Tag Archive | performance

Suricata 3.1.1 released!

We’re proud to announce Suricata 3.1.1. This is a bug fix update for the 3.1 stable release.suri-400x400

Changes

  • Feature #1775: Lua: SMTP-support
  • Bug #1419: DNS transaction handling issues
  • Bug #1515: Problem with Threshold.config when using more than one IP
  • Bug #1664: Unreplied DNS queries not logged when flow is aged out
  • Bug #1808: Can’t set thread priority after dropping privileges
  • Bug #1821: Suricata 3.1 fails to start on CentOS6
  • Bug #1839: suricata 3.1 configure.ac says >=libhtp-0.5.5, but >=libhtp-0.5.20 required
  • Bug #1840: –list-keywords and –list-app-layer-protos not working
  • Bug #1841: libhtp 0.5.21
  • Bug #1844: netmap: IPS mode doesn’t set 2nd iface in promisc mode
  • Bug #1845: Crash on disabling a app-layer protocol when it’s logger is still enabled
  • Optimization #1846: af-packet: improve thread calculation logic
  • Optimization #1847: rules: don’t warn on empty files

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1.1.tar.gz

Special thanks

CoverityScan and the Casec Bachelors group: Lauritz Prag Sømme, Levi Tobiassen, Stian Hoel Bergseth, Vinjar Hillestad

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1 released!

We’re proud to announce Suricata 3.1.suri-400x400

This release brings significant improvements on the performance side:

  • Hyperscan integration for Multi Pattern Matcher and Single Pattern Matcher. If installed, Hyperscan is now the default.
  • Rewrite of the detection engine, simplifying rule grouping. This improves performance, while reducing memory usage and start up time in many scenarios.

Packet capture got a lot of attention:

  • AF_PACKET support for tpacket-v3 (experimental)
  • NETMAP usability improvements, especially on FreeBSD

Config:

  • Reorganised default configuration layout provides for intuitive and easy set up.

This release also comes with libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.

A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.

Other than that, lots of clean ups and optimizations:

  • locking has been much simplified
  • TCP and IPv6 decoder optimizations
  • unittest clean ups
  • AFL fuzz testing options were added

Have a look at the full change log

Changes since 3.1RC1

  • AF_PACKETv2 is the default as v3 is still experimental
  • NFQ runmode workers was fixed

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz

Special thanks

Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan

Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.0.1 released!

suri-400x400

We are pleased to announce Suricata 3.0.1. This release fixes many important issues in 3.0 and upgrading is highly recommended.

Highlights

– fixes for multiple stability issues
– many memory leak fixes
Hyperscan MPM support (experimental)

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-3.0.1.tar.gz

All Changes

For a complete list of closed tickets, please see:

3.0.1RC1 tickets
3.0.1 tickets

When upgrading from 3.0, please see these notes.

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

FireEye, Intel, ANSSI, Emerging Threats / Proofpoint, Stamus Networks,
NorCert, Ntop, Lastline, AFL project, CoverityScan

Justin Viiret, Tom Decanio, Mats Klepsland, Alexander Gozman,
Aleksey Katargin Maurizio Abba, Alessandro Guido, David Diallo,
Giuseppe Longo, Chris Wakelin, Jon Zeolla, Andreas Moe,
Nicolas Thill, Travis Green, bladeswords Alfredo Cardigliano,
Rob Mosher, Andrew Brown, Andre ten Bohmer

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://suricon.net

If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

Please help us test Suricata 3.0.1RC1

suri-400x400

We’re hoping for your feedback on a new release: Suricata 3.0.1RC1. We’ve fixed many issues in 3.0, including important stability issues and memory leaks. A final is expected within a week or so.

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-3.0.1RC1.tar.gz

New Features

– Feature #1535: Expose the certificate itself in TLS-lua
– Feature #1696: improve logged flow_id
– Feature #1700: enable “relro” and “now” in compile options for 3.0
– Feature #1734: gre: support transparent ethernet bridge decoding
– Feature #1740: Create counters for decode-events errors
– updated bundled libhtp to 0.5.19

Fixes

Many issues were fixed, including stability issues and many (potential) memory leaks.
Full list: https://redmine.openinfosecfoundation.org/versions/81

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:
FireEye, ANSSI, Emerging Threats / Proofpoint, Stamus Networks,
NorCert, Ntop, Lastline, AFL project, CoverityScan

Tom Decanio, Mats Klepsland, Alexander Gozman, Aleksey Katargin
Maurizio Abba, Alessandro Guido, David Diallo, Giuseppe Longo
Jon Zeolla, Andreas Moe, Nicolas Thill, Travis Green, bladeswords
Alfredo Cardigliano, Rob Mosher, Andre ten Bohmer

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://suricon.net

If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

Suricata 3.0 Available!

suri-400x400We’re proud to announce Suricata 3.0. This is a major new release improving Suricata on many fronts.

