Tag Archive | stable

Suricata 4.1.5 released

We’re pleased to announce Suricata 4.1.5. This release fixes a number of issues found in the 4.1 branch. Some of the issues are security issues, so upgrading is highly recommended.

This release also adds VXLAN support, contributed by Henrik Lund Kramshoej. This was accepted into the stable branch to support Suricata deployment in AWS. Next GeoIP2 support was contributed by Bill Meeks. This was added to stable as GeoIP1 is end of life and the databases are no longer updated.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.5.tar.gz

Changes

  • Feature #3068: protocol parser: vxlan (4.1.x)
  • Bug #2841: False positive alerts firing after upgrade suricata 3.0 -> 4.1.0 (4.1.x)
  • Bug #2966: filestore (v1 and v2): dropping of “unwanted” files (4.1.x)
  • Bug #3008: rust: updated libc crate causes depration warnings (4.1.x)
  • Bug #3044: tftp: missing logs because of broken tx handling (4.1.x)
  • Bug #3067: GeoIP keyword depends on now discontinued legacy GeoIP database (4.1.x)
  • Bug #3094: Fedora rawhide af-packet compilation err (4.1.x)
  • Bug #3123: bypass keyword: Suricata 4.1.x Segmentation Faults (4.1.x)
  • Bug #3129: Fixes warning about size of integers in string formats (4.1.x)
  • Bug #3159: SC_ERR_PCAP_DISPATCH with message “error code -2” upon rule reload completion (4.1.x)
  • Bug #3164: Suricata 4.1.4: NSS Shutdown triggers crashes in test mode
  • Bug #3168: tls: out of bounds read
  • Bug #3170: defrag: out of bounds read
  • Bug #3173: ipv4: ts field decoding oob read
  • Bug #3175: File_data inspection depth while inspecting base64 decoded data (4.1.x)
  • Bug #3184: decode/der: crafted input can lead to resource starvation
  • Bug #3186: Multiple Content-Length headers causes HTP_STREAM_ERROR (4.1.x)
  • Bug #3187: GET/POST HTTP-request with no Content-Length, http_client_body miss (4.1.x)

Special thanks

Bill Meeks, Henrik Lund Kramshoej, Yujie Zhao, Alexander Bluhm

Sirko Höer — Code Intelligence GmbH, DCSO.

Trainings

See https://suricata_events.eventbrite.com/ for the current list of planned training sessions.

Suricon

Suricon 2019 will happen in Amsterdam in little over a month! For tickets, trainings and sponsorships, see: https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.4 released

We’re pleased to announce Suricata 4.1.4. This release fixes a number of issues found in the 4.1 branch.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.4.tar.gz

Changes

  • Bug #2870: pcap logging with lz4 coverity warning
  • Bug #2883: ssh: heap buffer overflow
  • Bug #2884: mpls: heapbuffer overflow in file decode-mpls.c
  • Bug #2887: decode-ethernet: heapbuffer overflow in file decode-ethernet.c
  • Bug #2888: 4.1.3 core in HCBDCreateSpace
  • Bug #2894: smb 1 create andx request does not parse the filename correctly
  • Bug #2902: rust/dhcp: panic in dhcp parser
  • Bug #2903: mpls: cast of misaligned data leads to undefined behavior
  • Bug #2904: rust/ftp: panic in ftp parser
  • Bug #2943: rust/nfs: integer underflow
  • This release includes Suricata-Update 1.0.5

Special thanks

Alexander Bluhm, Giuseppe Longo, Max Fillinger, Wesley van der Ree, Jason Taylor
Sirko Höer — Code Intelligence GmbH, DCSO.

Trainings

See https://suricata_events.eventbrite.com/ for the current list of planned training sessions.

Suricon

The CFP for Suricon 2019 is open! Submit your talk proposal at: https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.3 released

We’re pleased to announce Suricata 4.1.3. This release fixes a number of issues found in the 4.1-series.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.3.tar.gz

