Tag Archive | ipv6

Suricata 3.1 released!

We’re proud to announce Suricata 3.1.suri-400x400

This release brings significant improvements on the performance side:

  • Hyperscan integration for Multi Pattern Matcher and Single Pattern Matcher. If installed, Hyperscan is now the default.
  • Rewrite of the detection engine, simplifying rule grouping. This improves performance, while reducing memory usage and start up time in many scenarios.

Packet capture got a lot of attention:

  • AF_PACKET support for tpacket-v3 (experimental)
  • NETMAP usability improvements, especially on FreeBSD

Config:

  • Reorganised default configuration layout provides for intuitive and easy set up.

This release also comes with libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.

A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.

Other than that, lots of clean ups and optimizations:

  • locking has been much simplified
  • TCP and IPv6 decoder optimizations
  • unittest clean ups
  • AFL fuzz testing options were added

Have a look at the full change log

Changes since 3.1RC1

  • AF_PACKETv2 is the default as v3 is still experimental
  • NFQ runmode workers was fixed

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz

Special thanks

Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan

Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1RC1 is out!

Photo by Eric Leblond

We’re happy to announce Suricata 3.1RC1. The plan is to release the stable within a few weeks, so please help us test this release!

Lots of improvements on the performance side:

  • Hyperscan integration for MPM and SPM. If installed, Hyperscan is now the default. See this guide.
  • Rewrite of the detection engine, simplifying rule grouping. This reduces memory usage and startup time in many scenarios.

Packet capture got a lot of love:

  • AF_PACKET support for tpacketv3
  • NETMAP usability improvements, especially on FreeBSD

A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.

This release also bundles libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.

Other than that, lots of cleanups and optimizations:

  • locking has been much simplified
  • TCP and IPv6 decoder optimizations
  • unittest cleanups
  • AFL fuzzing options were added

Have a look at the full changelog: https://github.com/inliniac/suricata/blob/master/ChangeLog

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1RC1.tar.gz

Special thanks

Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan

Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

Join us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.4 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.4. This release fixes a number of important issues in the 2.0 series.

This update fixes a bug in the SSH parser, where a malformed banner could lead to evasion of SSH rules and missing log entries. In some cases it may also lead to a crash. Bug discovered and reported by Steffen Bauch.

Additionally, this release also addresses a new IPv6 issue that can lead to evasion. Bug discovered by Rafael Schaefer working with ERNW GmbH.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.4.tar.gz

Changes

  • Bug #1276: ipv6 defrag issue with routing headers
  • Bug #1278: ssh banner parser issue
  • Bug #1254: sig parsing crash on malformed rev keyword
  • Bug #1267: issue with ipv6 logging
  • Bug #1273: Lua – http.request_line not working
  • Bug #1284: AF_PACKET IPS mode not logging drops and stream inline issue

Security

  • CVE-2014-6603

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.3 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0.3. This release fixes a number of issues in the 2.0 series. Most importantly, this release addresses a number of IPv6 issues that can lead to evasion. Bugs discovered by Rafael Schaefer working with ERNW GmbH.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.3.tar.gz

Changes

  • Bug #1236: fix potential crash in http parsing
  • Bug #1244: ipv6 defrag issue
  • Bug #1238: Possible evasion in stream-tcp-reassemble.c
  • Bug #1221: lowercase conversion table missing last value
  • Support #1207: Cannot compile on CentOS 5 x64 with –enable-profiling
  • Updated bundled libhtp to 0.5.15

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Rafael Schaefer working with ERNW GmbH
  • Antonios Atlasis working with ERNW GmbH
  • Alexander Gozman
  • sxhlinux
  • Ivan Ristic

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.2 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0.2. This release fixes a number of issues in the 2.0 series.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.2.tar.gz

Notable changes

  • IP defrag issue leading to evasion. Bug discovered by Antonios Atlasis working with ERNW GmbH
  • Support for NFLOG as a capture method. Nice work by Giuseppe Longo
  • DNS TXT parsing and logging. Funded by Emerging Threats
  • Log rotation through SIGHUP. Created by Jason Ish of Endace/Emulex

All closed tickets

  • Feature #781: IDS using NFLOG iptables target
  • Feature #1158: Parser DNS TXT data parsing and logging
  • Feature #1197: liblua support
  • Feature #1200: sighup for log rotation
  • Bug #1098: http_raw_uri with relative pcre parsing issue
  • Bug #1175: unix socket: valgrind warning
  • Bug #1189: abort() in 2.0dev (rev 6fbb955) with pf_ring 5.6.3
  • Bug #1195: nflog: cppcheck reports memleaks
  • Bug #1206: ZC pf_ring not working with Suricata 2.0.1 (or latest git)
  • Bug #1211: defrag issue
  • Bug #1212: core dump (after a while) when app-layer.protocols.http.enabled = yes
  • Bug #1214: Global Thresholds (sig_id 0, gid_id 0) not applied correctly if a signature has event vars
  • Bug #1217: Segfault in unix-manager.c line 529 when using –unix-socket and sending pcap files to be analized via socket

