Virtual Training – Advanced Deployment and Architecture with Suricata

We are excited to announce Advanced Deployment and Architecture as a live, virtual training!

Details/registration: https://www.eventbrite.com/e/virtual-training-advanced-deployment-and-configuration-with-suricata-tickets-110794401036

This course goes in depth on Suricata configuration and deployment considerations. You will learn which capture method is best for traffic acquisition, how to maximize performance with runmodes, and dive deep into Suricata’s detection engine and multi-pattern matchers. Discover how to expand Suricata’s detection and output capabilities with Lua scripting, as well as its anomaly detection and file extraction capabilities. Gain a deeper understanding of performance and tuning considerations through CPU affinity, NUMA, threading and NIC RSS hashing. Alongside that, understand the specifics of cloud deployments, their pros and cons, and what needs to be in place for cloud security monitoring and how to get it there. Learn how to perform effective and exhaustive troubleshooting when situations like packet loss and system overloading occur. Finally, learn how to handle elephant flows, work with eXpress Data Path (XDP), how output generation affects your deployment, and how to integrate Suricata with other tools such as an ELK stack, Splunk and Linux-based distributions such as SELKS. This class also offers a unique opportunity to bring in-depth use cases, questions, challenges and new ideas directly to the Suricata team. Take your deployment and configuration skills to an expert level with Suricata Advanced Deployment and Architecture!

Early bird pricing ends July 17th!

Webinar – Correlating Host & Network Data w/ Community ID in Sec Onion Hybrid Hunter

Modern security monitoring applications generate a considerable amount of data, making it essential for the analyst to be able to quickly pivot between different data sets. In this webinar, Correlating Host & Network Data w/ Community ID in Sec Onion Hybrid Hunter, we will show you how to use Community ID to quickly correlate events from the network to your hosts. Utilizing the next major version of Security Onion, code-named Hybrid Hunter, you will learn how Community ID can be used to correlate network flows from tools such as Suricata and Zeek with host-based events from osquery. This will allow you to more effectively pivot between your network and host data. By the end of this webinar you’ll have the insight needed to leverage Community ID to perform more effective analysis of your security logs.

This is a free webinar but seats are limited. To sign-up, go to:
https://www.eventbrite.com/e/correlating-host-network-data-w-community-id-in-sec-onion-hybrid-hunter-tickets-106774641828
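The correlation the webinar describes, as an added example that is not part of the original post and not code from Suricata, Zeek, osquery or Security Onion: a Python implementation of the Community ID v1 flow hash, followed by a join of constructed Suricata EVE flow records against constructed osquery socket rows. It assumes the Community ID v1 specification from the corelight/community-id-spec repository (16-bit seed, endpoints ordered lower address first, SHA-1, base64, "1:" prefix), that Suricata has been told to emit the `community_id` field (`community-id: true` on the eve-log output, with the same seed on sensor and host side), and that the host side must recompute the ID from the socket 5-tuple because osquery's socket tables only carry the tuple. The ICMP type/code mapping from the spec is left out; the addresses, pids and paths in the sample records are made up.

```python
"""Community ID v1 flow hashing plus a host/network join (added example)."""
import base64
import hashlib
import socket
import struct

PORT_PROTOS = {6, 17, 132}  # TCP, UDP, SCTP: ports are part of the hash input


def _addr_bytes(addr):
    """Network-byte-order address; byte order is what the spec compares on."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    return socket.inet_pton(family, addr)


def community_id_input(saddr, daddr, proto, sport=None, dport=None, seed=0):
    """Canonical byte string that gets hashed; exposed so it can be checked.
    Layout: seed(2) || saddr || daddr || proto(1) || 0x00 || sport(2) || dport(2)."""
    a, b = _addr_bytes(saddr), _addr_bytes(daddr)
    if proto in PORT_PROTOS:
        if sport is None or dport is None:
            raise ValueError("TCP/UDP/SCTP flows need both ports")
        # Direction-independent ordering: lower address first, lower port on a tie.
        if (b, dport) < (a, sport):
            a, b, sport, dport = b, a, dport, sport
        tail = struct.pack("!BBHH", proto, 0, sport, dport)
    else:
        # Port-less protocols (ICMP mapping from the spec is NOT implemented here).
        if b < a:
            a, b = b, a
        tail = struct.pack("!BB", proto, 0)
    return struct.pack("!H", seed) + a + b + tail


def community_id(saddr, daddr, proto, sport=None, dport=None, seed=0):
    """Version 1 Community ID: "1:" + base64(sha1(canonical input))."""
    digest = hashlib.sha1(
        community_id_input(saddr, daddr, proto, sport, dport, seed)).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def correlate(suricata_events, osquery_sockets, seed=0):
    """Join Suricata EVE records carrying `community_id` against osquery socket
    rows by recomputing the ID from each socket's 5-tuple. A seed mismatch
    between sensor and host silently yields zero matches, so keep them equal.
    Returns {community_id: [(pid, path), ...]} for flows seen on both sides."""
    by_id = {}
    for row in osquery_sockets:
        cid = community_id(row["local_address"], row["remote_address"],
                           row["protocol"], row["local_port"], row["remote_port"], seed)
        by_id.setdefault(cid, []).append((row["pid"], row["path"]))
    return {ev["community_id"]: by_id[ev["community_id"]]
            for ev in suricata_events if ev.get("community_id") in by_id}


def sample_logs():
    """Constructed records shaped like Suricata EVE `flow` events and osquery
    `process_open_sockets` rows; only the fields the join needs are present.
    In real use the community_id value is written by Suricata, not computed here."""
    suricata = [
        {"event_type": "flow", "src_ip": "10.0.0.1", "src_port": 40000,
         "dest_ip": "10.0.0.2", "dest_port": 443, "proto": "TCP",
         "community_id": community_id("10.0.0.1", "10.0.0.2", 6, 40000, 443)},
        {"event_type": "flow", "src_ip": "10.0.0.1", "src_port": 40001,
         "dest_ip": "10.0.0.3", "dest_port": 53, "proto": "UDP",
         "community_id": community_id("10.0.0.1", "10.0.0.3", 17, 40001, 53)},
    ]
    osquery = [
        {"pid": 4242, "path": "/usr/bin/curl", "protocol": 6,
         "local_address": "10.0.0.1", "local_port": 40000,
         "remote_address": "10.0.0.2", "remote_port": 443},
        {"pid": 913, "path": "/usr/sbin/sshd", "protocol": 6,
         "local_address": "10.0.0.1", "local_port": 22,
         "remote_address": "10.0.0.9", "remote_port": 51000},
    ]
    return suricata, osquery


if __name__ == "__main__":
    flows, sockets = sample_logs()
    for cid, owners in correlate(flows, sockets).items():
        print(cid, "->", owners)
```

Because the endpoint ordering is direction independent, the ID computed from the host's local/remote view matches the one Suricata computed from the first packet it saw, which is what makes the pivot work without knowing who initiated the connection. The spec repository ships test vectors; run them against `community_id` before trusting a deployment that mixes implementations.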

Suricata 5.0.3 released

We are pleased to announce the release of Suricata 5.0.3. This is a larger than usual point release, with a number of important fixes.

This is the first release after Suricata joined the OSS-Fuzz program, leading to the discovery of a number of (potential) security issues. We expect that in the coming months we’ll fix more such issues, as the fuzzers increase their coverage and we continue to improve the seed corpus.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-5.0.3.tar.gz

Changes

  • Feature #3481: GRE ERSPAN Type 1 Support
  • Feature #3613: Teredo port configuration
  • Feature #3673: datasets: add ‘dataset-remove’ unix command
  • Bug #3240: Dataset hash-size or prealloc invalid value logging
  • Bug #3241: Dataset reputation invalid value logging
  • Bug #3342: Suricata 5.0 crashes while parsing SMB data
  • Bug #3450: signature with sticky buffer with subsequent pcre check in a different buffer loads but will never match
  • Bug #3491: Backport 5 BUG_ON(strcasecmp(str, "any") in DetectAddressParseString
  • Bug #3507: rule parsing: memory leaks
  • Bug #3526: 5.0.x Kerberos vulnerable to TCP splitting evasion
  • Bug #3534: Skip over ERF_TYPE_META records
  • Bug #3552: file logging: complete files sometimes marked ‘TRUNCATED’
  • Bug #3571: rust: smb compile warnings
  • Bug #3573: TCP Fast Open – Bypass of stateless alerts
  • Bug #3574: Behavior for tcp fastopen
  • Bug #3576: Segfault when facing malformed SNMP rules
  • Bug #3577: SIP: Input not parsed when header values contain trailing spaces
  • Bug #3580: Faulty signature with two threshold keywords does not generate an error and never match
  • Bug #3582: random failures on sip and http-evader suricata-verify tests
  • Bug #3585: htp: asan issue
  • Bug #3592: Segfault on SMTP TLS
  • Bug #3598: rules: memory leaks in pktvar keyword
  • Bug #3600: rules: bad address block leads to stack exhaustion
  • Bug #3602: rules: crash on ‘internal’-only keywords
  • Bug #3604: rules: missing ‘consumption’ of transforms before pkt_data would lead to crash
  • Bug #3606: rules: minor memory leak involving pcre_get_substring
  • Bug #3609: ssl/tls: ASAN issue in SSLv3ParseHandshakeType
  • Bug #3610: defrag: asan issue
  • Bug #3612: rules/bsize: memory issue during parsing
  • Bug #3614: build-info and configure wrongly display libnss status
  • Bug #3644: Invalid memory read on malformed rule with Lua script
  • Bug #3646: rules: memory leaks on failed rules
  • Bug #3649: CIDR Parsing Issue
  • Bug #3651: FTP response buffering against TCP stream
  • Bug #3653: Recursion stack-overflow in parsing YAML configuration
  • Bug #3660: Multiple DetectEngineReload and bad insertion into linked list lead to buffer overflow
  • Bug #3665: FTP: Incorrect ftp_memuse calculation.
  • Bug #3667: Signature with an IP range creates one IPOnlyCIDRItem per single IP address
  • Bug #3669: Rules reload with Napatech can hang Suricata UNIX manager process
  • Bug #3672: coverity: data directory handling issues
  • Bug #3674: Protocol detection evasion by packet splitting
  • Optimization #3406: filestore rules are loaded without warning when filestore is not enabled
  • Task #3478: libhtp 0.5.33
  • Task #3514: SMTP should place restraints on variable length items (e.g., filenames)
  • Documentation #3543: doc: add ipv4.hdr and ipv6.hdr
  • Bundled libhtp 0.5.33
  • Bundled Suricata-Update 1.1.2

Special thanks

OSS-Fuzz, Coverity Scan, Sascha Steinbiss, Stephen Donnelly, Jason Taylor

Free Webinar

Join our Free webinar on Hunting Threats in Encrypted traffic: https://suricata-ids.org/2020/04/14/webinar-hunting-threats-that-use-encrypted-network-traffic-with-suricata/

Forums

Join our new Forum at https://forum.suricata.io/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.8 released

We’re pleased to announce the release of Suricata 4.1.8. This is a larger than usual point release, with a number of important fixes.

This is the first release after Suricata joined the OSS-Fuzz program, leading to the discovery of a number of (potential) security issues. We expect that in the coming months we’ll fix more such issues, as the fuzzers increase their coverage and we continue to improve the seed corpus.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.8.tar.gz

As announced last month, we’re keeping the 4.1 branch supported longer than originally planned. See: https://suricata-ids.org/2020/03/25/suricata-4-1-eol-update-support-extended/

Changes

  • Bug #3492: Backport 4 BUG_ON(strcasecmp(str, "any") in DetectAddressParseString
  • Bug #3508: rule parsing: memory leaks
  • Bug #3527: 4.1.x Kerberos vulnerable to TCP splitting evasion
  • Bug #3533: Skip over ERF_TYPE_META records
  • Bug #3551: file logging: complete files sometimes marked ‘TRUNCATED’
  • Bug #3572: rust: smb compile warnings
  • Bug #3579: Faulty signature with two threshold keywords does not generate an error and never match
  • Bug #3581: random failures on sip and http-evader suricata-verify tests
  • Bug #3596: ftp: asan detects leaks of expectations
  • Bug #3599: rules: memory leaks in pktvar keyword
  • Bug #3601: rules: bad address block leads to stack exhaustion
  • Bug #3603: rules: crash on ‘internal’-only keywords
  • Bug #3605: rules: missing ‘consumption’ of transforms before pkt_data would lead to crash
  • Bug #3607: rules: minor memory leak involving pcre_get_substring
  • Bug #3608: ssl/tls: ASAN issue in SSLv3ParseHandshakeType
  • Bug #3611: defrag: asan issue
  • Bug #3633: file-store.stream-depth not working as expected when configured to a specific value (4.1.x)
  • Bug #3645: Invalid memory read on malformed rule with Lua script
  • Bug #3647: rules: memory leaks on failed rules
  • Bug #3648: CIDR Parsing Issue
  • Bug #3650: FTP response buffering against TCP stream
  • Bug #3652: Recursion stack-overflow in parsing YAML configuration
  • Bug #3659: Multiple DetectEngineReload and bad insertion into linked list lead to buffer overflow
  • Bug #3666: FTP: Incorrect ftp_memuse calculation.
  • Bug #3668: Signature with an IP range creates one IPOnlyCIDRItem per single IP address
  • Bug #3671: Protocol detection evasion by packet splitting
  • Bug #3676: Segfault on SMTP TLS
  • Feature #3482: GRE ERSPAN Type 1 Support
  • Task #3479: libhtp 0.5.33 (4.1.x)
  • Task #3513: SMTP should place restraints on variable length items (e.g., filenames)
  • Bundled libhtp 0.5.33
  • Bundled Suricata-Update 1.0.7

Special thanks

OSS-Fuzz, Coverity Scan, Giuseppe Longo, Stephen Donnelly


Webinar – Hunting Threats That Use Encrypted Network Traffic with Suricata

In February 2020, Let’s Encrypt announced that they had issued a billion certificates. This is a sign of how encryption of network traffic has continued to gain adoption among regular individuals as well as among malicious actors. Decrypting this traffic may at first look like the way to recover the lost visibility, but it is not always an option, for privacy or for technical reasons. In this webinar, we’ll discuss several approaches to analyzing encrypted network traffic with Suricata. We will look at Suricata’s JA3/JA3S support, its TLS/SSL support and its newest protocol anomaly detection capabilities. By the end of this webinar you’ll have the insight needed to leverage Suricata to perform more effective analysis of encrypted network traffic.

This is a free webinar but seats are limited. To sign-up, go to https://www.eventbrite.com/e/webinar-hunting-threats-that-use-encrypted-network-traffic-with-suricata-tickets-102612647190
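To show what the JA3 value Suricata logs and matches on actually encodes, here is an added example (not code from the original post or from Suricata) that builds two TLS ClientHello messages, one with GREASE values and one without, parses them back and derives the JA3 string and its MD5 hash. It assumes the JA3 definition from the salesforce/ja3 project (MD5 over "SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats" with GREASE values removed); the ClientHello contents, the host name `ja3.test` and the cipher and group choices are constructed for the example.

```python
"""Derive a JA3 fingerprint from a TLS ClientHello (added example)."""
import hashlib
import struct

GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}  # 0x0a0a ... 0xfafa (RFC 8701)
EXT_SUPPORTED_GROUPS = 0x000A
EXT_EC_POINT_FORMATS = 0x000B


def _u16_list(values):
    return b"".join(struct.pack("!H", v) for v in values)


def build_client_hello(version, ciphers, extensions):
    """Serialise a TLS record carrying a ClientHello. `extensions` is a list
    of (type, payload) tuples, emitted in the given order."""
    ext_body = b"".join(struct.pack("!HH", t, len(p)) + p for t, p in extensions)
    body = (struct.pack("!H", version)
            + bytes(32)                                     # constructed all-zero ClientRandom
            + b"\x00"                                       # empty session_id
            + struct.pack("!H", 2 * len(ciphers)) + _u16_list(ciphers)
            + b"\x01\x00"                                   # compression methods: null only
            + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (version, ciphers, extension types, groups, point formats) from
    a TLS record holding a ClientHello; ValueError for anything else."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        version = struct.unpack("!H", hs[0:2])[0]
        pos = 2 + 32                                        # skip ClientRandom
        pos += 1 + hs[pos]                                  # skip session_id
        n = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        ciphers = list(struct.unpack("!%dH" % (n // 2), hs[pos:pos + n]))
        pos += n
        pos += 1 + hs[pos]                                  # skip compression methods
        ext_types, groups, formats = [], [], []
        if pos < len(hs):                                   # extensions block is optional
            end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
                data = hs[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                ext_types.append(etype)
                if etype == EXT_SUPPORTED_GROUPS:          # u16 length + u16 group ids
                    gl = struct.unpack("!H", data[:2])[0]
                    groups = list(struct.unpack("!%dH" % (gl // 2), data[2:2 + gl]))
                elif etype == EXT_EC_POINT_FORMATS:        # u8 length + u8 formats
                    formats = list(data[1:1 + data[0]])
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc
    return version, ciphers, ext_types, groups, formats


def ja3_string(record):
    """The pre-hash JA3 string: decimal fields, '-' lists, GREASE dropped."""
    version, ciphers, exts, groups, formats = parse_client_hello(record)

    def no_grease(values):
        return [v for v in values if v not in GREASE]

    return ",".join([str(version),
                     "-".join(map(str, no_grease(ciphers))),
                     "-".join(map(str, no_grease(exts))),
                     "-".join(map(str, no_grease(groups))),
                     "-".join(map(str, formats))])


def ja3_hash(record):
    return hashlib.md5(ja3_string(record).encode("ascii")).hexdigest()


def sample_hellos():
    """Two constructed ClientHellos with identical real parameters; the second
    carries Chrome-style GREASE values that the fingerprint must ignore."""
    sni = b"\x00\x0b\x00\x00\x08ja3.test"                  # server_name for a hypothetical host
    groups = [0x001D, 0x0017]                              # x25519, secp256r1
    clean = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02B], [
        (0x0000, sni),
        (EXT_SUPPORTED_GROUPS, struct.pack("!H", 2 * len(groups)) + _u16_list(groups)),
        (EXT_EC_POINT_FORMATS, b"\x01\x00"),
    ])
    greased = build_client_hello(0x0303, [0x0A0A, 0x1301, 0x1302, 0xC02B], [
        (0x2A2A, b""),
        (0x0000, sni),
        (EXT_SUPPORTED_GROUPS, struct.pack("!H", 6) + _u16_list([0x3A3A] + groups)),
        (EXT_EC_POINT_FORMATS, b"\x01\x00"),
    ])
    return clean, greased


if __name__ == "__main__":
    for label, hello in zip(("clean", "greased"), sample_hellos()):
        print(label, ja3_string(hello), ja3_hash(hello))
```

With JA3 fingerprinting enabled, Suricata writes these same two values into its EVE tls records as `ja3.hash` and `ja3.string`, and rules can match them through the `ja3.hash` and `ja3.string` sticky buffers. The GREASE pair shows why a fingerprint survives the randomized values browsers insert; the string form is what to inspect when deciding whether a hash is specific enough to alert on, since a short cipher list shared by many clients makes a poor indicator.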

Suricata 4.1 EOL update: support extended

Just a quick note that we’re planning to keep the 4.1 branch supported until at least the end of the year. We understand that lots of organizations are going through various levels of disruption currently.

Normally we’d announce the EOL date for 4.1 right about now, but we understand that upgrades like this may not be a priority in your organization, or that the risk of causing service disruptions is considered too high in the current situation.

As the end of 2020 nears we’ll provide another update on our 4.1 plans.

5.0, our current stable branch, will naturally be supported as well.

Work on the upcoming 6.0 is progressing nicely. The Suricata Dev team is already a virtual team with most of us routinely working from home, so disruption for us has so far been minimal.

Stay healthy!

Suricata Hosting Two Training Sessions at SharkFest’20 US

Mark your calendars! This July, Suricata will be in Kansas City, MO at SharkFest’20 US, hosting two intense, 90-minute crash courses on intrusion analysis/threat hunting and signature development.

The first training, Practical Signature Development for Open Source IDS, focuses on expert methods and techniques for writing network signatures to efficiently hunt and detect the greatest and most common threats facing organizations today. In addition to Suricata, we’ll use leading open source security tools, specifically Wireshark, to teach traffic analysis fundamentals, custom signature writing and how to test your signatures for accuracy and performance.

Suricata experts with real-world experience in customizing and tailoring the solution to identify and hunt threats will equip you with the ability to analyze and interpret hostile network traffic to create agile rules for detection and mitigation.

Attendees of the second session, Intrusion Analysis and Threat Hunting with Suricata, will learn how to dig deep into network traffic to uncover key evidence that a compromise has occurred, identify new forms of attack, and develop the skills necessary to proactively search for Indicators of Compromise and evidence of new breaches. The course will also explore key phases of adversary tactics and techniques, from delivery mechanisms to post-infection traffic and data exfiltration, offering a true hands-on analysis experience.

Join us at SharkFest’20 US and maximize your open-source capabilities with Suricata.

For more information on the conference, visit https://sharkfestus.wireshark.org/

Announcing forum.suricata.io

We’re happy to announce that for Suricata we’re going to trial a Discourse setup. Discourse is a “place for civilized discussion”. It is used by others in the open source community, such as Mozilla and the Rust Language project.

Join at https://forum.suricata.io/

Reasons for choosing Discourse

Easy to get started for users: the default forum style interface makes it easy to start interacting with the community. It also directly gives access to (participating in) discussions that predate the registration, something that is much harder in the current mailing lists. By enabling a number of ‘social logins’, signing up is also easy.

Trial goals

Goals of the trial are finding out how the community would use this platform, how we can manage it against various forms of unwanted activity, and whether we see an uptick in users. In addition, we want to use the trial period to adjust settings and experiment with plugins and themes.

Trial steps

During the trial we will use the hosted version of Discourse, which is hosted by the developers of the platform. During the trial or at the end of the trial we’ll evaluate how well this worked for us. Discourse can also be self-hosted.

The trial will run until June 1st. Assuming the trial is successful, we will then start a transition phase in which we discourage the use of the old mailing lists. End of summer / early fall we’ll then disable them completely. We will keep the archives online, of course.

Mailing list

For people who dislike forums, or web-based interfaces in general, Discourse offers a special ‘mailing list mode’. In this mode you can receive posts as emails, reply to them, and start new topics as well. Mailing list mode can be activated on the ‘preferences’ page of your account.

See https://forum.suricata.io/t/mailinglist-mode

Feedback

In the ‘Site Feedback’ category you can give feedback on the setup, predefined categories, moderation, etc. Please use this if you feel there are things that can be done to improve the usefulness of the platform.

See: https://forum.suricata.io/c/site-feedback/

Hope to see you at https://forum.suricata.io/

OISF/Suricata to Offer Intrusion Detection and Threat Hunting Training Course at Black Hat Asia

Due to concerns surrounding COVID-19, Black Hat Asia has been rescheduled to Sept 29 – Oct 2, 2020. We’re excited to announce that OISF will be at the Marina Bay Sands in Singapore this September/October for Black Hat Asia, with our experts hosting a four-day power training on Intrusion Detection and Threat Hunting with Open Source Tools.

Our goal with this training is to help attendees build a foundation for an effective threat hunting program, as well as provide ideas and strategies to help increase the efficiency of existing programs. When it comes to detecting threat actors and malware operations, you can’t leave stones unturned.

If you’re a beginner in the open source space looking to mature your skills, this comprehensive training is a can’t-miss. Join us on Sept 29 – Oct 2, 2020 at Black Hat Singapore and take your threat hunting capabilities to the next level. For more details on the session, check out the training page on Black Hat’s website – https://www.blackhat.com/asia-20/training/schedule/index.html#intrusion-analysis-and-threat-hunting-with-open-source-tools-18067

Early-bird pricing ends July 24th – we hope to see you in Singapore!

Trainers: Members of the OISF team

OISF/Suricata to Offer Intrusion Detection and Threat Hunting Training Course at Black Hat USA

We’re excited to announce that OISF will be at the Mandalay Bay in Las Vegas this August for Black Hat USA, with our experts hosting a four-day power training on Intrusion Detection and Threat Hunting with Open Source Tools.

Our goal with this training is to help attendees build a foundation for an effective threat hunting program, as well as provide ideas and strategies to help increase the efficiency of existing programs. When it comes to detecting threat actors and malware operations, you can’t leave stones unturned.

If you’re a beginner in the open source space looking to mature your skills, this comprehensive training is a can’t-miss. Join us on August 1-4 at Black Hat USA and take your threat hunting capabilities to the next level. For more details on the session, check out the training page on Black Hat’s website – https://www.blackhat.com/us-20/training/schedule/#intrusion-analysis-and-threat-hunting-with-open-source-tools-19091

This course will cover the fundamental aspects of Suricata such as rule comprehension, managing rule sets, validating alerts, working through false positives/negatives and customizing rules to provide more network traffic visibility. We’ll dive into an in-depth analysis of network traffic and the development of threat hunting strategies to detect anomalous or malicious activity with tools such as Moloch, Kibana and CyberChef. Additionally, we’ll have several hands-on, real-world exercises to reinforce the detection techniques and tactics explained throughout the course.

Early bird pricing for the training ends on May 22, so act fast!

BlackHat USA August 2020

Trainers: Members of the OISF team