
Suricata 3.1 released!

We’re proud to announce Suricata 3.1.

This release brings significant improvements on the performance side:

  • Hyperscan integration for Multi Pattern Matcher and Single Pattern Matcher. If installed, Hyperscan is now the default.
  • Rewrite of the detection engine, simplifying rule grouping. This improves performance, while reducing memory usage and start up time in many scenarios.

Packet capture got a lot of attention:

  • AF_PACKET support for tpacket-v3 (experimental)
  • NETMAP usability improvements, especially on FreeBSD

Config:

  • Reorganised default configuration layout provides for an intuitive and easy setup.

This release also comes with libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.

A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.

Other than that, lots of clean ups and optimizations:

  • locking has been much simplified
  • TCP and IPv6 decoder optimizations
  • unittest clean ups
  • AFL fuzz testing options were added

Have a look at the full change log

Changes since 3.1RC1

  • AF_PACKETv2 is the default as v3 is still experimental
  • NFQ runmode workers was fixed

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz

Special thanks

Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan

Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich

Known issues & missing features

In a development release like this, things may not be as polished yet, so please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on. See issues for an up-to-date list and to report new issues. See Known_issues for a discussion and timeline for the major issues.

SuriCon 2.0

Join us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1RC1 is out!

Photo by Eric Leblond

We’re happy to announce Suricata 3.1RC1. The plan is to release the stable within a few weeks, so please help us test this release!

Lots of improvements on the performance side:

  • Hyperscan integration for MPM and SPM. If installed, Hyperscan is now the default. See this guide.
  • Rewrite of the detection engine, simplifying rule grouping. This reduces memory usage and startup time in many scenarios.

Packet capture got a lot of love:

  • AF_PACKET support for tpacketv3
  • NETMAP usability improvements, especially on FreeBSD

A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.
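The ‘tls_sni’ keyword mentioned in both the 3.1 and 3.1RC1 announcements above is a sticky buffer: a following ‘content’ match is applied to the TLS Server Name Indication instead of the raw payload, and because MPM support is included, the pattern can be pre-filtered by the multi-pattern matcher (Hyperscan, when the build links it). The rules below are a constructed example added here, not rules shipped with the release; the host names, message texts and sids are placeholders.

```text
# Constructed example rules for the tls_sni sticky buffer (Suricata 3.1 syntax).
# Alert on a TLS ClientHello whose SNI equals a watched host name.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TLS SNI exact match"; tls_sni; content:"watched.example.com"; nocase; sid:1000001; rev:1;)

# Alert on any SNI under a watched domain; the leading dot avoids matching
# e.g. "notwatched.example.com" on a bare "example.com" substring.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TLS SNI subdomain match"; tls_sni; content:".watched.example.com"; nocase; sid:1000002; rev:1;)

# Alert on an SNI that is a bare IP address rather than a host name, which is
# unusual for browsers and worth reviewing; the regex runs on the SNI buffer.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TLS SNI is an IPv4 literal"; tls_sni; pcre:"/^\d{1,3}(\.\d{1,3}){3}$/"; sid:1000003; rev:1;)
```

Whether a build actually links Hyperscan can be checked in the output of `suricata --build-info`; the matcher in use is selected by the `mpm-algo` and `spm-algo` settings in suricata.yaml, which default to automatic selection in this release.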

This release also bundles libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.

Other than that, lots of cleanups and optimizations:

  • locking has been much simplified
  • TCP and IPv6 decoder optimizations
  • unittest cleanups
  • AFL fuzzing options were added

Have a look at the full changelog: https://github.com/inliniac/suricata/blob/master/ChangeLog

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1RC1.tar.gz

Special thanks

Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan

Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich

Known issues & missing features

In a development release like this, things may not be as polished yet, so please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on. See issues for an up-to-date list and to report new issues. See Known_issues for a discussion and timeline for the major issues.

SuriCon 2.0

Join us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.0.1 released!


We are pleased to announce Suricata 3.0.1. This release fixes many important issues in 3.0 and upgrading is highly recommended.

Highlights

– fixes for multiple stability issues
– many memory leak fixes
– Hyperscan MPM support (experimental)

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-3.0.1.tar.gz

All Changes

For a complete list of closed tickets, please see:

3.0.1RC1 tickets
3.0.1 tickets

When upgrading from 3.0, please see these notes.

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

FireEye, Intel, ANSSI, Emerging Threats / Proofpoint, Stamus Networks,
NorCert, Ntop, Lastline, AFL project, CoverityScan

Justin Viiret, Tom Decanio, Mats Klepsland, Alexander Gozman,
Aleksey Katargin, Maurizio Abba, Alessandro Guido, David Diallo,
Giuseppe Longo, Chris Wakelin, Jon Zeolla, Andreas Moe,
Nicolas Thill, Travis Green, bladeswords, Alfredo Cardigliano,
Rob Mosher, Andrew Brown, Andre ten Bohmer

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://suricon.net

If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/