Changes

  • Bug #2225: when stats info dumping in redis,the decoder.ipv4.trunc_pkt can’t output.In the same time, in the stats.log this can output
  • Bug #2362: rule reload with workers mode and NFQUEUE not working stable
  • Bug #2761: Include ebpf files in distributed sources
  • Bug #2762: SSLv3 – AddressSanitizer heap-buffer-overflow
  • Bug #2770: TCP FIN/ACK, RST/ACK in HTTP – detection bypass
  • Bug #2788: afpacket doesn’t wait for all capture threads to start
  • Bug #2805: dns v1/2 with rust results in less app layer data available in the alert record (for dns related alerts/rules) (4.1.x)
  • Bug #2811: netmap/afpacket IPS: stream.inline: auto broken
  • Bug #2823: configure.ac: broken –{enable,disable}-xxx options (4.1.x)
  • Bug #2842: IPS mode crash under load
  • Bug #2855: Suricata does not bridge host <-> hw rings (Affects FreeBSD 11-STABLE, FreeBSD 12 and FreeBSD 13-CURRENT)
  • Bug #2862: pcre related FP in HTTP inspection (4.1.x)
  • Bug #2865: Suricata rule sid:2224005 SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) not works (4.1.x)
  • Feature #2774: pcap multi dev support for Windows

Special thanks

Edwin van Vliet, Mats Klepsland, Pierre Chifflier, Alexander Gozman, Fabrice Fontaine, Jingyu Yang, Murat Balaban, Pascal Delalande

Trainings

2019 Training Calendar has been posted. There are still seats available for next weeks Advanced Deployment and Threat Hunting training in Washington, D.C. See https://suricata-ids.org/training/

Suricon

Suricon 2018 was a great success and the 2019 location has been announced: Amsterdam. Please consider becoming a sponsor! https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.2 released

Much sooner than planned we are releasing 4.1.2. The 4.1.1 process didn’t go as planned. First the tarball was missing the vendored Rust crates. Then we found that Suricata-Update didn’t properly function on CentOS 7, Ubunut 14.04 and other slightly older distros. Then last minute we found yet another Suricata-Update bug.

So despite it being so close to the holidays for many, we decided to push 4.1.2 out already. Apologies for the inconvenience this may cause.

Other than the issues mention above, we did also fix some additional issues. SMB logging accuracy was improved, DNS detection and logging accuracy was improved and some documentation updates are included as well.

After the holidays are over we’re going to review our QA for both Suricata and Suricata-Update, so we can avoid issue like this in the future.

Changes

  • Feature #1863: smtp: improve pipelining support
  • Feature #2748: bundle libhtp 0.5.29
  • Feature #2749: bundle suricata-update 1.0.3
  • Bug #2682: python-yaml Not Listed As Ubuntu Prerequisite
  • Bug #2736: DNS Golden Transaction ID – detection bypass
  • Bug #2745: Invalid detect-engine config could lead to segfault
  • Bug #2752: smb: logs for IOCTL and DCERPC have tree_id value of 0

Special thanks

Philippe Antoine, Alexey Vishnyakov

Download

https://www.openinfosecfoundation.org/downloads/suricata-4.1.2.tar.gz

Suricata 4.1.1 available!

suri-400x400

We are pleased to announce Suricata 4.1.1. This release fixes a number of issues found 4.1. It also adds EVE DNSv1 support for Rust builds.

Changes

  • Feature #2637: af-packet: improve error output for BPF loading failure
  • Feature #2671: Add Log level to suricata.log when using JSON type
  • Bug #2502: suricata.c ConfigGetCaptureValue – PCAP/AFP fallthrough to strip_trailing_plus
  • Bug #2528: krb parser not always parsing tgs responses
  • Bug #2633: Improve errors handling in AF_PACKET
  • Bug #2653: llc detection failure in configure.ac
  • Bug #2677: coverity: ja3 potential memory leak
  • Bug #2679: build with profiling enabled on generates compile warnings
  • Bug #2704: DNSv1 for Rust enabled builds.
  • Bug #2705: configure: Test for PyYAML and disable suricata-update if not installed.
  • Bug #2716: Stats interval are 1 second too early each tick
  • Bug #2717: nfs related panic in 4.1
  • Bug #2719: Failed Assertion, Suricata Abort – util-mpm-hs.c line 163 (4.1.x)
  • Bug #2723: dns v2 json output should always set top-level rrtype in responses
  • Bug #2730: rust/dns/lua – The Lua calls for DNS values when using Rust don’t behave the same as the C implementation.
  • Bug #2731: multiple instances of transaction loggers are broken
  • Bug #2734: unix runmode deadlock when using too many threads
  • Bundled Suricata-Update was updated to 1.0.1

Download

https://www.openinfosecfoundation.org/download/suricata-4.1.1.tar.gz

Special thanks

Jason Taylor, Eric Urban, Mats Klepsland, Pierre Chifflier

Trainings

The 2019 calendar of trainings will be out soon – check back here or follow us on Twitter (@OISFoundation) for all training announcements

Suricon

Suricon 2018 was a great success and the 2019 location has been announced: Amsterdam. Please consider becoming a sponsor! https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.0 released!

