Tag Archive | stable release

Suricata 5.0.2 released

We’re pleased to announce Suricata 5.0.2. This release fixes a number of issues found in the 5.0 branch.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-5.0.2.tar.gz

Changes

  • Bug #2993: Suricata 5.0.0beta1 memory allocation of 4294966034 bytes failed
  • Bug #3380: Segfault when using multi-detect
  • Bug #3400: smb: post-GAP file tx handling
  • Bug #3424: nfs: post-GAP some transactions never close
  • Bug #3425: nfs: post-GAP file tx handling
  • Bug #3433: coverity: CID 1456679: Memory – corruptions (NEGATIVE_RETURNS)
  • Bug #3434: coverity: CID 1456680: Incorrect expression (IDENTICAL_BRANCHES)
  • Bug #3469: gcc10: compilation failure unless -fcommon is supplied (5.0.x)
  • Bug #3473: Dropping privileges does not work with NFLOG (5.0.x)
  • Documentation #3423: readthedocs shows title of documentation as “Suricata unknown documentation”

Special thanks

Jason Taylor, Timo Sigurdsson, vanlink

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.7 released

We’re pleased to announce Suricata 4.1.7. This release fixes a number of issues found in the 4.1 branch.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.7.tar.gz

Changes

  • Bug #3417: –disable-geoip does not work (4.1.x)
  • Bug #3448: Suricata 4.1 Seg Fault: Socket Control pcap-file and corrupt pcap
  • Bug #3452: smb: post-GAP file tx handling (4.1.x)
  • Bug #3453: coverity: CID 1456680: Incorrect expression (IDENTICAL_BRANCHES) (4.1.x)
  • Bug #3470: gcc10: compilation failure unless -fcommon is supplied (4.1.x)
  • Bug #3471: nfs: post-GAP some transactions never close (4.1.x)
  • Bug #3472: nfs: post-GAP file tx handling (4.1.x)
  • Bug #3474: Dropping privileges does not work with NFLOG (4.1.x)

Special thanks

Danny Browning, Fabrice Fontaine, Timo Sigurdsson, vanlink

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 5.0.1 released

We’re pleased to announce Suricata 5.0.1. This release fixes a number of issues found in the 5.0 branch. There are still a number of open issues that we are working on. See our 5.0.2 target here: https://redmine.openinfosecfoundation.org/versions/142

This release fixes a number of IPv4 and TCP evasion issues reported by Nicolas Adba.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-5.0.1.tar.gz

Changes

  • Bug #1871: intermittent abort()s at shutdown and in unix-socket
  • Bug #2810: enabling add request/response http headers in master
  • Bug #3047: byte_extract does not work in some situations
  • Bug #3073: AC_CHECK_FILE on cross compile
  • Bug #3103: –engine-analysis warning for flow on an icmp request rule
  • Bug #3120: nfq_handle_packet error -1 Resource temporarily unavailable warnings
  • Bug #3237: http_accept not treated as sticky buffer by –engine-analysis
  • Bug #3254: tcp: empty SACK option leads to decoder event
  • Bug #3263: nfq: invalid number of bytes reported
  • Bug #3264: EVE DNS Warning about defaulting to v2 as version is not set.
  • Bug #3266: fast-log: icmp type prints wrong value
  • Bug #3267: Support for tcp.hdr Behavior
  • Bug #3275: address parsing: memory leak in error path
  • Bug #3277: segfault when test a nfs pcap file
  • Bug #3281: Impossible to cross-compile due to AC_CHECK_FILE
  • Bug #3284: hash function for string in dataset is not correct
  • Bug #3286: TCP evasion technique by faking a closed TCP session
  • Bug #3324: TCP evasion technique by overlapping a TCP segment with a fake packet
  • Bug #3328: bad ip option evasion
  • Bug #3340: DNS: DNS over TCP transactions logged with wrong direction.
  • Bug #3341: tcp.hdr content matches don’t work as expected
  • Bug #3345: App-Layer: Not all parsers register TX detect flags that should
  • Bug #3346: BPF filter on command line not honored for pcap file
  • Bug #3362: cross compiling not affecting rust component of surrcata
  • Bug #3376: http: pipelining tx id handling broken
  • Bug #3386: Suricata is unable to get MTU from NIC after 4.1.0
  • Bug #3389: EXTERNAL_NET no longer working in 5.0 as expected
  • Bug #3390: Eve log does not generate pcap_filename when Interacting via unix socket in pcap processing mode
  • Bug #3397: smtp: file tracking issues when more than one attachment in a tx
  • Bug #3398: smtp: ‘raw-message’ option file tracking issues with multi-tx
  • Bug #3399: smb: post-GAP some transactions never close
  • Bug #3401: smb1: ‘event only’ transactions for bad requests never close
  • Bug #3411: detect/asn1: crashes on packets smaller than offset setting
  • Task #3364: configure: Rust 1.37+ has cargo-vendor support bundled into cargo.
  • Documentation #2885: update documentation to indicate -i can be used multiple times
  • Bundle Suricata-Update 1.1.1
  • Bundle Libhtp 0.5.32

