Call for testing: Suricata 4.1rc2 released
Suricata 4.1rc2 is ready for testing. We’re hoping that this will be the final release candidate so that 4.1 can be released just before Suricon next month.
Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos,FTP, DHCP, IKEv2, as well as improvements on Linux capture side via AF_PACKET XDP support and on Windows IPS side via WinDivert. The growth of Rust usage inside Suricata continues as most of the new protocols have been implemented in Rust.
Most important change for going from RC1 to RC2 is that we have enabled Rust support by default. If Rust is installed, it will be used.
Protocol updates
- SMBv1/2/3 parsing, logging, file extraction
- TLS 1.3 parsing and logging (Mats Klepsland)
- JA3 TLS client fingerprinting (Mats Klepsland)
- TFTP: basic logging (Pascal Delalande and Clément Galland)
- FTP: file extraction
- Kerberos parser and logger (Pierre Chifflier)
- IKEv2 parser and logger (Pierre Chifflier)
- DHCP parser and logger
- Flow tracking for ICMPv4
- Initial NFS4 support
- HTTP: handle sessions that only have a response, or start with a response
- HTTP Flash file decompression support (Giuseppe Longo)
Output and logging
- File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
- Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
- Eve: new more compact DNS record format (Giuseppe Longo)
- Pcap directory mode: process all pcaps in a directory (Danny Browning)
- Compressed PCAP logging (Max Fillinger)
- Expanded XFF support (Maurizio Abba)
- Community Flow Id support (common ID between Suricata and Bro/Zeek)
Packet Capture
- AF_PACKET XDP and eBPF support for high speed packet capture
- Windows IPS: WinDivert support (Jacob Masen-Smith)
Misc
- Windows: MinGW is now supported
- Detect: transformation keyword support
- Bundled Suricata-Update
- Per device multi-tenancy
Major changes since 4.1rc1
- Rust support is enabled by default
- Community Flow Id support (common ID between Suricata and Bro/Zeek)
- Updates and fixes for dealing with SegmentSmack/FragmentSmack
- Update Suricata-Update to 1.0.0rc2
Get paid to work on Suricata!
Enjoying the testing? Or want to help out with other parts of the project?
We are looking for people, so reach out to us if you’re interested.
Special thanks
Mats Klepsland, Jason Taylor, Maurizio Abba, Konstantin Klinger, Giuseppe Longo, Danny Browning, Hilko Bengen, Jacob Masen-Smith, Pascal Delalande, Travis Green, Christian Kreibich
Trainings
Check out the latest training offerings at https://suricata-ids.org/training/
SuriCon
SuriCon 2018 Vancouver next month, you can still join! https://suricon.net/agenda-vancouver/
About Suricata
Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Call for testing: Suricata 4.1rc1 released
It’s summer, so an excellent time for some testing! Suricata 4.1 release candidate 1 is here to be tried out. The release brings a lot of new features.
Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.0-rc1.tar.gz
Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2, as well as improvements on Linux capture side via AF_PACKET XDP support and on Windows IPS side via WinDivert. The progress in Rust usage inside Suricata continues as most of the new protocols have been implemented in Rust.
We invite everyone to test this release and report your experiences to us.
