Tag Archive | dcerpc

Suricata 4.0.1 available!

suri-400x400

We are pleased to announce Suricata 4.0.1.  This is regular bug fix release fixing various issues. Also added is much improved Napatech support.

Changes

  • Feature #2114: Redis output: add RPUSH support
  • Feature #2152: Packet and Drop Counters for Napatech
  • Bug #2050: TLS rule mixes up server and client certificates
  • Bug #2064: Rules with dual classtype do not error
  • Bug #2074: detect msg: memory leak
  • Bug #2102: Rules with dual sid do not error
  • Bug #2103: Rules with dual rev do not error
  • Bug #2151: The documentation does not reflect current suricata.yaml regarding cpu-affinity
  • Bug #2194: rust/nfs: sigabrt/rust panic – 4.0.0-dev (rev fc22943)
  • Bug #2197: rust build with lua enabled fails on x86
  • Bug #2201: af_packet: suricata leaks memory with use-mmap enabled and incorrect BPF filter
  • Bug #2207: DNS UDP “Response” parsing recording an incorrect value
  • Bug #2208: mis-structured JSON stats output if interface name is shortened
  • Bug #2226: improve error message if stream memcaps too low
  • Bug #2228: enforcing specific number of threads with autofp does not seem to work
  • Bug #2244: detect state uses broken offset logic (4.0.x)

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.1.tar.gz

Special thanks

Qidu Sy, Phil Young – Napatech, Mats Klepsland, Sascha Steinbiss, Alexander Gozman, Derek Kingsbury, Julian Wecke, Pierre Chifflier, Jason Taylor

Trainings

Conference attendees get a 20% discount!

SuriCon 2017

Less than one month to SuriCon 2017! Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be next month in Prague: https://suricon.net

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.2.4 available!

suri-400x400

We are pleased to announce Suricata 3.2.4. This a security update fixing important issues. Additionally, it fixes various minor issues.

Changes

  • Bug #2241: smb dcerpc segfaults in StubDataParser (3.2.x)
  • Bug #2231: Redundant content checks may cause Suricata DoS condition on a insignificant traffic rate
  • Bug #2214: detect state uses broken offset logic
  • Bug #2234: TLS rule mixes up server and client certificates (3.2.x)
  • Bug #2235: DNS UDP “Response” parsing recording an incorrect timestamp (3.2.x)
  • Bug #2236: af_packet: suricata leaks memory with use-mmap enabled and incorrect BPF filter (3.2.x)
  • Bug #2237: Redis output: add RPUSH support (3.2.x)
  • Bug #2238: detect duplicate ‘meta’ keywords (3.2.x)
  • Bug #2239: documentation does not reflect current suricata.yaml regarding cpu-affinity (3.2.x)
  • Bug #2242: improve error message if stream memcap too low (3.2.x)
  • Bug #2243: enforcing specific number of threads with autofp does not seem to work (3.2.x)

Download

https://www.openinfosecfoundation.org/download/suricata-3.2.4.tar.gz

End of life announcement

The 3.2 branch will be end-of-life in 2 months, so on December 18. After this it will receive no more updates of any kind, so please plan for your upgrade to Suricata 4.0+ before that date.

https://suricata-ids.org/about/eol-policy/

Special thanks

Jack Covington, Kirill Shipulin – Positive Technologies, Qidu Sy, Mats Klepsland, Derek Kingsbury, Julian Wecke, Alexander Gozman, AFL project, Coverity Scan

Trainings

Conference attendees get a 20% discount!

SuriCon 2017

Less than one month to SuriCon 2017! Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be next month in Prague: https://suricon.net

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1.2 released!

We’re proud to announce Suricata 3.1.2. This release fixes some important issues, so we highly recommend updating.suri-400x400

Changes

  • Feature #1830: support ‘tag’ in eve log
  • Feature #1870: make logged flow_id more unique
  • Feature #1874: support Cisco Fabric Path / DCE
  • Feature #1885: eve: add option to log all dropped packets
  • Feature #1886: dns: output filtering
  • Bug #1849: ICMPv6 incorrect checksum alert if Ethernet FCS is present
  • Bug #1853: fix dce_stub_data buffer
  • Bug #1854: unified2: logging of tagged packets not working
  • Bug #1856: PCAP mode device not found
  • Bug #1858: Lots of TCP ‘duplicated option/DNS malformed request data’ after upgrading from 3.0.1 to 3.1.1
  • Bug #1878: dns: crash while logging sshfp records
  • Bug #1880: icmpv4 error packets can lead to missed detection in tcp/udp
  • Bug #1884: libhtp 0.5.22

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1.2.tar.gz

Special thanks

Kirill Shipulin – Positive Technologies, Christoffer Hallstensen – NTNU Gjøvik, Pedro Marinho – Proofpoint, Tom Decanio – FireEye, Coverity Scan

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. Agenda and speakers are now available, including keynote speakers Ron Gula and Liam Randall. Please see: http://suricon.net/

Training & Support

Need help installing, updating, validating, tuning and extending Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.7 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.7. This release fixes a number of important issues in the 2.0 series.