We are thrilled to announce Suricata 4.0. This is a major new release, improving detection capabilities, adding new output options and more protocols.suri-400x400

Improved Detection

Based on valuable feedback from the rule writing teams at Emerging Threats and Positive Technologies we’ve added and improved many rule keywords for inspecting HTTP, SSH and other protocols. TLS additions were contributed by Mats Klepsland at NorCERT, including decoding, logging and matching on TLS serial numbers. Additionally, Suricata now allows rule writers to specify who’s the target in a signature. This information is used in EVE JSON logging to give more context with alerts.

TLS improved, NFS added

More on the TLS side: A major new feature is support for STARTTLS in SMTP and FTP. TLS sessions will now be logged in these cases. More goodness from Mats Klepsland. Also, TLS session resumption logging is now supported thanks to the work of Ray Ruvinskiy. Additional TLS logging improvements were done by Paulo Pacheco.

NFS decoding, logging and file extraction was added as part of the experimental Rust support. Read on for more information about Rust.

More EVE JSON

EVE is extended in several ways:

  • in the case of encapsulated traffic both the inner and outer ip addresses and ports are logged
  • the ‘vars’ facility logs flowbits and other vars. This can also be used to log data extracted from traffic using a PCRE statement in rules
  • EVE can now be rotated based on time
  • EVE was extended to optionally log the HTTP request and/or response bodies
  • the (partial) flow record is added to alert records.

The ‘vars’ facility is one of the main improvements here, as it is now possible for a signature to accurately extract information for logging. For instance, a signature can extract an advertised software version or other information such as the recipient of an email. [https://blog.inliniac.net/2016/12/20/suricata-bits-ints-and-vars/]

First Step into a Safer Future

This is the first release in which we’ve implemented parts in the Rust language using the Nom parser framework. This work is inspired by Pierre Chiffliers’ (ANSSI), talk at SuriCon 2016 (pdf). By compiling with –enable-rust you’ll get a basic NFS parser and a re-implementation of the DNS parser. Feedback on this is highly appreciated.

The Rust support is still experimental, as we are continuing to explore how it functions, performs and what it will take to support it in the community. Additionally we included Pierre Chiffliers Rust parsers work. This uses external Rust parser ‘crates’ and is enabled by using –enable-rust-experimental. Initially this adds a NTP parser.

Under the Hood

A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode. First steps in TCP GAP recovery were taken, with implementations for DNS and NFS.

For developers, this release makes extending the detection engine with high performance keywords a lot easier. Adding a new high performance keyword using multi pattern matching does now requires only a few lines of code.

Documentation

David Wharton at SecureWorks has created a section in the documentation for rule writers who have a background in Snort. It documents changes that are relevant for writing rules.

Next steps

Based on the feedback we’ll get we’re expecting to do a 4.0.1 release in a month or so. Then we’ll start work on the next major release, which is 4.1. This is planned for late fall, ETA before SuriCon in Prague.

Feature tickets

  • Feature #806: Implement STARTTLS support
  • Feature #2006: tls: decode certificate serial number
  • Feature #1969: TLS transactions with session resumption are not logged
  • Feature #2129: nfs: parser, logger and detection
  • Feature #2130: dns: rust parser with stateless behaviour
  • Feature #2131: nfs: implement GAP support
  • Feature #2163: ntp parser
  • Feature #2164: rust: external parser crate support
  • Feature #2077: Additional HTTP Header Contents and Negation
  • Feature #2011: eve.alert: print outside IP addresses on alerts on traffic inside tunnels
  • Feature #2095: eve: http body in alert event
  • Feature #1978: Using date in logs name
  • Feature #1998: eve.tls: custom TLS logging
  • Feature #2046: Support custom file permissions per logger
  • Feature #2123: unix-socket: additional runmodes
  • Feature #2132: eve: flowbit and other vars logging
  • Feature #2156: Add app_proto or partial flow entry to alerts
  • Feature #744: Teredo configuration
  • Feature #2061: lua: get timestamps from flow
  • Feature #1953: lua: expose flow_id
  • Feature #1748: lua: expose tx in alert lua scripts
  • Feature #1636: Signal rotation of unified2 log file without restart
  • Feature #2133: unix socket: add/remove hostbits
  • Feature #805: Add support for applayer change

For all other closed tickets please see the full changelog of 4.0.

