3.tar.gz

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.