Tag Archive | ip reputation

Suricata 2.1beta2 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.1beta2. This is the second beta release for the upcoming 2.1 version. It should be considered a development snapshot for the 2.1 branch.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.1beta2.tar.gz

New Features

  • Feature #549: Extract file attachments from emails
  • Feature #1312: Lua output support
  • Feature #899: MPLS over Ethernet support
  • Feature #383: Stream logging

Improvements

  • Feature #1263: Lua: Access to Stream Payloads
  • Feature #1264: Lua: access to TCP quad / Flow Tuple
  • Feature #707: ip reputation files – network range inclusion availability (cidr)

Bugs

  • Bug #1048: PF_RING/DNA config – suricata.yaml
  • Bug #1230: byte_extract, within combination not working
  • Bug #1257: Flow switch is missing from the eve-log section in suricata.yaml
  • Bug #1259: AF_PACKET IPS is broken in 2.1beta1
  • Bug #1260: flow logging at shutdown broken
  • Bug #1279: BUG: NULL pointer dereference when suricata was debug mode.
  • Bug #1280: BUG: IPv6 address vars issue
  • Bug #1285: Lua – http.request_line not working (2.1)
  • Bug #1287: Lua Output has dependency on eve-log:http
  • Bug #1288: Filestore keyword in wrong place will cause entire rule not to trigger
  • Bug #1294: Configure doesn’t use –with-libpcap-libraries when testing PF_RING library
  • Bug #1301: suricata yaml – PF_RING load balance per hash option
  • Bug #1308: http_header keyword not matching when SYN|ACK and ACK missing (master)
  • Bug #1311: EVE output Unix domain socket not working (2.1)

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Tom Decanio — FireEye
  • Ken Steele — Tilera
  • Giuseppe Longo — Emerging Threats & Ntop
  • David Abarbanel — BAE Systems
  • Jason Ish — Endace/Emulex
  • Mats Klepsland
  • Duarte Silva
  • Bill Meeks
  • Anoop Saldanha
  • lessyv

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.4.7 released!

Photo by Eric LeblondThe OISF development team is pleased to announce Suricata 1.4.7. This is a small update over the 1.4.6 release.

Get the new release here: suricata-1.4.7.tar.gz

Fixes

  • Bug #996: tag keyword: tagging sessions per time is broken
  • Bug #1000: delayed detect inits thresholds before de_ctx
  • Bug #1001: ip_rep loading problem with multiple values for a single ip
  • Bug #1022: StreamTcpPseudoPacketSetupHeader : port swap logic isn’t consistent
  • Bug #1047: detect-engine.profile – custom value parsing broken
  • Bug #1063: rule ordering with multiple vars

Special thanks

  • Duane Howard
  • Mark Ashley
  • Amin Latifi

Known issues & missing features

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.4 released!

Photo by Eric LeblondThe OISF development team is proud to announce Suricata 1.4. This release is a major improvement over the previous releases with regard to performance, scalability and accuracy. Also, a number of great features have been added.

Get the new release here: suricata-1.4.tar.gz

The biggest new features of this release are the Unix Socket support, IP Reputation support and the addition of the Luajit keyword. Each of these new features are still in active development, and should be approached with some care.

The 1.4 release improves performance and scalability a lot. The IP Defrag engine was rewritten to scale better, various packet acquisition methods were improved and various parts of the detection engine were optimized further.

The configuration file has evolved but backward compatibility is provided. We thus encourage you to update your suricata configuration file. Upgrade guidance is provided here: Upgrading_Suricata_13_to_Suricata_14

