Tag Archive | eve

Suricata 4.0.0-beta1 ready for testing!

suri-400x400

We are proud to announce that the first release for the upcoming Suricata 4.0.0-beta1 is ready for testing.

This release features our first experimental steps into using the Rust language for creating safer and easier to develop parsers. Inspired by Pierre Chiffliers talk at SuriCon 2016 (pdf). This initial integration does not yet include Pierre’s work, but this will likely change in the near future.
By compiling with –enable-rust you’ll get a basic NFSv3 parser and reimplementation of the DNS parser. Feedback on this is highly appreciated.

A major new feature is support for STARTTLS in SMTP and FTP. TLS sessions will now be logged in these cases. Decoding, logging and matching on TLS sertial numbers was also added. Great work by Mats Klepsland. Also for TLS, session resumption logging is now supported thanks to the work of Ray Ruvinskiy. TLS logging was improved by Paulo Pacheco.

Lots of new HTTP detection options were added to make matching on specific header fields easier and more efficient. New SSH keywords that are fast_pattern capable have also been added. For developers, this release makes extending the detection engine a lot easier.

A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode.

EVE is extended in several ways: in the case of encapsulated traffic both the inner and outer ip addresses and ports are logged. The ‘vars’ facility logs flowbits and other vars. This can also be used to extract data from the traffic using PCRE, and then log it. EVE can also be rotated based on time.

David Wharton has created a section in the documentation for rule writers who have a background in Snort. It documents changes that are relevant for writing rules.

Paulo Pacheco has been improving the Redis output performance.

Note that this release finally drops support for CentOS 5, and for libpcap 0.x with it.

Changes

  • Feature #805: Add support for applayer change
  • Feature #806: Implement STARTTLS support
  • Feature #1636: Signal rotation of unified2 log file without restart
  • Feature #1953: lua: expose flow_id
  • Feature #1969: TLS transactions with session resumption are not logged
  • Feature #1978: Using date in logs name
  • Feature #1998: eve.tls: custom TLS logging
  • Feature #2006: tls: decode certificate serial number
  • Feature #2011: eve.alert: print outside IP addresses on alerts on traffic inside tunnels
  • Feature #2046: Support custom file permissions per logger
  • Feature #2061: lua: get timestamps from flow
  • Feature #2077: Additional HTTP Header Contents and Negation
  • Feature #2129: nfs: parser, logger and detection
  • Feature #2130: dns: rust parser with stateless behaviour
  • Feature #2132: eve: flowbit and other vars logging
  • Feature #2133: unix socket: add/remove hostbits
  • Bug #1335: suricata option –pidfile overwrites any file
  • Bug #1470: make install-full can have race conditions on OSX.
  • Bug #1759: CentOS5 EOL tasks
  • Bug #2037: travis: move off legacy support
  • Bug #2039: suricata stops processing when http-log output via unix_stream backs up
  • Bug #2041: bad checksum 0xffff
  • Bug #2044: af-packet: faulty VLAN handling in tpacket-v3 mode
  • Bug #2045: geoip: compile warning on CentOS 7
  • Bug #2049: Empty rule files cause failure exit code without corresponding message
  • Bug #2051: ippair: xbit unset memory leak
  • Bug #2053: ippair: pair is direction sensitive
  • Bug #2070: file store: file log / file store mismatch with multiple files
  • Bug #2072: app-layer: fix memleak on bad traffic
  • Bug #2078: http body handling: failed assertion
  • Bug #2088: modbus: clang-4.0 compiler warnings
  • Bug #2093: Handle TCP stream gaps.
  • Bug #2097: “Name of device should not be null” appears in suricata.log when using pfring with configuration from suricata.yaml
  • Bug #2098: isdataat: fix parsing issue with leading spaces
  • Bug #2108: pfring: errors when compiled with asan/debug
  • Bug #2111: doc: links towards http_header_names
  • Bug #2112: doc: links towards certain http_ keywords not working
  • Bug #2113: Race condition starting Unix Server
  • Bug #2118: defrag – overlap issue in linux policy
  • Bug #2125: ASAN SEGV – Suricata version 4.0dev (rev 922a27e)
  • Optimization #521: Introduce per stream thread segment pool
  • Optimization #1873: Classtypes missing on decoder-events,files, and stream-events

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.0-beta1.tar.gz

Special thanks

Mats Klepsland – for his major contributions: many EVE and TLS features

Pierre Chifflier – for paving the way for the Rust experiment and being very helpful while learning Rust and Nom.

