Tag Archive | ssh

Suricata 6.0.0 beta 1 released

We’re happy to announce Suricata 6.0.0 beta 1. This is a test version for a new major feature release of Suricata.

Originally planned to be released as a release candidate we wanted to get a few more interesting things in that are still a bit rough around the edges. So the plan is now to release 6.0RC1 early September and then the final late September.

We are hoping for some of you to take this beta and test it in your environment and report any issues to us.

Get the release here:
https://www.openinfosecfoundation.org/downloads/suricata-6.0.0-beta1.tar.gz

Major changes

– initial HTTP/2 support
– DCERPC logging
– much improved EVE logging performance
– RFB and MQTT protocol support, including detection and logging
– HASSH support
– conditional logging

Power of the community

Several features and improvements have been made by community members:

– MQTT (Sascha Steinbiss)
– RFB (Frank Honza)
– HASSH (Vadym Malakhatko)
– ASN.1 Rust (Pierre Chifflier and Emmanuel Thompson)
– cbindgen (Danny Browning)
– nom 5 conversion (Pierre Chifflier)
– Napatech bypass support (Phil Young)
– MAC address logging in EVE (Sascha Steinbiss)

List of git committers:

Pierre Chifflier, Sascha Steinbiss, Emmanuel Thompson, Todd Mortimer,
Phil Young, Vadym Malakhatko, Jason Taylor, James Dutrisac, Zach Kelly,
Joshua Lumb, Angelo Mirabella, Antti Tönkyrä, Danny Browning,
Frank Honza, Giuseppe Longo, Roland Fischer, Stephen Donnelly,
Timo Sigurdsson, Tristan Fletcher, William Stearns, Xiaofan Wang,
Zackeus Bengtsson

Notable Optimizations

– faster EVE log generation using our own Rust language JSON string builder
– much better EVE log scaling by allowing a log file per thread
– flow engine improvments – esp when under resource constraints

Removals

– unified2 has been removed
– filestore v1 has support has been removed
– drop log

Securing Suricata

– ASN1 handling is now entirely done in Rust code
– DCERPC, SSH have been reimplemented in Rust
– new protocols have been implemented in Rust

Rule language

– from_end support for byte_jump keyword
– bitmask support for byte_test keyword
– byte_math support
– flowbit OR support
– pcrexform keyword: use pcre with substring capture as a transform
– urldecode transform was added

For developers

– Use cbindgen to create Rust-C bindings (Danny Browning)
– initial plugin support
– libfuzzer (oss-fuzz) support

Forums

Join our new Forum at https://forum.suricata.io/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 2.0.4 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.4. This release fixes a number of important issues in the 2.0 series.

This update fixes a bug in the SSH parser, where a malformed banner could lead to evasion of SSH rules and missing log entries. In some cases it may also lead to a crash. Bug discovered and reported by Steffen Bauch.

Additionally, this release also addresses a new IPv6 issue that can lead to evasion. Bug discovered by Rafael Schaefer working with ERNW GmbH.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.4.tar.gz

Changes

  • Bug #1276: ipv6 defrag issue with routing headers
  • Bug #1278: ssh banner parser issue
  • Bug #1254: sig parsing crash on malformed rev keyword
  • Bug #1267: issue with ipv6 logging
  • Bug #1273: Lua – http.request_line not working
  • Bug #1284: AF_PACKET IPS mode not logging drops and stream inline issue

Security

  • CVE-2014-6603

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0rc2 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0rc2, the second release candidate for Suricata 2.0.

Notable changes

  • eve-log is now enabled by default
  • SSH parser is re-enabled
  • SSH logging was added to ‘eve-log’
  • bundled libhtp was updated to 0.5.10

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0rc2.tar.gz

All closed tickets

  • Feature #952: Add VLAN tag ID to all outputs
  • Feature #953: Add QinQ tag ID to all outputs
  • Feature #1012: Introduce SSH log
  • Feature #1118: app-layer protocols http memcap – info in verbose mode (-v)
  • Feature #1119: restore SSH protocol detection and parser
  • Bug #611: fp: rule with ports matching on portless proto
  • Bug #985: default config generates rule warnings and errors
  • Bug #1021: 1.4.6: conf_filename not checked before use
  • Bug #1089: SMTP: move depends on uninitialised value
  • Bug #1090: FTP: Memory Leak
  • Bug #1091: TLS-Handshake: Uninitialized value
  • Bug #1092: HTTP: Memory Leak
  • Bug #1108: suricata.yaml config parameter – segfault
  • Bug #1109: PF_RING vlan handling
  • Bug #1110: Can have the same Pattern ID (pid) for the same pattern but different case flags
  • Bug #1111: capture stats at exit incorrect
  • Bug #1112: tls-events.rules file missing
  • Bug #1115: nfq: exit stats not working
  • Bug #1120: segv with pfring/afpacket and eve-log enabled
  • Bug #1121: crash in eve-log
  • Bug #1124: ipfw build broken

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Jason Ish — Endace/Emulex
  • Tom Decanio — nPulse
  • Jack Flemming
  • Mark Ashley
  • Marc-Andre Heroux

Known issues & missing features

This is a “release candidate”-quality release so the stability should be good although unexpected corner cases might happen. If you encounter one, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.