Tag Archive | ipv6

Suricata 1.4.7 released!

Photo by Eric LeblondThe OISF development team is pleased to announce Suricata 1.4.7. This is a small update over the 1.4.6 release.

Get the new release here: suricata-1.4.7.tar.gz

Fixes

  • Bug #996: tag keyword: tagging sessions per time is broken
  • Bug #1000: delayed detect inits thresholds before de_ctx
  • Bug #1001: ip_rep loading problem with multiple values for a single ip
  • Bug #1022: StreamTcpPseudoPacketSetupHeader : port swap logic isn’t consistent
  • Bug #1047: detect-engine.profile – custom value parsing broken
  • Bug #1063: rule ordering with multiple vars

Special thanks

  • Duane Howard
  • Mark Ashley
  • Amin Latifi

Known issues & missing features

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.4.6 released!

Photo by Eric LeblondThe OISF development team is pleased to announce Suricata 1.4.6. This is a small but important update over the 1.4.5 release, addressing some important issues.

Get the new release here: suricata-1.4.6.tar.gz

Fixes

  • Bug 958: malformed SSL records leading to crash. Reported by Sebastian Roschke. CVE-2013-5919.
  • Bug 971: AC pattern matcher out of bounds memory read.
  • Bug 965: improve negated content handling. Reported by Will Metcalf.
  • Bug 937: fix IPv6-in-IPv6 decoding.
  • Bug 934: improve address parsing.
  • Bug 969: fix unified2 not logging tagged packets.

Special thanks

  • Sebastian Roschke
  • Will Metcalf

Security

  • CVE-2013-5919

Known issues & missing features

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.4.5 released!

Photo by Eric LeblondThe OISF development team is pleased to announce Suricata 1.4.5. This is a small but important update over the 1.4.4 release, fixing some important bugs.

Get the new release here: suricata-1.4.5.tar.gz

Fixes

  • Bug #908: ipv6 extension header parsing issue causing Suricata to hang
  • Bug #906: icmp_seq and icmp_id keyword with icmpv6 traffic FP & FN

Special thanks

  • Prabhakaran Kasinathan

Known issues & missing features

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.4.1 released!

Photo by Eric LeblondThe OISF development team is proud to announce Suricata 1.4.1. This is a major update over the 1.4 release, adding some exiting features, many improvements and fixing some important bugs.

Get the new release here: suricata-1.4.1.tar.gz

The most interesting new feature is the GeoIP support. Great contribution by Ignacio Sanchez. It adds “geoip” rule keyword that allows you to match on source of destination of a packet per country.

New features

  • GeoIP keyword, allowing matching on Maxmind’s database, contributed by Ignacio Sanchez (#559)
  • Introduce http_host and http_raw_host keywords (#733, #743)
  • Add python module for interacting with unix socket (#767)
  • Add new unix socket commands: fetching config, counters, basic runtime info (#764, #765)

Improvements

  • Big Napatech support update by Matt Keeler
  • Configurable sensor id in unified2 output, contributed by Jake Gionet (#667)
  • FreeBSD IPFW fixes by Nikolay Denev
  • Add “default” interface setting to capture configuration in yaml (#679)
  • Make sure “snaplen” can be set by the user (#680)
  • Improve HTTP URI query string normalization (#739)
  • Improved error reporting in MD5 loading (#693)
  • Improve reference.config parser error reporting (#737)
  • Improve build info output to include all configure options (#738)

Fixes

  • Segfault in TLS parsing reported by Charles Smutz (#725)
  • Fix crash in teredo decoding, reported by Rmkml (#736)
  • fixed UDPv4 packets without checksum being detected as invalid (#760)
  • fixed DCE/SMB parsers getting confused in some fragmented cases (#764)
  • parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#697)
  • FN: IP-only rule ip_proto not matching for some protocols (#689)
  • Fix build failure with other libhtp installs (#688)
  • Fix malformed yaml loading leading to a crash (#694)
  • Various Mac OS X fixes (#700, #701, #703)
  • Fix for autotools on Mac OS X by Jason Ish (#704)
  • Fix AF_PACKET under high load not updating stats (#706)

Special thanks

  • Ignacio Sanchez
  • Matt Keeler — nPulse
  • Jake Gionet
  • Nikolay Denev
  • Jason Ish — Endace
  • Jamie Strandboge
  • Charles Smutz
  • Rmkml

Known issues & missing features

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.3.6 available!

The OISF development team is pleased to announce Suricata 1.3.6. This the last maintenance release of Suricata 1.3 with some important fixes.

Because of the fixes below, upgrading is highly recommended.

Download: http://www.openinfosecfoundation.org/download/suricata-1.3.6.tar.gz

Fixes

  • fix decoder event rules not checked in all cases (#671)
  • checksum detection for icmpv6 was fixed (#673)
  • crash in HTTP server body inspection code fixed (#675)
  • fixed a icmpv6 payload bug (#676)
  • IP-only rule ip_proto not matching for some protocols was addressed (#690)
  • fixed malformed yaml crashing suricata (#702)
  • parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#717)
  • crash in tls parser was fixed (#759)
  • fixed UDPv4 packets without checksum being detected as invalid (#762)
  • fixed DCE/SMB parsers getting confused in some fragmented cases (#763)

Special thanks

  • Jamie Strandboge

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See http://redmine.openinfosecfoundation.org/projects/suricata/issues for an up to date list and to report new issues. See http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.4 released!

