Tag Archive | pcap

Suricata 4.1 released!

After a longer than intended release development cycle, the OISF development team is proud to present Suricata 4.1.

Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2. All of them have been implemented in Rust to ensure their introduction will not be compromising to the security and the stability of the complete system.

Support for tracking and logging TLS 1.3 has been added, including JA3 support.

On performance side, one of the main improvements is the availability of capture bypass for AF_PACKET implemented on top of the new eXpress Data Path (XDP) capability of Linux kernel. Windows users will benefit from the 4.1 release with a new IPS mode based on WinDivert.

All new protocols require Rust so Suricata 4.1 is not really 4.1 if you don’t have Rust. This is why the build system is now enabling Rust by default if it is available on the build machine.

This is the first release where Suricata-Update 1.0, the new Suricata rule updater, is bundled.

Protocol updates

  • SMBv1/2/3 parsing, logging, file extraction
  • TLS 1.3 parsing and logging (Mats Klepsland)
  • JA3 TLS client fingerprinting (Mats Klepsland)
  • TFTP: basic logging (Pascal Delalande and Clément Galland)
  • FTP: file extraction
  • Kerberos parser and logger (Pierre Chifflier)
  • IKEv2 parser and logger (Pierre Chifflier)
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • HTTP: handle sessions that only have a response, or start with a response
  • HTTP Flash file decompression support (Giuseppe Longo)

Output and logging

  • File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
  • Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
  • Eve: new more compact DNS record format (Giuseppe Longo)
  • Pcap directory mode: process all pcaps in a directory (Danny Browning)
  • Compressed PCAP logging (Max Fillinger)
  • Expanded XFF support (Maurizio Abba)
  • Community Flow Id support (common ID between Suricata and Bro/Zeek)

Packet Capture

  • AF_PACKET XDP and eBPF support for high speed packet capture
  • Windows IPS: WinDivert support (Jacob Masen-Smith)
  • PF_RING: usability improvements

Misc

  • Windows: MinGW is now supported
  • Detect: transformation keyword support
  • Bundled Suricata-Update
  • Per device multi-tenancy

Minor Changes since 4.1rc2

  • Coverity fixes and annotations
  • Update Suricata-Update to 1.0.0

Security

  • SMTP crash issue was fixed: CVE-2018-18956
  • Robustness of defrag against FragmentSmack was improved
  • Robustness of TCP reassembly against SegmentSmack was improved

Download

https://www.openinfosecfoundation.org/download/suricata-4.1.0.tar.gz

Get paid to work on Suricata!

Enjoying the testing? Or want to help out with other parts of the project?
We are looking for people, so reach out to us if you’re interested.

Special thanks

Mats Klepsland, Pierre Chifflier, Giuseppe Longo, Ralph Broenink, Danny Browning, Maurizio Abba, Pascal Delalande, Wolfgang Hotwagner, Jason Taylor, Jesper Dangaard Brouer, Alexander Gozman, Konstantin Klinger, Max Fillinger, Antoine LUONG, David DIALLO, Jacob Masen-Smith, Martin Natano, Ruslan Usmanov, Alfredo Cardigliano, Antti Tönkyrä, Brandon Sterne, Chris Speidel, Clément Galland, Dana Helwig, Daniel Humphries, Elazar Broad, Gaurav Singh, Hilko Bengen, Nick Price, Philippe Antoine, Renato Botelho, Thomas Andrejak, Paulo Pacheco, Henning Perl, Kirill Shipulin, Christian Kreibich, Tilli Juha-Matti.

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

The 2019 calendar of trainings will be out soon – check back here or follow us on Twitter (@OISFoundation) for all training announcements.

Suricon 2018

Suricon 2018 Vancouver is next week and it’s still possible to join! https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Call for testing: Suricata 4.1rc1 released

It’s summer, so an excellent time for some testing! Suricata 4.1 release candidate 1 is here to be tried out. The release brings a lot of new features.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.0-rc1.tar.gz

Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2, as well as improvements on Linux capture side via AF_PACKET XDP support and on Windows IPS side via WinDivert. The progress in Rust usage inside Suricata continues as most of the new protocols have been implemented in Rust.

We invite everyone to test this release and report your experiences to us.

Protocol updates

  • SMBv1/2/3 parsing, logging, file extraction
  • JA3 TLS client fingerprinting (Mats Klepsland)
  • TFTP: basic logging (Pascal Delalande and Clément Galland)
  • FTP: file extraction
  • Kerberos parser and logger (Pierre Chifflier)
  • IKEv2 parser and logger (Pierre Chifflier)
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • HTTP: handle sessions that only have a response, or start with a response
  • HTTP Flash file decompression support (Giuseppe Longo)

Output and logging

  • File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
  • Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
  • Eve: new more compact DNS record format (Giuseppe Longo)
  • Pcap directory mode: process all pcaps in a directory (Danny Browning)
  • Compressed PCAP logging (Max Fillinger)
  • Expanded XFF support (Maurizio Abba)

Packet Capture

  • AF_PACKET XDP and eBPF support for high speed packet capture
  • Windows IPS: WinDivert support (Jacob Masen-Smith)

Misc

  • Windows: MinGW is now supported
  • Detect: transformation keyword support
  • Bundled Suricata-Update

Major changes since 4.1beta1

  • WinDivert support
  • Kerberos parser and logger
  • IKEv2 parser and logger
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • Compressed PCAP logging
  • Expanded XFF support
  • Decode GRE over IP (Paulo Pacheco)
  • Multi-tenancy fixes
  • SMB improvements for midstream pickup
  • Update Suricata-Update to 1.0.0rc1

Security

CVE-2018-10242, CVE-2018-10244 (suricata)
CVE-2018-10243 (libhtp)

Get paid to work on Suricata!