Protocol updates
- SMBv1/2/3 parsing, logging, file extraction
- JA3 TLS client fingerprinting (Mats Klepsland)
- TFTP: basic logging (Pascal Delalande and Clément Galland)
- FTP: file extraction
- Kerberos parser and logger (Pierre Chifflier)
- IKEv2 parser and logger (Pierre Chifflier)
- DHCP parser and logger
- Flow tracking for ICMPv4
- Initial NFS4 support
- HTTP: handle sessions that only have a response, or start with a response
- HTTP Flash file decompression support (Giuseppe Longo)
Output and logging
- File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
- Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
- Eve: new more compact DNS record format (Giuseppe Longo)
- Pcap directory mode: process all pcaps in a directory (Danny Browning)
- Compressed PCAP logging (Max Fillinger)
- Expanded XFF support (Maurizio Abba)
Packet Capture
- AF_PACKET XDP and eBPF support for high speed packet capture
- Windows IPS: WinDivert support (Jacob Masen-Smith)
Misc
- Windows: MinGW is now supported
- Detect: transformation keyword support
- Bundled Suricata-Update
Major changes since 4.1beta1
- WinDivert support
- Kerberos parser and logger
- IKEv2 parser and logger
- DHCP parser and logger
- Flow tracking for ICMPv4
- Initial NFS4 support
- Compressed PCAP logging
- Expanded XFF support
- Decode GRE over IP (Paulo Pacheco)
- Multi-tenancy fixes
- SMB improvements for midstream pickup
- Update Suricata-Update to 1.0.0rc1
Security
CVE-2018-10242, CVE-2018-10244 (suricata)
CVE-2018-10243 (libhtp)
Get paid to work on Suricata!
Enjoying the testing? Or want to help out with other parts of the project?
We are looking for people, so reach out to us if you’re interested.
Special thanks
Henning Perl, Kirill Shipulin, Pierre Chifflier, Mats Klepsland, Max Fillinger, Alexander Gozman, Danny Browning, Giuseppe Longo, Maurizio Abba, Pascal Delalande, Chris Speidel, Elazar Broad, Jacob Masen-Smith, Renato Botelho, Paulo Pacheco, Jason Taylor
Trainings
Check out the latest training offerings at https://suricata-ids.org/training/
SuriCon
SuriCon 2018 Vancouver agenda is up! https://suricon.net/agenda-vancouver/
About Suricata
Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Suricata 4.0.0-rc2 ready for testing!
We are proud to announce that the second release candidate for the upcoming Suricata 4.0.0 is ready for your testing.
We’re aiming for a final 4.0.0 release about 2 weeks from now. Please help us test!
Changes
- Feature #744: Teredo configuration
- Feature #1748: lua: expose tx in alert lua scripts
- Bug #1855: alert number output
- Bug #1888: noalert in a pass rule disables the rule
- Bug #1957: PCRE lowercase enforcement in http_host buffer does not allow for upper case in hex-encoding
- Bug #1958: Possible confusion or bypass within the stream engine with retransmits.
- Bug #2110: isdataat: keyword memleak
- Bug #2162: rust/nfs: reachable asserting rust panic
- Bug #2175: rust/nfs: panic – 4.0.0-dev (rev 7c25a2d)
- Bug #2176: gcc 7.1.1 ‘format truncation’ compiler warnings
- Bug #2177: asn1/der: stack overflow
Download
https://www.openinfosecfoundation.org/download/suricata-4.0.0-rc2.tar.gz
Special thanks
AFL project, Abdullah Ada
Trainings
- Developer Training in Cork, Ireland. September 11 to 15: https://www.eventbrite.com/e/5-day-suricata-developer-training-ireland-tickets-33676049972 Hosted by FireEye.
- User Training at SuriCon 2017, in Prague: https://www.eventbrite.com/e/2-day-suricata-training-suricon-2017-tickets-32303327121
SuriCon 2017
Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be in November in Prague: https://suricon.net
About Suricata
Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Suricata 3.1RC1 is out!
We’re happy to announce Suricata 3.1RC1. The plan is to release the stable within a few weeks, so please help us test this release!
Lots of improvements on the performance side:
- Hyperscan integration for MPM and SPM. If installed, Hyperscan is now the default. See this guide.
- Rewrite of the detection engine, simplifying rule grouping. This reduces memory usage and startup time in many scenarios.
Packet capture got a lot of love:
- AF_PACKET support for tpacketv3
- NETMAP usability improvements, especially on FreeBSD
A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.
This release also bundles libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.
Other than that, lots of cleanups and optimizations:
- locking has been much simplified
- TCP and IPv6 decoder optimizations
- unittest cleanups
- AFL fuzzing options were added
Have a look at the full changelog: https://github.com/inliniac/suricata/blob/master/ChangeLog
Get the release here:
http://www.openinfosecfoundation.org/download/suricata-3.1RC1.tar.gz
Special thanks
Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan
Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich
Known issues & missing features
In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on. See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.