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Jason Ish — Endace/Emulex
  • Tom Decanio — nPulse
  • Antonios Atlasis working with ERNW GmbH
  • Alessandro Guido
  • Mats Klepsland
  • @rmkml
  • Luigi Sandon
  • Christie Bunlon
  • @42wim
  • Jeka Pats
  • Noam Meltzer
  • Ivan Ristic

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.1 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0.1. This release brings TLS Heartbleed detection and fixes a number of issues in the 2.0 release.  There were no changes since 2.0.1rc1.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.1.tar.gz

Notable changes

  • OpenSSL Heartbleed detection. Thanks to Pierre Chifflier and Will Metcalf
  • Fixed Unix Socket runmode
  • Fixed AF_PACKET IPS support

All closed tickets

  • Feature #1157: Always create pid file if –pidfile command line option is provided
  • Feature #1173: tls: OpenSSL heartbleed detection
  • Bug #978: clean up app layer parser thread local storage
  • Bug #1064: Lack of Thread Deinitialization For Decoder Modules
  • Bug #1101: Segmentation in AppLayerParserGetTxCnt
  • Bug #1136: negated app-layer-protocol FP on multi-TX flows
  • Bug #1141: dns response parsing issue
  • Bug #1142: dns tcp toclient protocol detection
  • Bug #1143: tls protocol detection in case of tls-alert
  • Bug #1144: icmpv6: unknown type events for MLD_* types
  • Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
  • Bug #1146: tls: event on ‘new session ticket’ in handshake
  • Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
  • Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
  • Bug #1161: eve: src and dst mixed up in some cases
  • Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
  • Bug #1163: HTP Segfault
  • Bug #1165: af_packet – one thread consistently not working
  • Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
  • Bug #1176: AF_PACKET IPS mode is broken in 2.0
  • Bug #1177: eve log do not show action ‘dropped’ just ‘allowed’
  • Bug #1180: Possible problem in stream tracking

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Jason Ish — Endace/Emulex
  • Tom Decanio — nPulse
  • Pierre Chifflier
  • Will Metcalf
  • Duarte Silva
  • Brad Roether
  • Christophe Vandeplas
  • Jason Jones
  • Jorgen Bohnsdalen
  • Fábio Depin
  • Gines Lopez
  • Ivan Ristic
  • Coverity

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.1rc1 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0.1rc1, the first (and hopefully only) release candidate for Suricata 2.0.1. This brings TLS Heartbleed detection and fixes a number of issues in the 2.0 release.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.1rc1.tar.gz

Notable changes

  • OpenSSL Heartbleed detection. Thanks to Pierre Chifflier and Will Metcalf
  • Fixed Unix Socket runmode
  • Fixed AF_PACKET IPS support

All closed tickets

  • Feature #1157: Always create pid file if –pidfile command line option is provided
  • Feature #1173: tls: OpenSSL heartbleed detection
  • Bug #978: clean up app layer parser thread local storage
  • Bug #1064: Lack of Thread Deinitialization For Decoder Modules
  • Bug #1101: Segmentation in AppLayerParserGetTxCnt
  • Bug #1136: negated app-layer-protocol FP on multi-TX flows
  • Bug #1141: dns response parsing issue
  • Bug #1142: dns tcp toclient protocol detection
  • Bug #1143: tls protocol detection in case of tls-alert
  • Bug #1144: icmpv6: unknown type events for MLD_* types
  • Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
  • Bug #1146: tls: event on ‘new session ticket’ in handshake
  • Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
  • Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
  • Bug #1161: eve: src and dst mixed up in some cases
  • Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
  • Bug #1163: HTP Segfault
  • Bug #1165: af_packet – one thread consistently not working
  • Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
  • Bug #1176: AF_PACKET IPS mode is broken in 2.0
  • Bug #1177: eve log do not show action ‘dropped’ just ‘allowed’
  • Bug #1180: Possible problem in stream tracking

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Jason Ish — Endace/Emulex
  • Tom Decanio — nPulse
  • Pierre Chifflier
  • Will Metcalf
  • Duarte Silva
  • Brad Roether
  • Christophe Vandeplas
  • Jason Jones
  • Jorgen Bohnsdalen
  • Fábio Depin
  • Gines Lopez
  • Ivan Ristic
  • Coverity

Known issues & missing features

This is a “release candidate”-quality release so the stability should be good although unexpected corner cases might happen. If you encounter one, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0. This release is a major improvement over the previous releases with regard to performance, scalability and accuracy. Also, a number of great features have been added.

