Suricata 6.0.0rc1 ready for testing
We’re excited to announce the first release candidate for Suricata 6.0.
Please help us test this so we can release the final as planned at the end of the month.
Get the release here:
https://www.openinfosecfoundation.org/downloads/suricata-6.0.0-rc1.tar.gz
Major changes since beta1
- Geneve packet decoder was contributed
- DNS parsing and logging of SOA records was contributed
- HTTP parsing can now continue after data gaps
- datasets have been improved and will no longer be considered experimental
- HTTP/2 improvements
For an overview of what beta1 brought, see:
https://suricata-ids.org/2020/08/07/suricata-6-0-0-beta-1-released/
How you can help
We’re looking for feedback on how this release works in your environment: how easy the upgrade is, what performance looks like, etc. Report issues in our tickets or on the forum.
Forum
Join our new Forum at https://forum.suricata.io/
About Suricata
Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.
Please help us test Suricata 5.0.0-rc1
We are looking for testers for a new development release in the Suricata 5 series: Suricata 5.0.0-rc1. Please help us test so we can release the final on October 15th.
Curious about what’s new? Here are the highlights:
RDP, SNMP, FTP and SIP
Three new protocol parsers and loggers, all community contributions. Zach Kelley created a Rust RDP parser, while Giuseppe Longo created SIP support. Rust master Pierre Chifflier contributed SNMP support. Since RDP and SIP were merged late in our development cycle, they are disabled by default in the configuration. For FTP we have added an EVE logging facility.
JA3S
After contributing JA3 support in Suricata 4.1, Mats Klepsland has been working on JA3S support. JA3S is now available to the rule language and in the TLS logging output.
eBPF/XDP
Eric Leblond has been working hard on getting hardware offload support working for eBPF. On Netronome cards the eBPF based flow bypass can now be offloaded to the NIC.
Datasets
Still experimental at this time, the initial work to support datasets is part of this release. It allows matching a buffer against large sets of values. It is controlled from the rule language and will work with any ‘sticky buffer’. https://suricata.readthedocs.io/en/suricata-5.0.0-rc1/rules/datasets.html
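As an added example (not code from the announcement or the Suricata project), the following Python prepares a dataset file for the http.host sticky buffer and emits the rule that consults it; the 5.0 dataset rule syntax, the base64-per-line string file format, the hex-per-line sha256 format and the to_sha256 transform are assumed from the dataset documentation linked above, and the hostnames are constructed.

```python
"""Build a Suricata 'string' dataset and a rule that checks http.host against it.

Added example; not code from the Suricata project or this announcement.
Assumptions: Suricata 5.0 'dataset:isset,<name>,type <type>,load <file>' syntax,
string datasets hold one base64-encoded value per line, sha256 datasets hold one
hex digest per line, and http.host yields the lower-cased Host header.
"""
import base64
import hashlib
from pathlib import Path

# Constructed sample: hostnames an analyst wants flagged when a client contacts them.
WATCHED_HOSTS = ["bad.example.net", "update.example.org", "cdn.example.test"]


def string_dataset_lines(values):
    """String datasets store base64(value), one per line: a raw hostname in the
    file would never match because Suricata decodes each line before loading."""
    return [base64.b64encode(v.encode()).decode() for v in values]


def sha256_dataset_lines(values):
    """sha256 datasets store hex(sha256(value)); the rule then applies the
    to_sha256 transform to the buffer so the comparison is digest-to-digest."""
    return [hashlib.sha256(v.encode()).hexdigest() for v in values]


def decode_string_dataset(lines):
    """What Suricata reconstructs at load time from a string dataset file."""
    return {base64.b64decode(line).decode() for line in lines if line.strip()}


def host_matches(dataset, host):
    """Mirror the isset check: http.host is normalized to lower case before lookup."""
    return host.lower() in dataset


def dataset_rule(sid, name, path, dtype="string"):
    """Rule text consulting the dataset via the http.host sticky buffer."""
    transform = " to_sha256;" if dtype == "sha256" else ""
    return (
        f'alert http any any -> any any (msg:"HTTP host found in dataset {name}";'
        f" http.host;{transform} dataset:isset,{name},type {dtype},load {path};"
        f" classtype:bad-unknown; sid:{sid}; rev:1;)"
    )


def write_dataset(path, lines):
    """Write one value per line, as Suricata expects for 'load'."""
    Path(path).write_text("\n".join(lines) + "\n")
    return path


if __name__ == "__main__":
    write_dataset("watched-hosts.lst", string_dataset_lines(WATCHED_HOSTS))
    write_dataset("watched-hosts-sha256.lst", sha256_dataset_lines(WATCHED_HOSTS))
    print(dataset_rule(9000001, "watched-hosts", "watched-hosts.lst"))
    print(dataset_rule(9000002, "watched-hosts-sha256", "watched-hosts-sha256.lst", "sha256"))
```

A relative `load` path is resolved by Suricata from its rule directory, so either ship the .lst file alongside the rules or use an absolute path.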
HTTP evader
We’ve been working hard to cover the final set of HTTP evader cases. This work has mostly gone into the bundled libhtp 0.5.31.
More 5.0 changes
Please see the beta1 announcement for many more changes in the upcoming 5.0 release: https://suricata-ids.org/2019/04/30/call-for-testing-announcing-suricata-5-0-0-beta1/
For a complete list of closed tickets in 5.0.0-rc1, please see https://redmine.openinfosecfoundation.org/versions/128
Release schedule
This release has been delayed quite a bit. We had originally hoped to have it ready for you in July. This means that to get the final out before Suricon next month we have quite an aggressive schedule. We want to release the final no later than October 15th. We can use all the help we can get with testing and polishing to meet that goal. Thanks in advance!
Download from:
https://www.openinfosecfoundation.org/downloads/suricata-5.0.0-rc1.tar.gz
Call for testing: Suricata 4.1rc2 released
Suricata 4.1rc2 is ready for testing. We’re hoping that this will be the final release candidate so that 4.1 can be released just before Suricon next month.
Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2, as well as improvements on the Linux capture side via AF_PACKET XDP support and on the Windows IPS side via WinDivert. The growth of Rust usage inside Suricata continues, as most of the new protocols have been implemented in Rust.
The most important change from RC1 to RC2 is that we have enabled Rust support by default. If Rust is installed, it will be used.
Protocol updates
- SMBv1/2/3 parsing, logging, file extraction
- TLS 1.3 parsing and logging (Mats Klepsland)
- JA3 TLS client fingerprinting (Mats Klepsland)
- TFTP: basic logging (Pascal Delalande and Clément Galland)
- FTP: file extraction
- Kerberos parser and logger (Pierre Chifflier)
- IKEv2 parser and logger (Pierre Chifflier)
- DHCP parser and logger
- Flow tracking for ICMPv4
- Initial NFS4 support
- HTTP: handle sessions that only have a response, or start with a response
- HTTP Flash file decompression support (Giuseppe Longo)
Output and logging
- File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
- Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
- Eve: new more compact DNS record format (Giuseppe Longo)
- Pcap directory mode: process all pcaps in a directory (Danny Browning)
- Compressed PCAP logging (Max Fillinger)
- Expanded XFF support (Maurizio Abba)
- Community Flow Id support (common ID between Suricata and Bro/Zeek)
Packet Capture
- AF_PACKET XDP and eBPF support for high speed packet capture
- Windows IPS: WinDivert support (Jacob Masen-Smith)
Misc
- Windows: MinGW is now supported
- Detect: transformation keyword support
- Bundled Suricata-Update
- Per device multi-tenancy
Major changes since 4.1rc1
- Rust support is enabled by default
- Community Flow Id support (common ID between Suricata and Bro/Zeek)
- Updates and fixes for dealing with SegmentSmack/FragmentSmack
- Update Suricata-Update to 1.0.0rc2
Get paid to work on Suricata!
Enjoying the testing? Or want to help out with other parts of the project?
We are looking for people, so reach out to us if you’re interested.
Special thanks
Mats Klepsland, Jason Taylor, Maurizio Abba, Konstantin Klinger, Giuseppe Longo, Danny Browning, Hilko Bengen, Jacob Masen-Smith, Pascal Delalande, Travis Green, Christian Kreibich
Trainings
Check out the latest training offerings at https://suricata-ids.org/training/
SuriCon
SuriCon 2018 in Vancouver is next month, and you can still join! https://suricon.net/agenda-vancouver/
About Suricata
Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Call for testing: Suricata 4.1rc1 released
It’s summer, so an excellent time for some testing! Suricata 4.1 release candidate 1 is here to be tried out. The release brings a lot of new features.
Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.0-rc1.tar.gz
Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2, as well as improvements on the Linux capture side via AF_PACKET XDP support and on the Windows IPS side via WinDivert. The progress in Rust usage inside Suricata continues, as most of the new protocols have been implemented in Rust.
We invite everyone to test this release and report your experiences to us.
Protocol updates
- SMBv1/2/3 parsing, logging, file extraction
- JA3 TLS client fingerprinting (Mats Klepsland)
- TFTP: basic logging (Pascal Delalande and Clément Galland)
- FTP: file extraction
- Kerberos parser and logger (Pierre Chifflier)
- IKEv2 parser and logger (Pierre Chifflier)
- DHCP parser and logger
- Flow tracking for ICMPv4
- Initial NFS4 support
- HTTP: handle sessions that only have a response, or start with a response
- HTTP Flash file decompression support (Giuseppe Longo)
Output and logging
- File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
- Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
- Eve: new more compact DNS record format (Giuseppe Longo)
- Pcap directory mode: process all pcaps in a directory (Danny Browning)
- Compressed PCAP logging (Max Fillinger)
- Expanded XFF support (Maurizio Abba)
Packet Capture
- AF_PACKET XDP and eBPF support for high speed packet capture
- Windows IPS: WinDivert support (Jacob Masen-Smith)
Misc
- Windows: MinGW is now supported
- Detect: transformation keyword support
- Bundled Suricata-Update
Major changes since 4.1beta1
- WinDivert support
- Kerberos parser and logger
- IKEv2 parser and logger
- DHCP parser and logger
- Flow tracking for ICMPv4
- Initial NFS4 support
- Compressed PCAP logging
- Expanded XFF support
- Decode GRE over IP (Paulo Pacheco)
- Multi-tenancy fixes
- SMB improvements for midstream pickup
- Update Suricata-Update to 1.0.0rc1
Security
CVE-2018-10242, CVE-2018-10244 (suricata)
CVE-2018-10243 (libhtp)
Get paid to work on Suricata!
Enjoying the testing? Or want to help out with other parts of the project?
We are looking for people, so reach out to us if you’re interested.
Special thanks
Henning Perl, Kirill Shipulin, Pierre Chifflier, Mats Klepsland, Max Fillinger, Alexander Gozman, Danny Browning, Giuseppe Longo, Maurizio Abba, Pascal Delalande, Chris Speidel, Elazar Broad, Jacob Masen-Smith, Renato Botelho, Paulo Pacheco, Jason Taylor
Trainings
Check out the latest training offerings at https://suricata-ids.org/training/
SuriCon
SuriCon 2018 Vancouver agenda is up! https://suricon.net/agenda-vancouver/
About Suricata
Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Suricata 4.0.0-rc2 ready for testing!
We are proud to announce that the second release candidate for the upcoming Suricata 4.0.0 is ready for your testing.
We’re aiming for a final 4.0.0 release about 2 weeks from now. Please help us test!
Changes
- Feature #744: Teredo configuration
- Feature #1748: lua: expose tx in alert lua scripts
- Bug #1855: alert number output
- Bug #1888: noalert in a pass rule disables the rule
- Bug #1957: PCRE lowercase enforcement in http_host buffer does not allow for upper case in hex-encoding
- Bug #1958: Possible confusion or bypass within the stream engine with retransmits.
- Bug #2110: isdataat: keyword memleak
- Bug #2162: rust/nfs: reachable asserting rust panic
- Bug #2175: rust/nfs: panic – 4.0.0-dev (rev 7c25a2d)
- Bug #2176: gcc 7.1.1 ‘format truncation’ compiler warnings
- Bug #2177: asn1/der: stack overflow
Download
https://www.openinfosecfoundation.org/download/suricata-4.0.0-rc2.tar.gz
Special thanks
AFL project, Abdullah Ada
Trainings
- Developer Training in Cork, Ireland. September 11 to 15: https://www.eventbrite.com/e/5-day-suricata-developer-training-ireland-tickets-33676049972 Hosted by FireEye.
- User Training at SuriCon 2017, in Prague: https://www.eventbrite.com/e/2-day-suricata-training-suricon-2017-tickets-32303327121
SuriCon 2017
Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be in November in Prague: https://suricon.net
About Suricata
Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Suricata 3.1RC1 is out!
We’re happy to announce Suricata 3.1RC1. The plan is to release the stable within a few weeks, so please help us test this release!
Lots of improvements on the performance side:
- Hyperscan integration for MPM and SPM. If installed, Hyperscan is now the default. See this guide.
- Rewrite of the detection engine, simplifying rule grouping. This reduces memory usage and startup time in many scenarios.
Packet capture got a lot of love:
- AF_PACKET support for tpacketv3
- NETMAP usability improvements, especially on FreeBSD
A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.
This release also bundles libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.
Other than that, lots of cleanups and optimizations:
- locking has been much simplified
- TCP and IPv6 decoder optimizations
- unittest cleanups
- AFL fuzzing options were added
Have a look at the full changelog: https://github.com/inliniac/suricata/blob/master/ChangeLog
Get the release here:
http://www.openinfosecfoundation.org/download/suricata-3.1RC1.tar.gz
Special thanks
Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan
Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich
Known issues & missing features
In a development release like this, things may not be as polished yet, so please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on. See issues for an up-to-date list and to report new issues. See Known_issues for a discussion and timeline for the major issues.
SuriCon 2.0
Join us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/
Training & Support
Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/
For support options also see https://suricata-ids.org/support/
About Suricata
Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Please help us test Suricata 3.0.1RC1
We’re hoping for your feedback on a new release: Suricata 3.0.1RC1. We’ve fixed many issues in 3.0, including important stability issues and memory leaks. A final is expected within a week or so.
Get the new release here: http://www.openinfosecfoundation.org/download/suricata-3.0.1RC1.tar.gz
New Features
- Feature #1535: Expose the certificate itself in TLS-lua
- Feature #1696: improve logged flow_id
- Feature #1700: enable “relro” and “now” in compile options for 3.0
- Feature #1734: gre: support transparent ethernet bridge decoding
- Feature #1740: Create counters for decode-events errors
- updated bundled libhtp to 0.5.19
Fixes
Many issues were fixed, including stability issues and many (potential) memory leaks.
Full list: https://redmine.openinfosecfoundation.org/versions/81
Special thanks
We’d like to thank the following people and corporations for their contributions and feedback:
FireEye, ANSSI, Emerging Threats / Proofpoint, Stamus Networks,
NorCert, Ntop, Lastline, AFL project, CoverityScan
Tom Decanio, Mats Klepsland, Alexander Gozman, Aleksey Katargin
Maurizio Abba, Alessandro Guido, David Diallo, Giuseppe Longo
Jon Zeolla, Andreas Moe, Nicolas Thill, Travis Green, bladeswords
Alfredo Cardigliano, Rob Mosher, Andre ten Bohmer
About Suricata
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://suricon.net
If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/
For support options also see https://suricata-ids.org/support/
Suricata 3.0RC3 Available!
We’re happy to announce Suricata 3.0RC3. RC3 fixes a few issues in RC2 that require some more testing. The plan is to release the stable quickly after the holidays, so please help us test this release!
Fixes:
- Bug #1632: Fail to download large file with browser
- Bug #1634: Fix non thread safeness of Prelude analyzer
- Bug #1640: drop log crashes
- Bug #1645: Race condition in unix manager
- Bug #1647: FlowGetKey flow-hash.c:240 segmentation fault (master)
- Bug #1650: DER parsing issue (master)
Get the release here:
http://www.openinfosecfoundation.org/download/suricata-3.0RC3.tar.gz
Known issues & missing features
In a development release like this, things may not be as polished yet, so please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on. See issues for an up-to-date list and to report new issues. See Known_issues for a discussion and timeline for the major issues.
About Suricata
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Suricata 3.0RC2 Available!
We’re happy to announce Suricata 3.0RC2. RC2 fixes a few issues in RC1 that require some more testing. The plan still is to release the stable within a few weeks, so please help us test this release!
Fixes:
- Bug #1551: --enable-profiling-locks broken
- Bug #1602: eve-log prefix field feature broken
- Bug #1614: app_proto key missing from EVE file events
- Bug #1615: disable modbus by default
- Bug #1616: TCP reassembly bug
- Bug #1617: DNS over TCP parsing issue
- Bug #1618: SMTP parsing issue
- Feature #1635: unified2 output: disable by default
Get the release here:
http://www.openinfosecfoundation.org/download/suricata-3.0RC2.tar.gz
Known issues & missing features
In a development release like this, things may not be as polished yet, so please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on. See issues for an up-to-date list and to report new issues. See Known_issues for a discussion and timeline for the major issues.
About Suricata
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Suricata 3.0RC1 Available!
We’re happy to announce Suricata 3.0RC1. This release replaces 2.1beta4 as the new development release. The plan is to release the stable within a few weeks, so please help us test this release!
Lots of improvements:
- Multi-tenancy for detection
- Big email logging update by Eric Leblond
- Work on Lua and JSON output for various protocols by Mats Klepsland
- Redis output support by Eric Leblond
- JSON output for stats, rules profiling
- Colorized output on the commandline
- Support for the base64_decode and base64_data keywords by Jason Ish
- TLS and DNS lua support
- file_data support for SMTP by Giuseppe Longo
- Support wild cards in rule loading by Alexander Gozman
Packet capture got a lot of love:
- PF_RING optimizations by Alfredo Cardigliano
- Netmap updates by Aleksey Katargin
- AF_PACKET updated by Eric Leblond
- DAG fixes by Stephen Donnelly
Other than that, lots of cleanups and optimizations:
- stateful detection overhaul
- stream engine updates
Get the release here:
http://www.openinfosecfoundation.org/download/suricata-3.0RC1.tar.gz
Special thanks
We’d like to thank the following people and corporations for their contributions and feedback:
- Alexander Gozman
- Mats Klepsland
- Giuseppe Longo
- Alfredo Cardigliano
- Aleksey Katargin
- Alessandro Guido
- Antti Tönkyrä
- Tom DeCanio
- Aaron Campbell
- DIALLO David
- David Cannings
- Helmut Schaa
- Jeff Barber
- Schnaffon
- Torgeir Natvig
- Zachary Rasmor
- Alexandre Macabies
- Stephen Donnelly
Known issues & missing features
In a development release like this, things may not be as polished yet, so please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on. See issues for an up-to-date list and to report new issues. See Known_issues for a discussion and timeline for the major issues.
About Suricata
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.