Special thanks

Nicolas Adba, Alexander Gozman, Ciprian, Daisu, EmilienCourt, Fabrice Fontaine, Pascal Delalande, Steven Hostetler, Wesley van der Ree, Jason Taylor

Trainings

See https://suricata_events.eventbrite.com/ for the current list of planned training sessions.

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.6 released

We’re pleased to announce Suricata 4.1.6. This release fixes a number of issues found in the 4.1 branch.

This release fixes a number of IPv4 and TCP evasion issues reported by Nicolas Adba.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.6.tar.gz

Changes

  • Bug #3276: address parsing: memory leak in error path (4.1.x)
  • Bug #3278: segfault when test a nfs pcap file (4.1.x)
  • Bug #3279: ikev2 enabled in config even if Rust is disabled
  • Bug #3325: lua issues on arm (fedora:29) (4.1.x)
  • Bug #3326: Static build with pcap fails (4.1.x)
  • Bug #3327: tcp: empty SACK option leads to decoder event (4.1.x)
  • Bug #3347: BPF filter on command line not honored for pcap file (4.1.x)
  • Bug #3355: DNS: DNS over TCP transactions logged with wrong direction. (4.1.x)
  • Bug #3356: DHCP: Slow down over time due to lack of detect flags (4.1.x)
  • Bug #3369: byte_extract does not work in some situations (4.1.x)
  • Bug #3385: fast-log: icmp type prints wrong value (4.1.x)
  • Bug #3387: suricata is logging tls log repeatedly if custom mode is enabled (4.1.x)
  • Bug #3388: TLS Lua output does not work without TLS log (4.1.x)
  • Bug #3391: Suricata is unable to get MTU from NIC after 4.1.0 (4.1.x)
  • Bug #3393: http: pipelining tx id handling broken (4.1.x)
  • Bug #3394: TCP evasion technique by overlapping a TCP segment with a fake packet (4.1.x)
  • Bug #3395: TCP evasion technique by faking a closed TCP session (4.1.x)
  • Bug #3402: smb: post-GAP some transactions never close (4.1.x)
  • Bug #3403: smb1: ‘event only’ transactions for bad requests never close (4.1.x)
  • Bug #3404: smtp: file tracking issues when more than one attachment in a tx (4.1.x)
  • Bug #3405: Filehash rule does not fire without filestore keyword
  • Bug #3410: intermittent abort()s at shutdown and in unix-socket (4.1.x)
  • Bug #3412: detect/asn1: crashes on packets smaller than offset setting (4.1.x)
  • Task #3367: configure: Rust 1.37+ has cargo-vendor support bundled into cargo (4.1.x)
  • Bundle Suricata-Update 1.0.6
  • Bundle Libhtp 0.5.32

Special thanks

Nicolas Adba, Mats Klepsland, Fabrice Fontaine

Trainings

See https://suricata_events.eventbrite.com/ for the current list of planned training sessions.

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.5 released

We’re pleased to announce Suricata 4.1.5. This release fixes a number of issues found in the 4.1 branch. Some of the issues are security issues, so upgrading is highly recommended.

This release also adds VXLAN support, contributed by Henrik Lund Kramshoej. This was accepted into the stable branch to support Suricata deployment in AWS. Next GeoIP2 support was contributed by Bill Meeks. This was added to stable as GeoIP1 is end of life and the databases are no longer updated.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.5.tar.gz

