Tag Archive | file extraction

Suricata 3.2.2 available!

suri-400x400

We are pleased to announce Suricata 3.2.2. This release fixes a fairly small number of issues.

It also improves the unix-socket runmode by allowing both ‘single’ and ‘autofp’ runmodes to be specified.

Changes

  • Feature #1675: Support additional runmodes for unix-socket
  • Bug #2043: 3.2.x backport: make install-full can have race conditions on OSX.
  • Bug #2047: af-packet: faulty VLAN handling in tpacket-v3 mode (3.2.x)
  • Bug #2048: bad checksum 0xffff (3.2.x)
  • Bug #2052: ippair: xbit unset memory leak (3.2.x)
  • Bug #2071: file store: file log / file store mismatch with multiple files (3.2.x)
  • Bug #2073: app-layer: fix memleak on bad traffic (3.2.x)
  • Bug #2079: http body handling: failed assertion (3.2.x)
  • Bug #2085: ippair: pair is direction sensitive (3.2.x)
  • Bug #2119: 3.2.x – defrag – overlap issue in linux policy
  • Bug #2122: unix socket: race condition on start up (3.2.x)

Download

https://www.openinfosecfoundation.org/download/suricata-3.2.2.tar.gz

Special thanks

Jérémy Beaume, Alexander Gozman, Zoltan Herczeg and Jon Zeolla

Trainings

SuriCon 2017

Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be in November in Prague: https://suricon.net

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.2beta1 ready for testing

We’re happy to announce Suricata 3.2beta1. The plan is to release a release candidate within a few weeks, so please help us test this release!

This release includes a large detection engine rewrite that should make it much easier to extend Suricata with new keywords.

We’ve also converted the user guide to sphinx. Lots of work still to be done, but for a preview check http://suricata.readthedocs.io/en/latest/

Get the release here:

https://www.openinfosecfoundation.org/download/suricata-3.2beta1.tar.gz

High level changes

  • Feature #509: add SHA1 and SHA256 checksum support for files
  • Feature #1231: ssl_state negation support
  • Feature #1345: disable NIC offloading by default
  • Feature #1373: Allow different reassembly depth for filestore rules
  • Feature #1495: EtherNet/IP and CIP support
  • Feature #1583: tls: validity fields (notBefore and notAfter)
  • Feature #1657: Per application layer stats
  • Feature #1896: Reimplement tls.subject and tls.isserdn
  • Feature #1903: tls: tls_cert_valid and tls_cert_expired keywords
  • Feature #1907: http_request_line and http_response_line

Special thanks

Stamus Networks, NorCert, Solana Networks, CoverityScan
Mats Klepsland, Giuseppe Longo, Duarte Silva, Tom Decanio, Kevin Wong

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. Agenda and speakers are now available, including keynote speakers Ron Gula and Liam Randall. Please see: http://suricon.net/

Training & Support

Need help installing, updating, validating, tuning and extending Suricata? We have a training session coming up at SuriCon: November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/ Conference attendees get a 20% discount!

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.10 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.10. This release fixes a number of important issues in the 2.0 series.

A number of other issues were fixed. Upgrading is highly recommended.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.10.tar.gz

Changes

  • Bug #1596: dns parser issue reported & fixed by Aaron Campbell
  • Bug #1554: stored: false in files log when files were actually stored
  • Feature #1581: support LINKTYPE_NULL

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Aaron Campbell
  • Giuseppe Longo
  • Greg Siemon

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. Paris in July, Barcelona in November: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.1beta2 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.1beta2. This is the second beta release for the upcoming 2.1 version. It should be considered a development snapshot for the 2.1 branch.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.1beta2.tar.gz

New Features

  • Feature #549: Extract file attachments from emails
  • Feature #1312: Lua output support
  • Feature #899: MPLS over Ethernet support
  • Feature #383: Stream logging

Improvements

  • Feature #1263: Lua: Access to Stream Payloads
  • Feature #1264: Lua: access to TCP quad / Flow Tuple
  • Feature #707: ip reputation files – network range inclusion availability (cidr)