Enjoying the testing? Or want to help out with other parts of the project?
We are looking for people, so reach out to us if you’re interested.

Special thanks

Henning Perl, Kirill Shipulin, Pierre Chifflier, Mats Klepsland, Max Fillinger, Alexander Gozman, Danny Browning, Giuseppe Longo, Maurizio Abba, Pascal Delalande, Chris Speidel, Elazar Broad, Jacob Masen-Smith, Renato Botelho, Paulo Pacheco, Jason Taylor

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

SuriCon

SuriCon 2018 Vancouver agenda is up! https://suricon.net/agenda-vancouver/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 4.0.4 available!

suri-400x400

We are pleased to announce Suricata 4.0.4.  This is a security update fixing a number of security issues, as well as a fair number of regular issues.

Security

CVE-2018-6794 was requested for issue #2440

Changes

  • Bug #2306: suricata 4 deadlocks during failed output log reopening
  • Bug #2361: rule reload hangup
  • Bug #2389: BUG_ON asserts in AppLayerIncFlowCounter (4.0.x)
  • Bug #2392: libhtp 0.5.26 (4.0.x)
  • Bug #2422: [4.0.3] af_packet: a leak that (possibly) breaks an inline channel
  • Bug #2438: various config parsing issues
  • Bug #2439: Fix timestamp offline when pcap timestamp is zero (4.0.x)
  • Bug #2440: stream engine bypass issue (4.0.x)
  • Bug #2441: der parser: bad input consumes cpu and memory (4.0.x)
  • Bug #2443: DNP3 memcpy buffer overflow (4.0.x)
  • Bug #2444: rust/dns: Core Dump with malformed traffic (4.0.x)
  • Bug #2445: http bodies / file_data: thread space creation writing out of bounds

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.4.tar.gz

Special thanks

Wolfgang Hotwagner, Kirill Shipulin, Pierre Chifflier, Alexander Gozman, Martin Natano, Maurizio Abba, Nick Price, Philippe Antoine, AFL

SuriCon 2018

Call for presentations is open and tickets for SuriCon 2018 are available: https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.2.3 available!

suri-400x400

We are pleased to announce Suricata 3.2.3. This release fixes a fairly small number of issues. The most important one is an issue we found using AFL in the DER/ASN1 parser. This has the potential to crash your Suricata instance.

Changes

  • Bug #2089: engine file logging race condition (3.2.x)
  • Bug #2173: openbsd: pcap with raw datalink not supported (3.2.x)
  • Bug #2178: asn1/der: stack overflow (3.2.x)
  • Bug #2179: Possible confusion or bypass within the stream engine with retransmits. (3.2.x)
  • Bug #2183: gcc 7.1.1 ‘format truncation’ compiler warnings (3.2.x)

Download

https://www.openinfosecfoundation.org/download/suricata-3.2.3.tar.gz

Special thanks

AFL project

Trainings

SuriCon 2017

Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be in November in Prague: https://suricon.net

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.10 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.10. This release fixes a number of important issues in the 2.0 series.

A number of other issues were fixed. Upgrading is highly recommended.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.10.tar.gz

Changes

  • Bug #1596: dns parser issue reported & fixed by Aaron Campbell
  • Bug #1554: stored: false in files log when files were actually stored
  • Feature #1581: support LINKTYPE_NULL

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Aaron Campbell
  • Giuseppe Longo
  • Greg Siemon

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. Paris in July, Barcelona in November: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.8 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.8. This release fixes a number of important issues in the 2.0 series.

The most important issue is a bug in the DER parser which is used to decode SSL/TLS certificates could crash Suricata. This issue was reported by Kostya Kortchinsky of the Google Security Team and was fixed by Pierre Chifflier of ANSSI.

Those processing large numbers of (untrusted) pcap files need to update as a malformed pcap could crash Suricata. Again, credits go to Kostya Kortchinsky.

A number of other issues were fixed. Upgrading is highly recommended.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.8.tar.gz

We have a new release key (the previous expired): http://www.openinfosecfoundation.org/download/OISF.pub (00C1B70D)

Changes

  • Bug #1450: tls parsing issue
  • Bug #1460: pcap parsing issue
  • Bug #1461: potential deadlock
  • Bug #1404: Alert-Debuglog not being rotated on SIGHUP
  • Bug #1420: inverted matching on incomplete session
  • Bug #1462: various issues in rule and yaml parsing

Security

The TLS/DER parsing issue has CVE-2015-0971 assigned to it.