Changes

  • Feature #3068: protocol parser: vxlan (4.1.x)
  • Bug #2841: False positive alerts firing after upgrade suricata 3.0 -> 4.1.0 (4.1.x)
  • Bug #2966: filestore (v1 and v2): dropping of “unwanted” files (4.1.x)
  • Bug #3008: rust: updated libc crate causes depration warnings (4.1.x)
  • Bug #3044: tftp: missing logs because of broken tx handling (4.1.x)
  • Bug #3067: GeoIP keyword depends on now discontinued legacy GeoIP database (4.1.x)
  • Bug #3094: Fedora rawhide af-packet compilation err (4.1.x)
  • Bug #3123: bypass keyword: Suricata 4.1.x Segmentation Faults (4.1.x)
  • Bug #3129: Fixes warning about size of integers in string formats (4.1.x)
  • Bug #3159: SC_ERR_PCAP_DISPATCH with message “error code -2” upon rule reload completion (4.1.x)
  • Bug #3164: Suricata 4.1.4: NSS Shutdown triggers crashes in test mode
  • Bug #3168: tls: out of bounds read
  • Bug #3170: defrag: out of bounds read
  • Bug #3173: ipv4: ts field decoding oob read
  • Bug #3175: File_data inspection depth while inspecting base64 decoded data (4.1.x)
  • Bug #3184: decode/der: crafted input can lead to resource starvation
  • Bug #3186: Multiple Content-Length headers causes HTP_STREAM_ERROR (4.1.x)
  • Bug #3187: GET/POST HTTP-request with no Content-Length, http_client_body miss (4.1.x)

Special thanks

Bill Meeks, Henrik Lund Kramshoej, Yujie Zhao, Alexander Bluhm

Sirko Höer — Code Intelligence GmbH, DCSO.

Trainings

See https://suricata_events.eventbrite.com/ for the current list of planned training sessions.

Suricon

Suricon 2019 will happen in Amsterdam in little over a month! For tickets, trainings and sponsorships, see: https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.4 released

We’re pleased to announce Suricata 4.1.4. This release fixes a number of issues found in the 4.1 branch.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.4.tar.gz

Changes

  • Bug #2870: pcap logging with lz4 coverity warning
  • Bug #2883: ssh: heap buffer overflow
  • Bug #2884: mpls: heapbuffer overflow in file decode-mpls.c
  • Bug #2887: decode-ethernet: heapbuffer overflow in file decode-ethernet.c
  • Bug #2888: 4.1.3 core in HCBDCreateSpace
  • Bug #2894: smb 1 create andx request does not parse the filename correctly
  • Bug #2902: rust/dhcp: panic in dhcp parser
  • Bug #2903: mpls: cast of misaligned data leads to undefined behavior
  • Bug #2904: rust/ftp: panic in ftp parser
  • Bug #2943: rust/nfs: integer underflow
  • This release includes Suricata-Update 1.0.5

Special thanks

Alexander Bluhm, Giuseppe Longo, Max Fillinger, Wesley van der Ree, Jason Taylor
Sirko Höer — Code Intelligence GmbH, DCSO.

Trainings

See https://suricata_events.eventbrite.com/ for the current list of planned training sessions.

Suricon

The CFP for Suricon 2019 is open! Submit your talk proposal at: https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.3 released

We’re pleased to announce Suricata 4.1.3. This release fixes a number of issues found in the 4.1-series.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.3.tar.gz

Changes

  • Bug #2225: when stats info dumping in redis,the decoder.ipv4.trunc_pkt can’t output.In the same time, in the stats.log this can output
  • Bug #2362: rule reload with workers mode and NFQUEUE not working stable
  • Bug #2761: Include ebpf files in distributed sources
  • Bug #2762: SSLv3 – AddressSanitizer heap-buffer-overflow
  • Bug #2770: TCP FIN/ACK, RST/ACK in HTTP – detection bypass
  • Bug #2788: afpacket doesn’t wait for all capture threads to start
  • Bug #2805: dns v1/2 with rust results in less app layer data available in the alert record (for dns related alerts/rules) (4.1.x)
  • Bug #2811: netmap/afpacket IPS: stream.inline: auto broken
  • Bug #2823: configure.ac: broken –{enable,disable}-xxx options (4.1.x)
  • Bug #2842: IPS mode crash under load
  • Bug #2855: Suricata does not bridge host <-> hw rings (Affects FreeBSD 11-STABLE, FreeBSD 12 and FreeBSD 13-CURRENT)
  • Bug #2862: pcre related FP in HTTP inspection (4.1.x)
  • Bug #2865: Suricata rule sid:2224005 SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) not works (4.1.x)
  • Feature #2774: pcap multi dev support for Windows

Special thanks

Edwin van Vliet, Mats Klepsland, Pierre Chifflier, Alexander Gozman, Fabrice Fontaine, Jingyu Yang, Murat Balaban, Pascal Delalande

Trainings

2019 Training Calendar has been posted. There are still seats available for next weeks Advanced Deployment and Threat Hunting training in Washington, D.C. See https://suricata-ids.org/training/

Suricon

Suricon 2018 was a great success and the 2019 location has been announced: Amsterdam. Please consider becoming a sponsor! https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.2 released

Much sooner than planned we are releasing 4.1.2. The 4.1.1 process didn’t go as planned. First the tarball was missing the vendored Rust crates. Then we found that Suricata-Update didn’t properly function on CentOS 7, Ubunut 14.04 and other slightly older distros. Then last minute we found yet another Suricata-Update bug.