The biggest new features of this release are the addition of “Eve”, our all JSON output for events: alerts, HTTP, DNS, SSH, TLS and (extracted) files; much improved VLAN handling; a detectionless ‘NSM’ runmode; much improved CUDA performance.

The Eve log allows for easy 3rd party integration. It has been created with Logstash in mind specifically and we have a quick setup guide here: Logstash_Kibana_and_Suricata_JSON_output

kibana300 kibana300map

Download

Get the new release here: https://www.openinfosecfoundation.org/download/suricata-2.0.tar.gz

Notable new features, improvements and changes

  • Eve log, all JSON event output for alerts, HTTP, DNS, SSH, TLS and files. Written by Tom Decanio of nPulse Technologies
  • NSM runmode, where detection engine is disabled. Development supported by nPulse Technologies
  • Various scalability improvements, clean ups and fixes by Ken Steel of Tilera
  • Add –set commandline option to override any YAML option, by Jason Ish of Emulex
  • Several fixes and improvements of AF_PACKET and PF_RING
  • ICMPv6 handling improvements by Jason Ish of Emulex
  • Alerting over PCIe bus (Tilera only), by Ken Steel of Tilera
  • Feature #792: DNS parser, logger and keyword support, funded by Emerging Threats
  • Feature #234: add option disable/enable individual app layer protocol inspection modules
  • Feature #417: ip fragmentation time out feature in yaml
  • Feature #1009: Yaml file inclusion support
  • Feature #478: XFF (X-Forwarded-For) support in Unified2
  • Feature #602: availability for http.log output – identical to apache log format
  • Feature #813: VLAN flow support
  • Feature #901: VLAN defrag support
  • Features #814, #953, #1102: QinQ VLAN handling
  • Feature #751: Add invalid packet counter
  • Feature #944: detect nic offloading
  • Feature #956: Implement IPv6 reject
  • Feature #775: libhtp 0.5.x support
  • Feature #470: Deflate support for HTTP response bodies
  • Feature #593: Lua flow vars and flow ints support
  • Feature #983: Provide rule support for specifying icmpv4 and icmpv6
  • Feature #1008: Optionally have http_uri buffer start with uri path for use in proxied environments
  • Feature #1032: profiling: per keyword stats
  • Feature #878: add storage api

Upgrading

The configuration file has evolved but backward compatibility is provided. We thus encourage you to update your suricata configuration file. Upgrade guidance is provided here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_14_to_Suricata_20

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Tom DeCanio, nPulse
  • Ken Steele, Tilera
  • Jason Ish, Endace / Emulex
  • Duarte Silva
  • Giuseppe Longo
  • Ignacio Sanchez
  • Florian Westphal
  • Nelson Escobar, Myricom
  • Christian Kreibich, Lastline
  • Phil Schroeder, Emerging Threats
  • Luca Deri & Alfredo Cardigliano, ntop
  • Will Metcalf, Emerging Threats
  • Ivan Ristic, Qualys
  • Chris Wakelin
  • Francis Trudeau, Emerging Threats
  • Rmkml
  • Laszlo Madarassy
  • Alessandro Guido
  • Amin Latifi
  • Darrell Enns
  • Paolo Dangeli
  • Victor Serbu
  • Jack Flemming
  • Mark Ashley
  • Marc-Andre Heroux
  • Alessandro Guido
  • Petr Chmelar
  • Coverity

Known issues & missing features

If you encounter issues, please let us know!  As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0rc1 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0rc1. This is the first release candidate for Suricata 2.0. This release improves performance, stability and accuracy, in addition to adding exciting new features.