Additionally: Jérémy Beaume, Alexander Gozman, Paulo Pacheco, Ray Ruvinskiy, Peter Sanders, David Wharton, Jon Zeolla

Trainings

SuriCon 2017

Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be in November in Prague: https://suricon.net

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1.3 released!

We’re proud to announce Suricata 3.1.3. This release improves DNS logging accuracy. Other than that it is mostly a collection of smaller fixes.This release fixes some important issues, so we highly recommend updating.suri-400x400

Changes

  • Bug #1861: Suricata with multitenancy does not start in 3.1/3.1.1
  • Bug #1889: Suricata doesn’t error on missing semicolon
  • Bug #1910: libhtp 0.5.23 (3.1.x)
  • Bug #1912: http.memcap reached condition can lead to dead lock
  • Bug #1913: af-packet fanout detection broken on Debian Jessie
  • Bug #1933: unix-command socket created with last character missing (3.1.x)
  • Bug #1934: make install-full does not install tls-events.rules (3.1.x)
  • Bug #1941: Can’t set fast_pattern on tls_sni content (3.1.x)
  • Bug #1942: dns – back to back requests results in loss of response (3.1.x)
  • Bug #1943: Check redis reply in non pipeline mode (3.1.x)

Get the release here:

https://www.openinfosecfoundation.org/download/suricata-3.1.3.tar.gz

Special thanks

Paulo Pacheco, Coverity Scan

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. Agenda and speakers are now available, including keynote speakers Ron Gula and Liam Randall. Please see: http://suricon.net/

Training & Support

Need help installing, updating, validating, tuning and extending Suricata? There is a training November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1.2 released!

We’re proud to announce Suricata 3.1.2. This release fixes some important issues, so we highly recommend updating.suri-400x400

Changes

  • Feature #1830: support ‘tag’ in eve log
  • Feature #1870: make logged flow_id more unique
  • Feature #1874: support Cisco Fabric Path / DCE
  • Feature #1885: eve: add option to log all dropped packets
  • Feature #1886: dns: output filtering
  • Bug #1849: ICMPv6 incorrect checksum alert if Ethernet FCS is present
  • Bug #1853: fix dce_stub_data buffer
  • Bug #1854: unified2: logging of tagged packets not working
  • Bug #1856: PCAP mode device not found
  • Bug #1858: Lots of TCP ‘duplicated option/DNS malformed request data’ after upgrading from 3.0.1 to 3.1.1
  • Bug #1878: dns: crash while logging sshfp records
  • Bug #1880: icmpv4 error packets can lead to missed detection in tcp/udp
  • Bug #1884: libhtp 0.5.22

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1.2.tar.gz

Special thanks

Kirill Shipulin – Positive Technologies, Christoffer Hallstensen – NTNU Gjøvik, Pedro Marinho – Proofpoint, Tom Decanio – FireEye, Coverity Scan

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. Agenda and speakers are now available, including keynote speakers Ron Gula and Liam Randall. Please see: http://suricon.net/

Training & Support

Need help installing, updating, validating, tuning and extending Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Please help us test Suricata 3.0.1RC1

suri-400x400

We’re hoping for your feedback on a new release: Suricata 3.0.1RC1. We’ve fixed many issues in 3.0, including important stability issues and memory leaks. A final is expected within a week or so.