New features

  • Unix socket mode for batched processing of series of pcap (#571, #552) (experimental)
  • Interaction with Suricata via uix socket (#571, #552) (experimental)
  • IP Reputation: loading and matching (#647) (experimental)
  • New keyword: “luajit” to inspect packet, payload and all HTTP buffers with a Lua script (#346) (experimental)
  • Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
  • Support for pkt_data keyword was added (#423)
  • Improved –list-keywords commandline option gives detailed info for supported keyword, including doc link (#435)
  • User and group to run as can now be set in the config file
  • Add stream event to match on overlaps with different data in stream reassembly (#603)
  • Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
  • Rules can be set to inspect only IPv4 or IPv6 (#494)
  • Added ability to control per server HTTP parser settings in much more detail (#503)
  • Make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
  • Filesize keyword for matching on sizes of files in HTTP (#489)
  • Custom HTTP logging contributed by Ignacio Sanchez (#530)
  • TLS certificate logging and fingerprint computation and keyword by Jean-Paul Roliers (#443)
  • TLS certificate store to disk feature Jean-Paul Roliers (#444)
  • AF_PACKET IPS support (#516)
  • NFQ fail open support (#507)
  • PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
  • Support for Napatech cards through their 3rd generation driver was added by Matt Keeler from Npulse (#430, #619)
  • Endace support improved
  • New runmode for users of pcap wrappers (Myricom, PF_RING, others)

Improvements

  • Add contrib directory to the dist (#567)
  • Performance improvements to signatures with dsize option
  • Improved rule analyzer: print fast_pattern along with the rule (#558)
  • Fixes to stream engine reducing the number of events generated (#604)
  • Stream.inline option new defaults to “auto”, meaning enabled in IPS mode, disabled in IDS mode (#592)
  • HTTP handling in OOM condition was greatly improved (#557)
  • Filemagic keyword performance was improved (#585)
  • Updated bundled libhtp to 0.2.11
  • Build system improvements and cleanups
  • Live reloads now supports HTTP rule updates better (#522)
  • AF_PACKET performance improvements (#197, #415)
  • Make defrag more configurable (#517, #528)
  • Improve pool performance (#518)
  • Improve file inspection keywords by adding a separate API (#531)
  • Example threshold.config file provided (#302)

Changes since 1.4rc1

  • Decoder event matching fixed (#672)
  • Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#665)
  • Add more events to IPv6 extension header anomolies (#678)
  • Fix ICMPv6 payload and checksum calculation (#677, #674)
  • Clean up flow timeout handling (#656)
  • Fix a shutdown bug when using AF_PACKET under high load (#653)
  • Fix TCP sessions being cleaned up to early (#652)

Credits

  • Jason Ish — Endace
  • Ludovico Cavedon — Lastline
  • Last G
  • Matt Keeler — Npulse
  • Chris Wakelin
  • Will Metcalf
  • Ivan Ristic
  • Kyle Creyts
  • Michael Hoffrath
  • Rmkml
  • Jean-Paul Roliers
  • Ignacio Sanchez
  • Michel Saborde
  • Simon Moon
  • Coverity

Known issues & missing features

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.4rc1 Available!

Photo by Eric LeblondThe OISF development team is proud to announce Suricata 1.4rc1, the first (and hopefully only) release candidate for the upcoming 1.4 version.

This release adds two major new features: a unix socket command mode, allowing for easy processing of large numbers of pcap files, and IP reputation. Both features are considered experimental.

Get the new release here: suricata-1.4rc1.tar.gz

New features

  • Interactive unix socket mode (#571, #552)
  • IP Reputation: loading and matching (#647)
  • Improved –list-keywords commandline option gives detailed info for supported keyword, including doc link (#435)

Improvements

  • Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494)
  • User-Agent added to file log and filestore meta files (#629)
  • Endace DAG supports live stats and at exit drop stats (#638)
  • Add support for libhtp event “request port doesn’t match tcp port” (#650)

Fixes

  • Rules with negated addresses will not be considered IP-only (#599)
  • Rule reloads complete much faster in low traffic conditions (#526)
  • Suricata -h now displays all available options (#419)
  • Luajit configure time detection was improved (#636)
  • Flow manager mutex used w/o initialization (#628)
  • Cygwin work around for windows shell mangling interface string (#372)
  • Fix a Prelude output crash with alerts generated by rules w/o classtype or msg (#648)
  • CLANG compiler build fixes (#649)
  • Several fixes found by code analyzers

Credits

We’d like to thank the following people and corporations for their contributions and feedback:

  • Jason Ish — Endace
  • Ludovico Cavedon — Lastline
  • Last G

Known issues & missing features

This is a “release candidate”-quality release so the stability should be good although unexpected corner cases might happen. If you encounter one, please let us know!

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.