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.0.tar.gz

Special thanks

Mats Klepsland – for his major contributions: many EVE and TLS features

Pierre Chifflier – for paving the way for the Rust experiment and being very helpful while learning Rust and Nom.

Additionally: Abdullah Ada, Jérémy Beaume, Sebastian Garcia, Alexander Gozman, Giuseppe Longo, Paulo Pacheco, Selivanov Pavel, Ray Ruvinskiy, Peter Sanders, David Wharton, Jon Zeolla, the AFL project and Coverity Scan.

Suricata Trainings and Events

We have several community events and trainings on the calendar and in the works for 2017… here are some of the highlights:

  • 5-Day Developer Deep Dive Training – Sept 11 – 15, 2017, Cork, Ireland – led by Victor Julien, Eric Leblond, and Jason Ish
  • Rule Writing Training @ DerbyCon – Sept 20 – 24, 2017 – SOLD OUT!
  • Rule Writing Training @ SuriCon – Nov 13 – 14, 2017
  • 2-Day Suricata Training @ SuriCon – Nov 13 – 14, 2017
  • SuriCon 2017 – Nov 15 – 17, 2017, Prague

Details and registration for all our events can be found at https://suricata_events.eventbrite.com. Don’t delay as space is limited.

We also offer custom training events for your team – contact us at info@oisf.net for details.

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.0.2 released

We are pleased to announce Suricata 3.0.2. The release addresses various issues affecting stability. Libhtp 0.5.20 is bundled.suri-400x400

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.0.2.tar.gz

Special thanks

ANSSI, Stamus Networks, NorCert, AFL project, CoverityScan

Mats Klepsland, Aleksey Katargin, David Diallo

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.11 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.11. This release fixes a number of important issues in the 2.0 series.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.11.tar.gz

Changes

  • Bug #1572: 2.0.8 FlowGetKey flow-hash.c:240 segmentation fault (icmp destination unreachable)
  • Bug #1637: drop log crashes
  • Bug #1639: 2.0.x: Fix non thread safeness of Prelude analyzer
  • Bug #1649: DER parsing issue
  • Bug #1651: HTTP body tracking using excessive memory
  • Bug #1652: SMTP parsing issue (2.0.x)
  • Bug #1653: DNS over TCP parsing issue (2.0.x)
  • Bug #1654: TCP reassembly bug (2.0.x)

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Mark Webb-Johnson
  • Nick Jones
  • Hayder Sinan
  • Samiux A

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. Paris in July, Barcelona in November: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.10 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.10. This release fixes a number of important issues in the 2.0 series.

A number of other issues were fixed. Upgrading is highly recommended.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.10.tar.gz

Changes

  • Bug #1596: dns parser issue reported & fixed by Aaron Campbell
  • Bug #1554: stored: false in files log when files were actually stored
  • Feature #1581: support LINKTYPE_NULL

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Aaron Campbell
  • Giuseppe Longo
  • Greg Siemon

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. Paris in July, Barcelona in November: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.9 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.9. This release fixes a number of issues in the 2.0 series.

Couple of important fixes: defrag evasion, a crash when using certain rules (mixing regular content and relative bytejumps with dce option) and better detection of TCP retransmissions with different data.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.9.tar.gz

Changes

  • Bug#1558: stream: retransmission not detected (2.0.x)
  • Bug #1550: Segmentation Fault at detect-engine-content-inspection.c:438
  • Bug #1564: defrag: evasion issue
  • Bug #1431: stream: last_ack update issue leading to stream gaps (2.0.x)
  • Bug #1483: 2.0.x backport: Leading whitespace in flowbits variable names
  • Bug #1490: http_host payload validation erroring on uppercase PCRE metacharacters
  • Bug #1501: 2.0.x backport: Add HUP coverage to output json-log
  • Bug #1510: 2.0.x: address var parsing issue
  • Bug #1513: stream_size <= and >= modifiers function as < and > (equality is not functional) (2.0.x)
  • Update bundled libhtp to 0.5.18

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Jérémy Beaume
  • Erik Hjelmvik
  • Alessandro Guido
  • Alexandre Macabies
  • Darren Spruell
  • Jay MJ
  • Charles Smutz

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

Training & Support

Need help installing, updating, validating and tuning Suricata? We have a training coming up in Barcelona in November: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.