Photo by Eric LeblondThe OISF development team is proud to announce Suricata 1.4. This release is a major improvement over the previous releases with regard to performance, scalability and accuracy. Also, a number of great features have been added.

Get the new release here: suricata-1.4.tar.gz

The biggest new features of this release are the Unix Socket support, IP Reputation support and the addition of the Luajit keyword. Each of these new features are still in active development, and should be approached with some care.

The 1.4 release improves performance and scalability a lot. The IP Defrag engine was rewritten to scale better, various packet acquisition methods were improved and various parts of the detection engine were optimized further.

The configuration file has evolved but backward compatibility is provided. We thus encourage you to update your suricata configuration file. Upgrade guidance is provided here: Upgrading_Suricata_13_to_Suricata_14

New features

  • Unix socket mode for batched processing of series of pcap (#571, #552) (experimental)
  • Interaction with Suricata via uix socket (#571, #552) (experimental)
  • IP Reputation: loading and matching (#647) (experimental)
  • New keyword: “luajit” to inspect packet, payload and all HTTP buffers with a Lua script (#346) (experimental)
  • Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
  • Support for pkt_data keyword was added (#423)
  • Improved –list-keywords commandline option gives detailed info for supported keyword, including doc link (#435)
  • User and group to run as can now be set in the config file
  • Add stream event to match on overlaps with different data in stream reassembly (#603)
  • Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
  • Rules can be set to inspect only IPv4 or IPv6 (#494)
  • Added ability to control per server HTTP parser settings in much more detail (#503)
  • Make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
  • Filesize keyword for matching on sizes of files in HTTP (#489)
  • Custom HTTP logging contributed by Ignacio Sanchez (#530)
  • TLS certificate logging and fingerprint computation and keyword by Jean-Paul Roliers (#443)
  • TLS certificate store to disk feature Jean-Paul Roliers (#444)
  • AF_PACKET IPS support (#516)
  • NFQ fail open support (#507)
  • PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
  • Support for Napatech cards through their 3rd generation driver was added by Matt Keeler from Npulse (#430, #619)
  • Endace support improved
  • New runmode for users of pcap wrappers (Myricom, PF_RING, others)

Improvements

  • Add contrib directory to the dist (#567)
  • Performance improvements to signatures with dsize option
  • Improved rule analyzer: print fast_pattern along with the rule (#558)
  • Fixes to stream engine reducing the number of events generated (#604)
  • Stream.inline option new defaults to “auto”, meaning enabled in IPS mode, disabled in IDS mode (#592)
  • HTTP handling in OOM condition was greatly improved (#557)
  • Filemagic keyword performance was improved (#585)
  • Updated bundled libhtp to 0.2.11
  • Build system improvements and cleanups
  • Live reloads now supports HTTP rule updates better (#522)
  • AF_PACKET performance improvements (#197, #415)
  • Make defrag more configurable (#517, #528)
  • Improve pool performance (#518)
  • Improve file inspection keywords by adding a separate API (#531)
  • Example threshold.config file provided (#302)

Changes since 1.4rc1

  • Decoder event matching fixed (#672)
  • Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#665)
  • Add more events to IPv6 extension header anomolies (#678)
  • Fix ICMPv6 payload and checksum calculation (#677, #674)
  • Clean up flow timeout handling (#656)
  • Fix a shutdown bug when using AF_PACKET under high load (#653)
  • Fix TCP sessions being cleaned up to early (#652)

Credits

  • Jason Ish — Endace
  • Ludovico Cavedon — Lastline
  • Last G
  • Matt Keeler — Npulse
  • Chris Wakelin
  • Will Metcalf
  • Ivan Ristic
  • Kyle Creyts
  • Michael Hoffrath
  • Rmkml
  • Jean-Paul Roliers
  • Ignacio Sanchez
  • Michel Saborde
  • Simon Moon
  • Coverity

Known issues & missing features

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.4beta1 released

The OISF development team is proud to announce Suricata 1.4beta1. This is the first beta release for the upcoming 1.4 version. It is the result of major effort by the OISF team with significant help from community contributors Ignacio Sanchez and Simon Moon.

Get the new release here: suricata-1.4beta1.tar.gz

New features

– Custom HTTP logging contributed by Ignacio Sanchez (#530)
– TLS certificate logging and fingerprint computation and keyword by Jean-Paul Roliers (#443)
– TLS certificate store to disk feature Jean-Paul Roliers (#444)
– Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
– AF_PACKET IPS support (#516)
– Rules can be set to inspect only IPv4 or IPv6 (#494)
– filesize keyword for matching on sizes of files in HTTP (#489)
– Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
– NFQ fail open support (#507)
– Highly experimental lua scripting support for detection

Improvements

– Live reloads now supports HTTP rule updates better (#522)
– AF_PACKET performance improvements (#197, #415)
– Make defrag more configurable (#517, #528)
– Improve pool performance (#518)
– Improve file inspection keywords by adding a separate API (#531)
– Example threshold.config file provided (#302)

Fixes

– Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
– Various spelling corrections by Simon Moon (#533)

Credits

We’d like to thank the following people and corporations for their contributions and feedback:

Jean-Paul Roliers
Ignacio Sanchez
Michel Saborde
Simon Moon
Coverity

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See Issues for an up to date list and to report new issues. See Known issues for a discussion and time line for the major issues.