Tag Archive | release candidate

Please help us test Suricata 5.0.0-rc1

We are looking for testers for a new development release in the Suricata 5 series: Suricata 5.0.0-rc1. Please help us test so we can release the final on October 15th.

Curious about whats new? Here are the highlights:

RDP, SNMP, FTP and SIP

Three new protocol parsers and loggers, both community contributions. Zach Kelley created a Rust RDP parser, while Giuseppe Longo created SIP support. Rust master Pierre Chifflier contributed SNMP support. Since RDP and SIP were merged late in our development cycle they are disabled by default in the configuration. For FTP we have added a EVE logging facility.

JA3S

After contributing JA3 support in Suricata 4.1, Mats Klepsland has been working on JA3S support. JA3S is now available to the rule language and in the TLS logging output.

eBPF/XDP

Eric Leblond has been working hard to getting hardware offload support working for eBPF. On Netronome cards the eBPF based flow bypass can now be offloaded to the NIC.

Datasets

Still experimental at this time, the initial work to support datasets is part of this release. It allows matching on large amounts of data. It is controlled from the rule language and will work with any ‘sticky buffer’. https://suricata.readthedocs.io/en/suricata-5.0.0-rc1/rules/datasets.html

HTTP evader

We’ve been working hard to cover the final set of HTTP evader cases. This work has mostly gone into the bundled libhtp 0.5.31.

More 5.0 changes

Please see the beta1 announcement for many more changes in the upcoming 5.0 release: https://suricata-ids.org/2019/04/30/call-for-testing-announcing-suricata-5-0-0-beta1/

For a complete list of closed tickets in 5.0.0-rc1, please see https://redmine.openinfosecfoundation.org/versions/128

Release schedule

This release has been delayed quite a bit. We had originally hoped to have it ready for you in July. This means that to get the final out before Suricon next month we have quite an aggressive schedule. We want to release the final no later than October 15th. We can use all the help we can get with testing and polishing to meet that goal. Thanks in advance!

Download from:

https://www.openinfosecfoundation.org/downloads/suricata-5.0.0-rc1.tar.gz

Call for testing: Suricata 4.1rc2 released

Suricata 4.1rc2 is ready for testing. We’re hoping that this will be the final release candidate so that 4.1 can be released just before Suricon next month.

Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos,FTP, DHCP, IKEv2, as well as improvements on Linux capture side via AF_PACKET XDP support and on Windows IPS side via WinDivert. The growth of Rust usage inside Suricata continues as most of the new protocols have been implemented in Rust.

Most important change for going from RC1 to RC2 is that we have enabled Rust support by default. If Rust is installed, it will be used.

Protocol updates

  • SMBv1/2/3 parsing, logging, file extraction
  • TLS 1.3 parsing and logging (Mats Klepsland)
  • JA3 TLS client fingerprinting (Mats Klepsland)
  • TFTP: basic logging (Pascal Delalande and Clément Galland)
  • FTP: file extraction
  • Kerberos parser and logger (Pierre Chifflier)
  • IKEv2 parser and logger (Pierre Chifflier)
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • HTTP: handle sessions that only have a response, or start with a response
  • HTTP Flash file decompression support (Giuseppe Longo)

Output and logging

  • File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
  • Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
  • Eve: new more compact DNS record format (Giuseppe Longo)
  • Pcap directory mode: process all pcaps in a directory (Danny Browning)
  • Compressed PCAP logging (Max Fillinger)
  • Expanded XFF support (Maurizio Abba)
  • Community Flow Id support (common ID between Suricata and Bro/Zeek)

Packet Capture

  • AF_PACKET XDP and eBPF support for high speed packet capture
  • Windows IPS: WinDivert support (Jacob Masen-Smith)

Misc

  • Windows: MinGW is now supported
  • Detect: transformation keyword support
  • Bundled Suricata-Update
  • Per device multi-tenancy

Major changes since 4.1rc1

  • Rust support is enabled by default
  • Community Flow Id support (common ID between Suricata and Bro/Zeek)
  • Updates and fixes for dealing with SegmentSmack/FragmentSmack
  • Update Suricata-Update to 1.0.0rc2

Get paid to work on Suricata!