SuriCon 2.0
Join us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/
Training & Support
Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/
For support options also see https://suricata-ids.org/support/
About Suricata
Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Please help us test Suricata 3.0.1RC1
We’re hoping for your feedback on a new release: Suricata 3.0.1RC1. We’ve fixed many issues in 3.0, including important stability issues and memory leaks. A final is expected within a week or so.
Get the new release here: http://www.openinfosecfoundation.org/download/suricata-3.0.1RC1.tar.gz
New Features
– Feature #1535: Expose the certificate itself in TLS-lua
– Feature #1696: improve logged flow_id
– Feature #1700: enable “relro” and “now” in compile options for 3.0
– Feature #1734: gre: support transparent ethernet bridge decoding
– Feature #1740: Create counters for decode-events errors
– updated bundled libhtp to 0.5.19
Fixes
Many issues were fixed, including stability issues and many (potential) memory leaks.
Full list: https://redmine.openinfosecfoundation.org/versions/81
Special thanks
We’d like to thank the following people and corporations for their contributions and feedback:
FireEye, ANSSI, Emerging Threats / Proofpoint, Stamus Networks,
NorCert, Ntop, Lastline, AFL project, CoverityScan
Tom Decanio, Mats Klepsland, Alexander Gozman, Aleksey Katargin
Maurizio Abba, Alessandro Guido, David Diallo, Giuseppe Longo
Jon Zeolla, Andreas Moe, Nicolas Thill, Travis Green, bladeswords
Alfredo Cardigliano, Rob Mosher, Andre ten Bohmer
About Suricata
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://suricon.net
If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/
For support options also see https://suricata-ids.org/support/
Suricata 3.0RC3 Available!
We’re happy to announce Suricata 3.0RC3. RC3 fixes a few issues in RC2 that require some more testing. The plan is to release the stable quickly after the holidays, so please help us test this release!
Fixes:
- Bug #1632: Fail to download large file with browser
- Bug #1634: Fix non thread safeness of Prelude analyzer
- Bug #1640: drop log crashes
- Bug #1645: Race condition in unix manager
- Bug #1647: FlowGetKey flow-hash.c:240 segmentation fault (master)
- Bug #1650: DER parsing issue (master)
Get the release here:
http://www.openinfosecfoundation.org/download/suricata-3.0RC3.tar.gz
Known issues & missing features
In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on. See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.
About Suricata
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Suricata 3.0RC2 Available!
We’re happy to announce Suricata 3.0RC2. RC2 fixes a few issues in RC1 that require some more testing. The plan still is to release the stable within a few weeks, so please help us test this release!
Fixes:
- Bug #1551: –enable-profiling-locks broken
- Bug #1602: eve-log prefix field feature broken
- Bug #1614: app_proto key missing from EVE file events
- Bug #1615: disable modbus by default
- Bug #1616: TCP reassembly bug
- Bug #1617: DNS over TCP parsing issue
- Bug #1618: SMTP parsing issue
- Feature #1635: unified2 output: disable by default
Get the release here:
http://www.openinfosecfoundation.org/download/suricata-3.0RC2.tar.gz
Known issues & missing features
In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on. See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.
About Suricata
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Suricata 3.0RC1 Available!
We’re happy to announce Suricata 3.0RC1. This release replaces 2.1beta4 as the new development release. The plan is to release the stable within a few weeks, so please help us test this release!