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0rc1.tar.gz

Notable changes

  • unified JSON output for almost all log types (eve-log). Written by Tom Decanio of nPulse Technologies
  • QinQ VLAN handling
  • Alerting over PCIe bus (Tilera only), by Ken Steel of Tilera
  • Add –set commandline option to override any YAML option, by Jason Ish of Emulex
  • Various scalability improvements, clean ups and fixes by Ken Steel of Tilera
  • ICMPv6 handling improvements by Jason Ish of Emulex
  • memcaps for DNS and HTTP handling were added
  • Several fixes and improvements of AF_PACKET and PF_RING
  • NSM runmode, where detection engine is disabled. Development supported by nPulse Technologies

All closed tickets

  • Feature #424: App layer registration cleanup – Support specifying same alproto names in rules for different ip protocols
  • Feature #542: TLS JSON output
  • Feature #597: case insensitive fileext match
  • Feature #772: JSON output for alerts
  • Feature #814: QinQ tag flow support
  • Feature #894: clean up output
  • Feature #921: Override conf parameters
  • Feature #1007: united output
  • Feature #1040: Suricata should compile with -Werror
  • Feature #1067: memcap for http inside suricata
  • Feature #1086: dns memcap
  • Feature #1093: stream: configurable segment pools
  • Feature #1102: Add a decoder.QinQ stats in stats.log
  • Feature #1105: Detect icmpv6 on ipv4
  • Bug #839: http events alert multiple times
  • Bug #954: VLAN decoder stats with AF Packet get written to the first thread only – stats.log
  • Bug #980: memory leak in http buffers at shutdown
  • Bug #1066: logger API’s for packet based logging and tx based logging
  • Bug #1068: format string issues with size_t + qa not catching them
  • Bug #1072: Segmentation fault in 2.0beta2: Custom HTTP log segmentation fault
  • Bug #1073: radix tree lookups are not thread safe
  • Bug #1075: CUDA 5.5 doesn’t compile with 2.0 beta 2
  • Bug #1079: Err loading rules with variables that contain negated content.
  • Bug #1080: segfault – 2.0dev (rev 6e389a1)
  • Bug #1081: 100% CPU utilization with suricata 2.0 beta2+
  • Bug #1082: af-packet vlan handling is broken
  • Bug #1103: stats.log not incrementing decoder.ipv4/6 stats when reading in QinQ packets
  • Bug #1104: vlan tagged fragmentation
  • Bug #1106: Git compile fails on Ubuntu Lucid
  • Bug #1107: flow timeout causes decoders to run on pseudo packets

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Jason Ish — Endace/Emulex
  • Tom Decanio — nPulse
  • Duarte Silva
  • Alessandro Guido
  • Petr Chmelar

Known issues & missing features

This is a “release candidate”-quality release so the stability should be good although unexpected corner cases might happen. If you encounter one, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0beta2 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0beta2.  This big update is the second beta release for the upcoming 2.0 version.

Some notable improvements are:

– This release overhauls the protocol detection feature. It now considers both sides of connection, and will raise events on mismatches.
– DNS parser and logger was much improved.
– Tilera support was greatly improved.
– Lots of performance and code quality improvements.

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0beta2.tar.gz

New features

  • Feature #234: add option disable/enable individual app layer protocol inspection modules
  • Feature #417: ip fragmentation time out feature in yaml
  • Feature #478: XFF (X-Forwarded-For) support in Unified2
  • Feature #602: availability for http.log output – identical to apache log format
  • Feature #751: Add invalid packet counter
  • Feature #813: VLAN flow support
  • Feature #901: VLAN defrag support
  • Feature #878: add storage api
  • Feature #944: detect nic offloading
  • Feature #956: Implement IPv6 reject
  • Feature #983: Provide rule support for specifying icmpv4 and icmpv6
  • Feature #1008: Optionally have http_uri buffer start with uri path for use in proxied environments
  • Feature #1009: Yaml file inclusion support
  • Feature #1032: profiling: per keyword stats

Improvements and Fixes

  • Bug #463: Suricata not fire on http reply detect if request are not http
  • Feature #986: set htp request and response size limits
  • Bug #895: response: rst packet bug
  • Feature #940: randomize http body chunks sizes
  • Feature #904: store tx id when generating an alert
  • Feature #752: Improve checksum detection algorithm
  • Feature #746: Decoding API modification
  • Optimization #1018: clean up counters api
  • Bug #907: icmp_seq and icmp_id keywords broken with icmpv6 traffic
  • Bug #967: threshold rule clobbers suppress rules
  • Bug #968: unified2 not logging tagged packets
  • Bug #995: tag keyword: tagging sessions per time is broken

Many more issues were fixed, please see: https://redmine.openinfosecfoundation.org/versions/51

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Jason Ish — Endace/Emulex
  • Duarte Silva
  • Giuseppe Longo
  • Ignacio Sanchez
  • Nelson Escobar — Myricom
  • Chris Wakelin
  • Emerging Threats
  • Coverity
  • Alessandro Guido
  • Amin Latifi
  • Darrell Enns
  • Ignacio Sanchez
  • Mark Ashley
  • Paolo Dangeli
  • rmkml
  • Will Metcalf

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know!

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.