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-3.0.1RC1.tar.gz

New Features

– Feature #1535: Expose the certificate itself in TLS-lua
– Feature #1696: improve logged flow_id
– Feature #1700: enable “relro” and “now” in compile options for 3.0
– Feature #1734: gre: support transparent ethernet bridge decoding
– Feature #1740: Create counters for decode-events errors
– updated bundled libhtp to 0.5.19

Fixes

Many issues were fixed, including stability issues and many (potential) memory leaks.
Full list: https://redmine.openinfosecfoundation.org/versions/81

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:
FireEye, ANSSI, Emerging Threats / Proofpoint, Stamus Networks,
NorCert, Ntop, Lastline, AFL project, CoverityScan

Tom Decanio, Mats Klepsland, Alexander Gozman, Aleksey Katargin
Maurizio Abba, Alessandro Guido, David Diallo, Giuseppe Longo
Jon Zeolla, Andreas Moe, Nicolas Thill, Travis Green, bladeswords
Alfredo Cardigliano, Rob Mosher, Andre ten Bohmer

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://suricon.net

If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

Suricata 3.0 Available!

suri-400x400We’re proud to announce Suricata 3.0. This is a major new release improving Suricata on many fronts.

Download

http://www.openinfosecfoundation.org/download/suricata-3.0.tar.gz

Features and Improvements

  • improved detection options, including multi-tenancy and xbits
  • performance and scalability much improved
  • much improved accuracy and robustness
  • Lua scripting capabilities expanded significantly
  • many output improvements, including much more JSON
  • NETMAP capture method support, especially interesting to FreeBSD users
  • SMTP inspection and file extraction

For a full list of features added, please see:
https://redmine.openinfosecfoundation.org/versions/80

Upgrading

Upgrades from 2.0 to 3.0 should be mostly seamless. Here are some notes:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_20_to_Suricata_30

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

FireEye, ProtectWise, ANSSI, Emerging Threats /
Proofpoint, Stamus Networks, Ntop, AFL project, CoverityScan

Aaron Campbell, Aleksey Katargin, Alessandro Guido,
Alexander Gozman, Alexandre Macabies, Alfredo Cardigliano,
Andreas Moe, Anoop Saldanha, Antti Tönkyrä, Bill Meeks,
Darien Huss, David Abarbanel, David Cannings, David Diallo,
David Maciejak, Duarte Silva, Eduardo Arada, Giuseppe Longo,
Greg Siemon, Hayder Sinan, Helmut Schaa, Jason Ish,
Jeff Barber, Ken Steele, lessyv, Mark Webb-Johnson,
Mats Klepsland, Matt Carothers, Michael Rash, Nick Jones,
Pierre Chifflier, Ray Ruvinskiy, Samiux A, Schnaffon,
Stephen Donnelly, sxhlinux, Tom DeCanio, Torgeir Natvig,
Travis Green, Zachary Rasmor

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://oisfevents.net

If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

Suricata 3.0RC2 Available!

Photo by Eric Leblond

We’re happy to announce Suricata 3.0RC2. RC2 fixes a few issues in RC1 that require some more testing. The plan still is to release the stable within a few weeks, so please help us test this release!

Fixes:

  • Bug #1551: –enable-profiling-locks broken
  • Bug #1602: eve-log prefix field feature broken
  • Bug #1614: app_proto key missing from EVE file events
  • Bug #1615: disable modbus by default
  • Bug #1616: TCP reassembly bug
  • Bug #1617: DNS over TCP parsing issue
  • Bug #1618: SMTP parsing issue
  • Feature #1635: unified2 output: disable by default

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.0RC2.tar.gz

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.6 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.6. This release fixes a number of important issues in the 2.0 series. The most important part is the fixing of evasion issues, therefore upgrading is highly recommended!

