Suricata 3.2.3 available!

We are pleased to announce Suricata 3.2.3. This release fixes a fairly small number of issues. The most important one is an issue we found using AFL in the DER/ASN1 parser. This has the potential to crash your Suricata instance.

Changes

  • Bug #2089: engine file logging race condition (3.2.x)
  • Bug #2173: openbsd: pcap with raw datalink not supported (3.2.x)
  • Bug #2178: asn1/der: stack overflow (3.2.x)
  • Bug #2179: Possible confusion or bypass within the stream engine with retransmits. (3.2.x)
  • Bug #2183: gcc 7.1.1 ‘format truncation’ compiler warnings (3.2.x)

Download

https://www.openinfosecfoundation.org/download/suricata-3.2.3.tar.gz

Special thanks

AFL project

Trainings

SuriCon 2017

Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be in November in Prague: https://suricon.net

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.10 Available!

The OISF development team is pleased to announce Suricata 2.0.10. This release fixes a number of important issues in the 2.0 series.

A number of other issues were fixed. Upgrading is highly recommended.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.10.tar.gz

Changes

  • Bug #1596: dns parser issue reported & fixed by Aaron Campbell
  • Bug #1554: stored: false in files log when files were actually stored
  • Feature #1581: support LINKTYPE_NULL

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Aaron Campbell
  • Giuseppe Longo
  • Greg Siemon

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on. See issues for an up-to-date list and to report new issues. See Known_issues for a discussion and timeline for the major issues.

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. Paris in July, Barcelona in November: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

Suricata 2.0.8 Available!

The OISF development team is pleased to announce Suricata 2.0.8. This release fixes a number of important issues in the 2.0 series.

The most important issue is a bug in the DER parser, which is used to decode SSL/TLS certificates, that could crash Suricata. This issue was reported by Kostya Kortchinsky of the Google Security Team and was fixed by Pierre Chifflier of ANSSI.

Those processing large numbers of (untrusted) pcap files need to update as a malformed pcap could crash Suricata. Again, credits go to Kostya Kortchinsky.

A number of other issues were fixed. Upgrading is highly recommended.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.8.tar.gz

We have a new release key (the previous expired): http://www.openinfosecfoundation.org/download/OISF.pub (00C1B70D)

Changes

  • Bug #1450: tls parsing issue
  • Bug #1460: pcap parsing issue
  • Bug #1461: potential deadlock
  • Bug #1404: Alert-Debuglog not being rotated on SIGHUP
  • Bug #1420: inverted matching on incomplete session
  • Bug #1462: various issues in rule and yaml parsing

Security

The TLS/DER parsing issue has CVE-2015-0971 assigned to it.

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Kostya Kortchinsky of the Google Security Team
  • Pierre Chifflier of ANSSI
  • Sundar Jeyaraman of FireEye
  • Darien Huss — Emerging Threats
  • Alexander Gozman
  • AFL project
  • Coverity Scan

Suricata 2.1beta1 Available!

The OISF development team is proud to announce Suricata 2.1beta1. This is the first beta release for the upcoming 2.1 version. It should be considered a development snapshot for the 2.1 branch.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.1beta1.tar.gz

New Features

  • Feature #1248: flow/connection logging
  • Feature #1155 & #1208: Log packet payloads in eve alerts

Improvements

  • Optimization #1039: Packetpool should be a stack
  • Optimization #1241: pcap recording: record per thread
  • Feature #1258: json: include HTTP info with Alert output
  • AC matcher start up optimizations
  • BM matcher runtime optimizations by Ken Steele

Removals

  • ‘pcapinfo’ output was removed. Suriwire now works with the JSON ‘eve’ output

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Matt Carothers
  • Alexander Gozman
  • Giuseppe Longo
  • Duarte Silva
  • sxhlinux

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on. See issues for an up-to-date list and to report new issues. See Known_issues for a discussion and timeline for the major issues.

Suricata 1.4beta3 Available for testing!

The OISF development team is proud to announce Suricata 1.4beta3. This is the third beta release for the upcoming 1.4 version.