Enjoying the testing? Or want to help out with other parts of the project?
We are looking for people, so reach out to us if you’re interested.

Special thanks

Mats Klepsland, Jason Taylor, Maurizio Abba, Konstantin Klinger, Giuseppe Longo, Danny Browning, Hilko Bengen, Jacob Masen-Smith, Pascal Delalande, Travis Green, Christian Kreibich

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

SuriCon

SuriCon 2018 Vancouver next month, you can still join! https://suricon.net/agenda-vancouver/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Call for testing: Suricata 4.1rc1 released

It’s summer, so an excellent time for some testing! Suricata 4.1 release candidate 1 is here to be tried out. The release brings a lot of new features.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.0-rc1.tar.gz

Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2, as well as improvements on Linux capture side via AF_PACKET XDP support and on Windows IPS side via WinDivert. The progress in Rust usage inside Suricata continues as most of the new protocols have been implemented in Rust.

We invite everyone to test this release and report your experiences to us.

Protocol updates

  • SMBv1/2/3 parsing, logging, file extraction
  • JA3 TLS client fingerprinting (Mats Klepsland)
  • TFTP: basic logging (Pascal Delalande and Clément Galland)
  • FTP: file extraction
  • Kerberos parser and logger (Pierre Chifflier)
  • IKEv2 parser and logger (Pierre Chifflier)
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • HTTP: handle sessions that only have a response, or start with a response
  • HTTP Flash file decompression support (Giuseppe Longo)

Output and logging

  • File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
  • Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
  • Eve: new more compact DNS record format (Giuseppe Longo)
  • Pcap directory mode: process all pcaps in a directory (Danny Browning)
  • Compressed PCAP logging (Max Fillinger)
  • Expanded XFF support (Maurizio Abba)

Packet Capture

  • AF_PACKET XDP and eBPF support for high speed packet capture
  • Windows IPS: WinDivert support (Jacob Masen-Smith)

Misc

  • Windows: MinGW is now supported
  • Detect: transformation keyword support
  • Bundled Suricata-Update

Major changes since 4.1beta1

  • WinDivert support
  • Kerberos parser and logger
  • IKEv2 parser and logger
  • DHCP parser and logger
  • Flow tracking for ICMPv4
  • Initial NFS4 support
  • Compressed PCAP logging
  • Expanded XFF support
  • Decode GRE over IP (Paulo Pacheco)
  • Multi-tenancy fixes
  • SMB improvements for midstream pickup
  • Update Suricata-Update to 1.0.0rc1

Security

CVE-2018-10242, CVE-2018-10244 (suricata)
CVE-2018-10243 (libhtp)

Get paid to work on Suricata!

Enjoying the testing? Or want to help out with other parts of the project?
We are looking for people, so reach out to us if you’re interested.

Special thanks

Henning Perl, Kirill Shipulin, Pierre Chifflier, Mats Klepsland, Max Fillinger, Alexander Gozman, Danny Browning, Giuseppe Longo, Maurizio Abba, Pascal Delalande, Chris Speidel, Elazar Broad, Jacob Masen-Smith, Renato Botelho, Paulo Pacheco, Jason Taylor

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

SuriCon

SuriCon 2018 Vancouver agenda is up! https://suricon.net/agenda-vancouver/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 4.0.0-rc2 ready for testing!

suri-400x400

We are proud to announce that the second release candidate for the upcoming Suricata 4.0.0 is ready for your testing.

We’re aiming for a final 4.0.0 release about 2 weeks from now. Please help us test!