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Kostya Kortchinsky of the Google Security Team
  • Pierre Chifflier of ANSSI
  • Sundar Jeyaraman of FireEye
  • Darien Huss — Emerging Threats
  • Alexander Gozman
  • AFL project
  • Coverity Scan

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. Paris in July, Barcelona in November: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.1beta1 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.1beta1. This is the first beta release for the upcoming 2.1 version. It should be considered a development snapshot for the 2.1 branch.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.1beta1.tar.gz

New Features

  • Feature #1248: flow/connection logging
  • Feature #1155 & #1208: Log packet payloads in eve alerts

Improvements

  • Optimization #1039: Packetpool should be a stack
  • Optimization #1241: pcap recording: record per thread
  • Feature #1258: json: include HTTP info with Alert output
  • AC matcher start up optimizations
  • BM matcher runtime optimizations by Ken Steele

Removals

  • ‘pcapinfo’ output was removed. Suriwire now works with the JSON ‘eve’ output

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Matt Carothers
  • Alexander Gozman
  • Giuseppe Longo
  • Duarte Silva
  • sxhlinux

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.4beta3 Available for testing!

Photo by Eric LeblondThe OISF development team is proud to announce Suricata 1.4beta3. This is the third beta release for the upcoming 1.4 version.

This is release has significant improvements to the packet acquisition. The Napatech capture card support has been updated by our supporter Npulse. The Pcap, PF_RING and AF_PACKET capture methods now feature live drop stats.

Get the new release here: suricata-1.4beta3.tar.gz

New features

  • support for Napatech cards through their 3rd generation driver was added by Matt Keeler from Npulse (#430, #619)
  • support for pkt_data keyword was added
  • user and group to run as can now be set in the config file
  • make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
  • PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
  • add stream event to match on overlaps with different data in stream reassembly (#603)

Improvements

  • add contrib directory to the dist (#567)
  • performance improvements to signatures with dsize option
  • improved rule analyzer: print fast_pattern along with the rule (#558)
  • fixes to stream engine reducing the number of events generated (#604)
  • stream.inline option new defaults to “auto”, meaning enabled in IPS mode, disabled in IDS mode (#592)
  • HTTP handling in OOM condition was greatly improved (#557)
  • filemagic keyword performance was improved (#585)
  • updated bundled libhtp to 0.2.11
  • build system improvements and cleanups

Fixes

  • fixes and improvements to daemon mode (#624)
  • fix drop rules not working correctly when thresholded (#613)
  • fixed a possible FP when a regular and “chopped” fast_pattern were the same (#581)
  • fix a false possitive condition in http_header (#607)
  • fix inaccuracy in byte_jump keyword when using “from_beginning” option (#627)
  • fixes to rule profiling (#576)
  • cleanups and misc fixes (#379, #395)
  • fix to SSL record parsing

Credits

We’d like to thank the following people and corporations for their contributions and feedback:

  • Matt Keeler – Npulse
  • Chris Wakelin
  • Rmkml
  • Will Metcalf
  • Ivan Ristic
  • Kyle Creyts
  • Michael Hoffrath

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.4beta2 Available for testing!

Photo by Eric LeblondThe OISF development team is proud to announce Suricata 1.4beta2. This is the second beta release for the upcoming 1.4 version.

The main addition of this release is a usable lua scripting keyword for detection: luajit. This keyword allows you to run Lua scripts as part of the detection engine, allowing inspection beyond what the rule language offers. While not cheap, performance is not bad at all due to use of the luajit engine.

This release also brings major performance enhancements. We’re able to get virtually packet loss free with AF_PACKET on our ISP test box with 6gbps-9gpbs of sustained traffic on commodity hardware with 7k rules.

Get the new release here: suricata-1.4beta2.tar.gz

New features

  • New keyword: “luajit” to inspect packet, payload and all HTTP buffers with a Lua script (#346)
  • Added ability to control per server HTTP parser settings in much more detail (#503)

Improvements

  • Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540)
  • Big performance improvement in inspecting decoder, stream and app layer events (#555)
  • Pool performance improvements (#541)
  • Improved performance of signatures with simple pattern setups (#577)
  • Bundled docs are installed upon make install (#527)
  • Support for a number of global vs rule thresholds was added (#425)
  • Improved rule profiling performance
  • If not explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded.

Fixes

  • Fix compilation on architectures other than x86 and x86_64 (#572)
  • Fix FP with anchored pcre combined with relative matching (#529)
  • Fix engine hanging instead of exitting if the pcap device doesn’t exist (#533)
  • Work around for potential FP, will get properly fixed in next release (#574)
  • Improve ERF handling. Thanks to Jason Ish
  • Always set cluster_id in PF_RING
  • IPFW: fix broken broadcast handling
  • AF_PACKET kernel offset issue, IPS fix and cleanup
  • Fix stream engine sometimes resending the same data to app layer
  • Fix multiple issues in HTTP multipart parsing
  • Fixed a lockup at shutdown with NFQ (#537)

Credits

We’d like to thank the following people and corporations for their contributions and feedback:

  • Jason Ish – Endace
  • Chris Wakelin
  • Rmkml

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.