This release has significant improvements to the packet acquisition. The Napatech capture card support has been updated by our supporter Npulse. The Pcap, PF_RING and AF_PACKET capture methods now feature live drop stats.

Get the new release here: suricata-1.4beta3.tar.gz

New features

  • support for Napatech cards through their 3rd generation driver was added by Matt Keeler from Npulse (#430, #619)
  • support for pkt_data keyword was added
  • user and group to run as can now be set in the config file
  • make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
  • PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
  • add stream event to match on overlaps with different data in stream reassembly (#603)

Improvements

  • add contrib directory to the dist (#567)
  • performance improvements to signatures with dsize option
  • improved rule analyzer: print fast_pattern along with the rule (#558)
  • fixes to stream engine reducing the number of events generated (#604)
  • stream.inline option now defaults to “auto”, meaning enabled in IPS mode, disabled in IDS mode (#592)
  • HTTP handling in OOM condition was greatly improved (#557)
  • filemagic keyword performance was improved (#585)
  • updated bundled libhtp to 0.2.11
  • build system improvements and cleanups

Fixes

  • fixes and improvements to daemon mode (#624)
  • fix drop rules not working correctly when thresholded (#613)
  • fixed a possible FP when a regular and “chopped” fast_pattern were the same (#581)
  • fix a false positive condition in http_header (#607)
  • fix inaccuracy in byte_jump keyword when using “from_beginning” option (#627)
  • fixes to rule profiling (#576)
  • cleanups and misc fixes (#379, #395)
  • fix to SSL record parsing

Credits

We’d like to thank the following people and corporations for their contributions and feedback:

  • Matt Keeler – Npulse
  • Chris Wakelin
  • Rmkml
  • Will Metcalf
  • Ivan Ristic
  • Kyle Creyts
  • Michael Hoffrath

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up-to-date list and to report new issues. See Known_issues for a discussion and timeline for the major issues.

Suricata 1.4beta2 Available for testing!

The OISF development team is proud to announce Suricata 1.4beta2. This is the second beta release for the upcoming 1.4 version.

The main addition of this release is a usable Lua scripting keyword for detection: luajit. This keyword allows you to run Lua scripts as part of the detection engine, allowing inspection beyond what the rule language offers. While not cheap, performance is not bad at all due to use of the luajit engine.

This release also brings major performance enhancements. We’re able to get virtually packet loss free with AF_PACKET on our ISP test box with 6gbps-9gbps of sustained traffic on commodity hardware with 7k rules.

Get the new release here: suricata-1.4beta2.tar.gz

New features

  • New keyword: “luajit” to inspect packet, payload and all HTTP buffers with a Lua script (#346)
  • Added ability to control per server HTTP parser settings in much more detail (#503)

Improvements

  • Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540)
  • Big performance improvement in inspecting decoder, stream and app layer events (#555)
  • Pool performance improvements (#541)
  • Improved performance of signatures with simple pattern setups (#577)
  • Bundled docs are installed upon make install (#527)
  • Support for a number of global vs rule thresholds was added (#425)
  • Improved rule profiling performance
  • If no explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded.

Fixes

  • Fix compilation on architectures other than x86 and x86_64 (#572)
  • Fix FP with anchored pcre combined with relative matching (#529)
  • Fix engine hanging instead of exiting if the pcap device doesn’t exist (#533)
  • Work around for potential FP, will get properly fixed in next release (#574)
  • Improve ERF handling. Thanks to Jason Ish
  • Always set cluster_id in PF_RING
  • IPFW: fix broken broadcast handling
  • AF_PACKET kernel offset issue, IPS fix and cleanup
  • Fix stream engine sometimes resending the same data to app layer
  • Fix multiple issues in HTTP multipart parsing
  • Fixed a lockup at shutdown with NFQ (#537)

Credits

We’d like to thank the following people and corporations for their contributions and feedback:

  • Jason Ish – Endace
  • Chris Wakelin
  • Rmkml

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up-to-date list and to report new issues. See Known_issues for a discussion and timeline for the major issues.