Changes

  • Feature #744: Teredo configuration
  • Feature #1748: lua: expose tx in alert lua scripts
  • Bug #1855: alert number output
  • Bug #1888: noalert in a pass rule disables the rule
  • Bug #1957: PCRE lowercase enforcement in http_host buffer does not allow for upper case in hex-encoding
  • Bug #1958: Possible confusion or bypass within the stream engine with retransmits.
  • Bug #2110: isdataat: keyword memleak
  • Bug #2162: rust/nfs: reachable asserting rust panic
  • Bug #2175: rust/nfs: panic – 4.0.0-dev (rev 7c25a2d)
  • Bug #2176: gcc 7.1.1 ‘format truncation’ compiler warnings
  • Bug #2177: asn1/der: stack overflow

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.0-rc2.tar.gz

Special thanks

AFL project, Abdullah Ada

Trainings

SuriCon 2017

Come meet the Suricata community and development team to discuss all things Suricata at the third edition of the annual Suricata Conference. SuriCon 2017 will be in November in Prague: https://suricon.net

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1RC1 is out!

Photo by Eric Leblond

We’re happy to announce Suricata 3.1RC1. The plan is to release the stable within a few weeks, so please help us test this release!

Lots of improvements on the performance side:

  • Hyperscan integration for MPM and SPM. If installed, Hyperscan is now the default. See this guide.
  • Rewrite of the detection engine, simplifying rule grouping. This reduces memory usage and startup time in many scenarios.

Packet capture got a lot of love:

  • AF_PACKET support for tpacketv3
  • NETMAP usability improvements, especially on FreeBSD

A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.

This release also bundles libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.

Other than that, lots of cleanups and optimizations:

  • locking has been much simplified
  • TCP and IPv6 decoder optimizations
  • unittest cleanups
  • AFL fuzzing options were added

Have a look at the full changelog: https://github.com/inliniac/suricata/blob/master/ChangeLog

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1RC1.tar.gz

Special thanks

Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan

Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

Join us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Please help us test Suricata 3.0.1RC1

suri-400x400

We’re hoping for your feedback on a new release: Suricata 3.0.1RC1. We’ve fixed many issues in 3.0, including important stability issues and memory leaks. A final is expected within a week or so.

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-3.0.1RC1.tar.gz

New Features

– Feature #1535: Expose the certificate itself in TLS-lua
– Feature #1696: improve logged flow_id
– Feature #1700: enable “relro” and “now” in compile options for 3.0
– Feature #1734: gre: support transparent ethernet bridge decoding
– Feature #1740: Create counters for decode-events errors
– updated bundled libhtp to 0.5.19

Fixes

Many issues were fixed, including stability issues and many (potential) memory leaks.
Full list: https://redmine.openinfosecfoundation.org/versions/81

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:
FireEye, ANSSI, Emerging Threats / Proofpoint, Stamus Networks,
NorCert, Ntop, Lastline, AFL project, CoverityScan

Tom Decanio, Mats Klepsland, Alexander Gozman, Aleksey Katargin
Maurizio Abba, Alessandro Guido, David Diallo, Giuseppe Longo
Jon Zeolla, Andreas Moe, Nicolas Thill, Travis Green, bladeswords
Alfredo Cardigliano, Rob Mosher, Andre ten Bohmer

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://suricon.net

If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

Suricata 3.0RC3 Available!

Photo by Eric Leblond

We’re happy to announce Suricata 3.0RC3. RC3 fixes a few issues in RC2 that require some more testing. The plan is to release the stable quickly after the holidays, so please help us test this release!

Fixes:

  • Bug #1632: Fail to download large file with browser
  • Bug #1634: Fix non thread safeness of Prelude analyzer
  • Bug #1640: drop log crashes
  • Bug #1645: Race condition in unix manager
  • Bug #1647: FlowGetKey flow-hash.c:240 segmentation fault (master)
  • Bug #1650: DER parsing issue (master)

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.0RC3.tar.gz

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.0RC2 Available!

Photo by Eric Leblond

We’re happy to announce Suricata 3.0RC2. RC2 fixes a few issues in RC1 that require some more testing. The plan still is to release the stable within a few weeks, so please help us test this release!