Bugs

  • Bug #1048: PF_RING/DNA config – suricata.yaml
  • Bug #1230: byte_extract, within combination not working
  • Bug #1257: Flow switch is missing from the eve-log section in suricata.yaml
  • Bug #1259: AF_PACKET IPS is broken in 2.1beta1
  • Bug #1260: flow logging at shutdown broken
  • Bug #1279: BUG: NULL pointer dereference when suricata was debug mode.
  • Bug #1280: BUG: IPv6 address vars issue
  • Bug #1285: Lua – http.request_line not working (2.1)
  • Bug #1287: Lua Output has dependency on eve-log:http
  • Bug #1288: Filestore keyword in wrong place will cause entire rule not to trigger
  • Bug #1294: Configure doesn’t use –with-libpcap-libraries when testing PF_RING library
  • Bug #1301: suricata yaml – PF_RING load balance per hash option
  • Bug #1308: http_header keyword not matching when SYN|ACK and ACK missing (master)
  • Bug #1311: EVE output Unix domain socket not working (2.1)

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Tom Decanio — FireEye
  • Ken Steele — Tilera
  • Giuseppe Longo — Emerging Threats & Ntop
  • David Abarbanel — BAE Systems
  • Jason Ish — Endace/Emulex
  • Mats Klepsland
  • Duarte Silva
  • Bill Meeks
  • Anoop Saldanha
  • lessyv

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.4rc1 Available!

Photo by Eric LeblondThe OISF development team is proud to announce Suricata 1.4rc1, the first (and hopefully only) release candidate for the upcoming 1.4 version.

This release adds two major new features: a unix socket command mode, allowing for easy processing of large numbers of pcap files, and IP reputation. Both features are considered experimental.

Get the new release here: suricata-1.4rc1.tar.gz

New features

  • Interactive unix socket mode (#571, #552)
  • IP Reputation: loading and matching (#647)
  • Improved –list-keywords commandline option gives detailed info for supported keyword, including doc link (#435)

Improvements

  • Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494)
  • User-Agent added to file log and filestore meta files (#629)
  • Endace DAG supports live stats and at exit drop stats (#638)
  • Add support for libhtp event “request port doesn’t match tcp port” (#650)

Fixes

  • Rules with negated addresses will not be considered IP-only (#599)
  • Rule reloads complete much faster in low traffic conditions (#526)
  • Suricata -h now displays all available options (#419)
  • Luajit configure time detection was improved (#636)
  • Flow manager mutex used w/o initialization (#628)
  • Cygwin work around for windows shell mangling interface string (#372)
  • Fix a Prelude output crash with alerts generated by rules w/o classtype or msg (#648)
  • CLANG compiler build fixes (#649)
  • Several fixes found by code analyzers

Credits

We’d like to thank the following people and corporations for their contributions and feedback:

  • Jason Ish — Endace
  • Ludovico Cavedon — Lastline
  • Last G

Known issues & missing features

This is a “release candidate”-quality release so the stability should be good although unexpected corner cases might happen. If you encounter one, please let us know!

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.3.3 Available!

The OISF development team is pleased to announce Suricata 1.3.3. This is the third maintenance release of Suricata 1.3 with some important fixes.

Because of the fixes below, upgrading is highly recommended.

Download: suricata-1.3.3.tar.gz

Fixes

  • fix drop rules not working correctly when thresholded (#615)
  • fix a false possitive condition in http_header (#606)
  • fix extracted file corruption (#601)
  • fix a false possitive condition with the pcre keyword and relative matching (#588)
  • fix PF_RING set cluster problem on dma interfaces (#598)
  • improve http handling in low memory conditions (#586, #587)
  • fix FreeBSD inline mode crash (#612)
  • suppress pcre jit warning (#579)

Credits

  • Will Metcalf
  • Chris Wakelin
  • Kyle Creyts
  • Michael Hoffrath

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See http://redmine.openinfosecfoundation.org/projects/suricata/issues for an up to date list and to report new issues. See http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.