Download

http://www.openinfosecfoundation.org/download/suricata-3.0.tar.gz

Features and Improvements

  • improved detection options, including multi-tenancy and xbits
  • performance and scalability much improved
  • much improved accuracy and robustness
  • Lua scripting capabilities expanded significantly
  • many output improvements, including much more JSON
  • NETMAP capture method support, especially interesting to FreeBSD users
  • SMTP inspection and file extraction

For a full list of features added, please see:
https://redmine.openinfosecfoundation.org/versions/80

Upgrading

Upgrades from 2.0 to 3.0 should be mostly seamless. Here are some notes:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_20_to_Suricata_30

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

FireEye, ProtectWise, ANSSI, Emerging Threats /
Proofpoint, Stamus Networks, Ntop, AFL project, CoverityScan

Aaron Campbell, Aleksey Katargin, Alessandro Guido,
Alexander Gozman, Alexandre Macabies, Alfredo Cardigliano,
Andreas Moe, Anoop Saldanha, Antti Tönkyrä, Bill Meeks,
Darien Huss, David Abarbanel, David Cannings, David Diallo,
David Maciejak, Duarte Silva, Eduardo Arada, Giuseppe Longo,
Greg Siemon, Hayder Sinan, Helmut Schaa, Jason Ish,
Jeff Barber, Ken Steele, lessyv, Mark Webb-Johnson,
Mats Klepsland, Matt Carothers, Michael Rash, Nick Jones,
Pierre Chifflier, Ray Ruvinskiy, Samiux A, Schnaffon,
Stephen Donnelly, sxhlinux, Tom DeCanio, Torgeir Natvig,
Travis Green, Zachary Rasmor

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://oisfevents.net

If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

Suricata 3.0RC1 Available!

Photo by Eric Leblond

We’re happy to announce Suricata 3.0RC1. This release replaces 2.1beta4 as the new development release. The plan is to release the stable within a few weeks, so please help us test this release!

Lots of improvements:

  • Multi-tenancy for detection
  • Big email logging update by Eric Leblond
  • Work on Lua and JSON output for various protocols by Mats Klepsland
  • Redis output support by Eric Leblond
  • JSON output for stats, rules profiling
  • Colorized output on the commandline
  • Support for the base64_decode and base64_data keywords by Jason Ish
  • TLS and DNS lua support
  • file_data support for SMTP by Giuseppe Longo
  • Support wild cards in rule loading by Alexander Gozman

Packet capture got a lot of love:

  • PF_RING optimizations by Alfredo Cardigliano
  • Netmap updates by Aleksey Katargin
  • AF_PACKET updated by Eric Leblond
  • DAG fixes by Stephen Donnelly

Other than that, lots of cleanups and optimizations:

  • stateful detection overhaul
  • stream engine updates

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.0RC1.tar.gz

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Alexander Gozman
  • Mats Klepsland
  • Giuseppe Longo
  • Alfredo Cardigliano
  • Aleksey Katargin
  • Alessandro Guido
  • Antti Tönkyrä
  • Tom DeCanio
  • Aaron Campbell
  • DIALLO David
  • David Cannings
  • Helmut Schaa
  • Jeff Barber
  • Schnaffon
  • Torgeir Natvig
  • Zachary Rasmor
  • Alexandre Macabies
  • Stephen Donnelly

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.1beta4 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.1beta4. This is the fourth beta release for the upcoming 2.1 version. It should be considered a development snapshot for the 2.1 branch.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.1beta4.tar.gz

New Features

  • Feature #1448: xbits support
  • Feature #336: Add support for NETMAP to Suricata
  • Feature #885: smtp file_data support
  • Feature #1394: Improve TCP reuse support
  • Feature #1445: Suricata does not work on pfSense/FreeBSD interfaces using PPPoE
  • Feature #1447: Ability to reject ICMP traffic
  • Feature #1410: add alerts to EVE’s drop logs

Improvements

  • Optimization #1014: app layer reassembly fast-path
  • Optimization #1377: flow manager: reduce (try)locking
  • Optimization #1403: autofp packet pool performance problems
  • Optimization #1409: http pipeline support for stateful detection
  • Bug #1314: http-events performance issues

Bugs

  • Bug #1340: null ptr dereference in Suricata v2.1beta2
  • Bug #1352: file list is not cleaned up
  • Bug #1358: Gradual memory leak using reload (kill -USR2 $pid)
  • Bug #1366: Crash if default_packet_size is below 32 bytes
  • Bug #1378: stats api doesn’t call thread deinit funcs
  • Bug #1384: tcp midstream window issue (master)
  • Bug #1388: pcap-file hangs on systems w/o atomics support (master)
  • Bug #1392: http uri parsing issue (master)
  • Bug #1393: CentOS 5.11 build failures
  • Bug #1398: DCERPC traffic parsing issue (master)
  • Bug #1401: inverted matching on incomplete session
  • Bug #1402: When re-opening files on HUP (rotation) always use the append flag.
  • Bug #1417: no rules loaded – latest git – rev e250040
  • Bug #1425: dead lock in de_state vs flowints/flowvars
  • Bug #1426: Files prematurely truncated by detection engine even though force-md5 is enabled
  • Bug #1429: stream: last_ack update issue leading to stream gaps
  • Bug #1435: EVE-Log alert payload option loses data
  • Bug #1441: Local timestamps in json events
  • Bug #1446: Unit ID check in Modbus packet error
  • Bug #1449: smtp parsing issue
  • Bug #1451: Fix list-keywords regressions
  • Bug #1463: modbus parsing issue