Fixes:

  • Bug #1551: –enable-profiling-locks broken
  • Bug #1602: eve-log prefix field feature broken
  • Bug #1614: app_proto key missing from EVE file events
  • Bug #1615: disable modbus by default
  • Bug #1616: TCP reassembly bug
  • Bug #1617: DNS over TCP parsing issue
  • Bug #1618: SMTP parsing issue
  • Feature #1635: unified2 output: disable by default

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.0RC2.tar.gz

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.0RC1 Available!

Photo by Eric Leblond

We’re happy to announce Suricata 3.0RC1. This release replaces 2.1beta4 as the new development release. The plan is to release the stable within a few weeks, so please help us test this release!

Lots of improvements:

  • Multi-tenancy for detection
  • Big email logging update by Eric Leblond
  • Work on Lua and JSON output for various protocols by Mats Klepsland
  • Redis output support by Eric Leblond
  • JSON output for stats, rules profiling
  • Colorized output on the commandline
  • Support for the base64_decode and base64_data keywords by Jason Ish
  • TLS and DNS lua support
  • file_data support for SMTP by Giuseppe Longo
  • Support wild cards in rule loading by Alexander Gozman

Packet capture got a lot of love:

  • PF_RING optimizations by Alfredo Cardigliano
  • Netmap updates by Aleksey Katargin
  • AF_PACKET updated by Eric Leblond
  • DAG fixes by Stephen Donnelly

Other than that, lots of cleanups and optimizations:

  • stateful detection overhaul
  • stream engine updates

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.0RC1.tar.gz

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Alexander Gozman
  • Mats Klepsland
  • Giuseppe Longo
  • Alfredo Cardigliano
  • Aleksey Katargin
  • Alessandro Guido
  • Antti Tönkyrä
  • Tom DeCanio
  • Aaron Campbell
  • DIALLO David
  • David Cannings
  • Helmut Schaa
  • Jeff Barber
  • Schnaffon
  • Torgeir Natvig
  • Zachary Rasmor
  • Alexandre Macabies
  • Stephen Donnelly

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.1rc1 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0.1rc1, the first (and hopefully only) release candidate for Suricata 2.0.1. This brings TLS Heartbleed detection and fixes a number of issues in the 2.0 release.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.1rc1.tar.gz

Notable changes

  • OpenSSL Heartbleed detection. Thanks to Pierre Chifflier and Will Metcalf
  • Fixed Unix Socket runmode
  • Fixed AF_PACKET IPS support

All closed tickets

  • Feature #1157: Always create pid file if –pidfile command line option is provided
  • Feature #1173: tls: OpenSSL heartbleed detection
  • Bug #978: clean up app layer parser thread local storage
  • Bug #1064: Lack of Thread Deinitialization For Decoder Modules
  • Bug #1101: Segmentation in AppLayerParserGetTxCnt
  • Bug #1136: negated app-layer-protocol FP on multi-TX flows
  • Bug #1141: dns response parsing issue
  • Bug #1142: dns tcp toclient protocol detection
  • Bug #1143: tls protocol detection in case of tls-alert
  • Bug #1144: icmpv6: unknown type events for MLD_* types
  • Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
  • Bug #1146: tls: event on ‘new session ticket’ in handshake
  • Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
  • Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
  • Bug #1161: eve: src and dst mixed up in some cases
  • Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
  • Bug #1163: HTP Segfault
  • Bug #1165: af_packet – one thread consistently not working
  • Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
  • Bug #1176: AF_PACKET IPS mode is broken in 2.0
  • Bug #1177: eve log do not show action ‘dropped’ just ‘allowed’
  • Bug #1180: Possible problem in stream tracking

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Jason Ish — Endace/Emulex
  • Tom Decanio — nPulse
  • Pierre Chifflier
  • Will Metcalf
  • Duarte Silva
  • Brad Roether
  • Christophe Vandeplas
  • Jason Jones
  • Jorgen Bohnsdalen
  • Fábio Depin
  • Gines Lopez
  • Ivan Ristic
  • Coverity

Known issues & missing features

This is a “release candidate”-quality release so the stability should be good although unexpected corner cases might happen. If you encounter one, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.