So despite it being so close to the holidays for many, we decided to push 4.1.2 out already. Apologies for the inconvenience this may cause.

Other than the issues mention above, we did also fix some additional issues. SMB logging accuracy was improved, DNS detection and logging accuracy was improved and some documentation updates are included as well.

After the holidays are over we’re going to review our QA for both Suricata and Suricata-Update, so we can avoid issue like this in the future.

Changes

  • Feature #1863: smtp: improve pipelining support
  • Feature #2748: bundle libhtp 0.5.29
  • Feature #2749: bundle suricata-update 1.0.3
  • Bug #2682: python-yaml Not Listed As Ubuntu Prerequisite
  • Bug #2736: DNS Golden Transaction ID – detection bypass
  • Bug #2745: Invalid detect-engine config could lead to segfault
  • Bug #2752: smb: logs for IOCTL and DCERPC have tree_id value of 0

Special thanks

Philippe Antoine, Alexey Vishnyakov

Download

https://www.openinfosecfoundation.org/downloads/suricata-4.1.2.tar.gz

Suricata 4.1.1 available!

suri-400x400

We are pleased to announce Suricata 4.1.1. This release fixes a number of issues found 4.1. It also adds EVE DNSv1 support for Rust builds.

Changes

  • Feature #2637: af-packet: improve error output for BPF loading failure
  • Feature #2671: Add Log level to suricata.log when using JSON type
  • Bug #2502: suricata.c ConfigGetCaptureValue – PCAP/AFP fallthrough to strip_trailing_plus
  • Bug #2528: krb parser not always parsing tgs responses
  • Bug #2633: Improve errors handling in AF_PACKET
  • Bug #2653: llc detection failure in configure.ac
  • Bug #2677: coverity: ja3 potential memory leak
  • Bug #2679: build with profiling enabled on generates compile warnings
  • Bug #2704: DNSv1 for Rust enabled builds.
  • Bug #2705: configure: Test for PyYAML and disable suricata-update if not installed.
  • Bug #2716: Stats interval are 1 second too early each tick
  • Bug #2717: nfs related panic in 4.1
  • Bug #2719: Failed Assertion, Suricata Abort – util-mpm-hs.c line 163 (4.1.x)
  • Bug #2723: dns v2 json output should always set top-level rrtype in responses
  • Bug #2730: rust/dns/lua – The Lua calls for DNS values when using Rust don’t behave the same as the C implementation.
  • Bug #2731: multiple instances of transaction loggers are broken
  • Bug #2734: unix runmode deadlock when using too many threads
  • Bundled Suricata-Update was updated to 1.0.1

Download

https://www.openinfosecfoundation.org/download/suricata-4.1.1.tar.gz

Special thanks

Jason Taylor, Eric Urban, Mats Klepsland, Pierre Chifflier

Trainings

The 2019 calendar of trainings will be out soon – check back here or follow us on Twitter (@OISFoundation) for all training announcements

Suricon

Suricon 2018 was a great success and the 2019 location has been announced: Amsterdam. Please consider becoming a sponsor! https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.0.3 available!

suri-400x400

We are pleased to announce Suricata 4.0.3.  This is regular bug fix release fixing various issues.

Note: this release was first released as 4.0.2, but due to a packaging mistake it contained the wrong branch.

Changes

  • Feature #2245: decoder for ieee802.1AH traffic
  • Bug #798: stats.log in yaml config – append option – missing
  • Bug #891: detect-engine.profile does not err out in incorrect values – suricata.yaml
  • Bug #961: max pending packets variable parsing
  • Bug #1185: napatech: cppcheck warning
  • Bug #2215: Lost events writing to unix socket
  • Bug #2230: valgrind memcheck – 4.0.0-dev (rev 1180687)
  • Bug #2250: detect: mixing byte_extract and isdataat leads to FP & FN
  • Bug #2263: content matches disregarded when using dns_query on udp traffic
  • Bug #2274: ParseSizeString in util-misc.c: Null-pointer dereference
  • Bug #2275: ConfGetInt in conf.c: NULL-pointer dereference
  • Bug #2276: conf: NULL-pointer dereference in CoredumpLoadConfig
  • Bug #2293: rules: depth < content rules not rejected
  • Bug #2324: segfault in http_start (4.0.x)
  • Bug #2325: Suricata segfaults on ICMP and flowint check (4.0.x)

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.3.tar.gz

Special thanks

Danny Browning, Harley H, Travis Green, Wolfgang Hotwagner, Edward Fjellskål

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.