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Kostya Kortchinsky of the Google Security Team
  • the Yahoo Pentest Team
  • Giuseppe Longo
  • Alexander Gozman
  • Ken Steele
  • Andreas Moe
  • David Diallo
  • David Cannings
  • David Maciejak
  • Pierre Chifflier
  • Tom DeCanio
  • Zachary Rasmor
  • Aleksey Katargin
  • FireEye
  • ANSSI
  • Emerging Threats
  • AFL project
  • Coverity Scan
  • Travis Green
  • Darien Huss
  • Greg Siemon
  • Alessandro Guido
  • Antti Tönkyrä
  • Ray Ruvinskiy
  • Eduardo Arada
  • Michael Rash

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. Paris in July, Barcelona in November: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.1beta3 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.1beta3. This is the third beta release for the upcoming 2.1 version. It should be considered a development snapshot for the 2.1 branch.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.1beta3.tar.gz

New Features

  • Feature #1309: Lua support for Stats output
  • Feature #1310: Modbus parsing and matching

Improvements

  • Optimization #1339: flow timeout optimization
  • Optimization #1371: mpm optimization
  • Feature #1317: Lua: Indicator for end of flow
  • Feature #1333: unix-socket: allow (easier) non-root usage
  • Feature #1261: Request for Additional Lua Capabilities

Bugs

  • Bug #977: WARNING on empty rules file is fatal (should not be)
  • Bug #1184: pfring: cppcheck warnings
  • Bug #1321: Flow memuse bookkeeping error
  • Bug #1327: pcre pkt/flowvar capture broken for non-relative matches (master)
  • Bug #1332: cppcheck: ioctl
  • Bug #1336: modbus: CID 1257762: Logically dead code (DEADCODE)
  • Bug #1351: output-json: duplicate logging (2.1.x)
  • Bug #1354: coredumps on quitting on OpenBSD
  • Bug #1355: Bus error when reading pcap-file on OpenBSD
  • Bug #1363: Suricata does not compile on OS X/Clang due to redefinition of string functions (2.1.x)
  • Bug #1365: evasion issues (2.1.x)

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera/EZchip
  • David Diallo
  • Duarte Silva
  • Giuseppe Longo
  • Jason Ish
  • Travis Green — Emerging Threats

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.4beta2 Available for testing!

Photo by Eric LeblondThe OISF development team is proud to announce Suricata 1.4beta2. This is the second beta release for the upcoming 1.4 version.

The main addition of this release is a usable lua scripting keyword for detection: luajit. This keyword allows you to run Lua scripts as part of the detection engine, allowing inspection beyond what the rule language offers. While not cheap, performance is not bad at all due to use of the luajit engine.

This release also brings major performance enhancements. We’re able to get virtually packet loss free with AF_PACKET on our ISP test box with 6gbps-9gpbs of sustained traffic on commodity hardware with 7k rules.

Get the new release here: suricata-1.4beta2.tar.gz

New features

  • New keyword: “luajit” to inspect packet, payload and all HTTP buffers with a Lua script (#346)
  • Added ability to control per server HTTP parser settings in much more detail (#503)

Improvements

  • Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540)
  • Big performance improvement in inspecting decoder, stream and app layer events (#555)
  • Pool performance improvements (#541)
  • Improved performance of signatures with simple pattern setups (#577)
  • Bundled docs are installed upon make install (#527)
  • Support for a number of global vs rule thresholds was added (#425)
  • Improved rule profiling performance
  • If not explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded.

Fixes

  • Fix compilation on architectures other than x86 and x86_64 (#572)
  • Fix FP with anchored pcre combined with relative matching (#529)
  • Fix engine hanging instead of exitting if the pcap device doesn’t exist (#533)
  • Work around for potential FP, will get properly fixed in next release (#574)
  • Improve ERF handling. Thanks to Jason Ish
  • Always set cluster_id in PF_RING
  • IPFW: fix broken broadcast handling
  • AF_PACKET kernel offset issue, IPS fix and cleanup
  • Fix stream engine sometimes resending the same data to app layer
  • Fix multiple issues in HTTP multipart parsing
  • Fixed a lockup at shutdown with NFQ (#537)

Credits

We’d like to thank the following people and corporations for their contributions and feedback:

  • Jason Ish – Endace
  • Chris Wakelin
  • Rmkml

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.