Two major issues. The first was brought to our attention by the Yahoo Pentest Team. It’s a parsing issue in the DCERPC parser that can happen when Suricata runs out of memory. The exact scope of the problem isn’t clear, but it could certainly lead to crashes. RCE might theoretically be possible but looks like it’s very hard.

The second issue was reported by Darien Huss of Emerging Threats. This is technically a libhtp issue, but it affects Suricata detection and logging. Certain characters in the URI could confuse the parsing of the HTTP request line, leading to possible detection bypass for ‘http_uri’ and to incomplete logging of the URI. Libhtp 0.5.17 has been released to address this and is bundled in 2.0.7.

Other than that a bunch of improvements and fixes. It should work again on CentOS 5. Midstream TCP was improved and some performance optimizations for HTTP proxy traffic were made.

Upgrading is highly recommended.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.7.tar.gz

Changes

  • Bug #1385: DCERPC traffic parsing issue
  • Bug #1391: http uri parsing issue
  • Bug #1383: tcp midstream window issue
  • Bug #1318: A thread-sync issue in streamTCP
  • Bug #1375: Regressions in list keywords option
  • Bug #1387: pcap-file hangs on systems w/o atomics support
  • Bug #1395: dump-counters unix socket command failure
  • Optimization #1376: file list is not cleaned up

Security

The DCERPC parsing issue has CVE-2015-0928 assigned to it.

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • The Yahoo Pentest Team
  • Darien Huss — Emerging Threats
  • FireEye
  • Dennis Lee

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.4.1 released!

Photo by Eric LeblondThe OISF development team is proud to announce Suricata 1.4.1. This is a major update over the 1.4 release, adding some exiting features, many improvements and fixing some important bugs.

Get the new release here: suricata-1.4.1.tar.gz

The most interesting new feature is the GeoIP support. Great contribution by Ignacio Sanchez. It adds “geoip” rule keyword that allows you to match on source of destination of a packet per country.

New features

  • GeoIP keyword, allowing matching on Maxmind’s database, contributed by Ignacio Sanchez (#559)
  • Introduce http_host and http_raw_host keywords (#733, #743)
  • Add python module for interacting with unix socket (#767)
  • Add new unix socket commands: fetching config, counters, basic runtime info (#764, #765)

Improvements

  • Big Napatech support update by Matt Keeler
  • Configurable sensor id in unified2 output, contributed by Jake Gionet (#667)
  • FreeBSD IPFW fixes by Nikolay Denev
  • Add “default” interface setting to capture configuration in yaml (#679)
  • Make sure “snaplen” can be set by the user (#680)
  • Improve HTTP URI query string normalization (#739)
  • Improved error reporting in MD5 loading (#693)
  • Improve reference.config parser error reporting (#737)
  • Improve build info output to include all configure options (#738)

Fixes

  • Segfault in TLS parsing reported by Charles Smutz (#725)
  • Fix crash in teredo decoding, reported by Rmkml (#736)
  • fixed UDPv4 packets without checksum being detected as invalid (#760)
  • fixed DCE/SMB parsers getting confused in some fragmented cases (#764)
  • parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#697)
  • FN: IP-only rule ip_proto not matching for some protocols (#689)
  • Fix build failure with other libhtp installs (#688)
  • Fix malformed yaml loading leading to a crash (#694)
  • Various Mac OS X fixes (#700, #701, #703)
  • Fix for autotools on Mac OS X by Jason Ish (#704)
  • Fix AF_PACKET under high load not updating stats (#706)

Special thanks

  • Ignacio Sanchez
  • Matt Keeler — nPulse
  • Jake Gionet
  • Nikolay Denev
  • Jason Ish — Endace
  • Jamie Strandboge
  • Charles Smutz
  • Rmkml

Known issues & missing features

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.3.6 available!

The OISF development team is pleased to announce Suricata 1.3.6. This the last maintenance release of Suricata 1.3 with some important fixes.

Because of the fixes below, upgrading is highly recommended.

Download: http://www.openinfosecfoundation.org/download/suricata-1.3.6.tar.gz

Fixes

  • fix decoder event rules not checked in all cases (#671)
  • checksum detection for icmpv6 was fixed (#673)
  • crash in HTTP server body inspection code fixed (#675)
  • fixed a icmpv6 payload bug (#676)
  • IP-only rule ip_proto not matching for some protocols was addressed (#690)
  • fixed malformed yaml crashing suricata (#702)
  • parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#717)
  • crash in tls parser was fixed (#759)
  • fixed UDPv4 packets without checksum being detected as invalid (#762)
  • fixed DCE/SMB parsers getting confused in some fragmented cases (#763)

Special thanks

  • Jamie Strandboge

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See http://redmine.openinfosecfoundation.org/projects/suricata/issues for an up to date list and to report new issues. See http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.