Lots of improvements:
- Multi-tenancy for detection
- Big email logging update by Eric Leblond
- Work on Lua and JSON output for various protocols by Mats Klepsland
- Redis output support by Eric Leblond
- JSON output for stats, rules profiling
- Colorized output on the commandline
- Support for the base64_decode and base64_data keywords by Jason Ish
- TLS and DNS lua support
- file_data support for SMTP by Giuseppe Longo
- Support wild cards in rule loading by Alexander Gozman
Packet capture got a lot of love:
- PF_RING optimizations by Alfredo Cardigliano
- Netmap updates by Aleksey Katargin
- AF_PACKET updated by Eric Leblond
- DAG fixes by Stephen Donnelly
Other than that, lots of cleanups and optimizations:
- stateful detection overhaul
- stream engine updates
Get the release here:
http://www.openinfosecfoundation.org/download/suricata-3.0RC1.tar.gz
Special thanks
We’d like to thank the following people and corporations for their contributions and feedback:
- Alexander Gozman
- Mats Klepsland
- Giuseppe Longo
- Alfredo Cardigliano
- Aleksey Katargin
- Alessandro Guido
- Antti Tönkyrä
- Tom DeCanio
- Aaron Campbell
- DIALLO David
- David Cannings
- Helmut Schaa
- Jeff Barber
- Schnaffon
- Torgeir Natvig
- Zachary Rasmor
- Alexandre Macabies
- Stephen Donnelly
Known issues & missing features
In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on. See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.
About Suricata
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Suricata 2.0.1rc1 Available!
The OISF development team is proud to announce Suricata 2.0.1rc1, the first (and hopefully only) release candidate for Suricata 2.0.1. This brings TLS Heartbleed detection and fixes a number of issues in the 2.0 release.
Download
Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.1rc1.tar.gz
Notable changes
- OpenSSL Heartbleed detection. Thanks to Pierre Chifflier and Will Metcalf
- Fixed Unix Socket runmode
- Fixed AF_PACKET IPS support
All closed tickets
- Feature #1157: Always create pid file if –pidfile command line option is provided
- Feature #1173: tls: OpenSSL heartbleed detection
- Bug #978: clean up app layer parser thread local storage
- Bug #1064: Lack of Thread Deinitialization For Decoder Modules
- Bug #1101: Segmentation in AppLayerParserGetTxCnt
- Bug #1136: negated app-layer-protocol FP on multi-TX flows
- Bug #1141: dns response parsing issue
- Bug #1142: dns tcp toclient protocol detection
- Bug #1143: tls protocol detection in case of tls-alert
- Bug #1144: icmpv6: unknown type events for MLD_* types
- Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
- Bug #1146: tls: event on ‘new session ticket’ in handshake
- Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
- Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
- Bug #1161: eve: src and dst mixed up in some cases
- Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
- Bug #1163: HTP Segfault
- Bug #1165: af_packet – one thread consistently not working
- Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
- Bug #1176: AF_PACKET IPS mode is broken in 2.0
- Bug #1177: eve log do not show action ‘dropped’ just ‘allowed’
- Bug #1180: Possible problem in stream tracking
Special thanks
We’d like to thank the following people and corporations for their contributions and feedback:
- Ken Steele — Tilera
- Jason Ish — Endace/Emulex
- Tom Decanio — nPulse
- Pierre Chifflier
- Will Metcalf
- Duarte Silva
- Brad Roether
- Christophe Vandeplas
- Jason Jones
- Jorgen Bohnsdalen
- Fábio Depin
- Gines Lopez
- Ivan Ristic
- Coverity
Known issues & missing features
This is a “release candidate”-quality release so the stability should be good although unexpected corner cases might happen. If you encounter one, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.
See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.
About Suricata
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Suricata 2.0rc3 Windows Installer Available
The Windows MSI installer of the Suricata 2.0rc3 release is now available.
Download it here: Suricata-2.0rc3-1-32bit.msi
After downloading, double click the file to launch the installer. The installer is now signed.
If you have a previous version installed, please remove that first.
EVENTS
- Suricata Advanced Deployment and Architecture Training - Paris, France
- Practical Signature Development for Suricata - Washington, DC
- Threat Hunting with Suricata (Network Security Monitoring) - Gothenborg, Sweden
- Hunting with Suricata (Network Security Monitoring) - Toronto, Canada
- Practical Signature Development for Suricata - Denver, CO