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.6.tar.gz

Changes

  • Bug #1364: evasion issues
  • Bug #1337: output-json: duplicate logging
  • Bug #1325: tls detection leads to tcp stream reassembly sequence gaps (IPS)
  • Bug #1192: Suricata does not compile on OS X/Clang due to redefinition of string functions
  • Bug #1183: pcap: cppcheck warning

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Martin Küchler

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.5 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.5. This release fixes a number of important issues in the 2.0 series.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.5.tar.gz

Changes

  • Bug #1190: http_header keyword not matching when SYN|ACK and ACK missing
  • Bug #1246: EVE output Unix domain socket not working
  • Bug #1272: Segfault in libhtp 0.5.15
  • Bug #1298: Filestore keyword parsing issue
  • Bug #1303: improve stream ‘bad window update’ detection
  • Bug #1304: improve stream handling of bad SACK values
  • Bug #1305: fix tcp session reuse for ssh/ssl sessions
  • Bug #1307: byte_extract, within combination not working
  • Bug #1326: pcre pkt/flowvar capture broken for non-relative matches
  • Bug #1329: Invalid rule being processed and loaded
  • Bug #1330: Flow memuse bookkeeping error (2.0.x)

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Jason Ish — Endace/Emulex
  • Ken Steele — Tilera
  • lessyv
  • Tom DeCanio — FireEye
  • Andreas Herz
  • Matt Carothers
  • Duane Howard
  • Edward Fjellskål
  • Giuseppe Longo

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.1beta2 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.1beta2. This is the second beta release for the upcoming 2.1 version. It should be considered a development snapshot for the 2.1 branch.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.1beta2.tar.gz

New Features

  • Feature #549: Extract file attachments from emails
  • Feature #1312: Lua output support
  • Feature #899: MPLS over Ethernet support
  • Feature #383: Stream logging

Improvements

  • Feature #1263: Lua: Access to Stream Payloads
  • Feature #1264: Lua: access to TCP quad / Flow Tuple
  • Feature #707: ip reputation files – network range inclusion availability (cidr)

Bugs

  • Bug #1048: PF_RING/DNA config – suricata.yaml
  • Bug #1230: byte_extract, within combination not working
  • Bug #1257: Flow switch is missing from the eve-log section in suricata.yaml
  • Bug #1259: AF_PACKET IPS is broken in 2.1beta1
  • Bug #1260: flow logging at shutdown broken
  • Bug #1279: BUG: NULL pointer dereference when suricata was debug mode.
  • Bug #1280: BUG: IPv6 address vars issue
  • Bug #1285: Lua – http.request_line not working (2.1)
  • Bug #1287: Lua Output has dependency on eve-log:http
  • Bug #1288: Filestore keyword in wrong place will cause entire rule not to trigger
  • Bug #1294: Configure doesn’t use –with-libpcap-libraries when testing PF_RING library
  • Bug #1301: suricata yaml – PF_RING load balance per hash option
  • Bug #1308: http_header keyword not matching when SYN|ACK and ACK missing (master)
  • Bug #1311: EVE output Unix domain socket not working (2.1)

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Tom Decanio — FireEye
  • Ken Steele — Tilera
  • Giuseppe Longo — Emerging Threats & Ntop
  • David Abarbanel — BAE Systems
  • Jason Ish — Endace/Emulex
  • Mats Klepsland
  • Duarte Silva
  • Bill Meeks
  • Anoop Saldanha
  • lessyv

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.1beta1 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.1beta1. This is the first beta release for the upcoming 2.1 version. It should be considered a development snapshot for the 2.1 branch.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.1beta1.tar.gz

New Features

  • Feature #1248: flow/connection logging
  • Feature #1155 & #1208: Log packet payloads in eve alerts

Improvements

  • Optimization #1039: Packetpool should be a stack
  • Optimization #1241: pcap recording: record per thread
  • Feature #1258: json: include HTTP info with Alert output
  • AC matcher start up optimizations
  • BM matcher runtime optimizations by Ken Steele

Removals

  • ‘pcapinfo’ output was removed. Suriwire now works with the JSON ‘eve’ output

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Matt Carothers
  • Alexander Gozman
  • Giuseppe Longo
  • Duarte Silva
  • sxhlinux

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.