Tag Archive | stable

Suricata 3.0.2 released

We are pleased to announce Suricata 3.0.2. The release addresses various issues affecting stability. Libhtp 0.5.20 is bundled.suri-400x400

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.0.2.tar.gz

Special thanks

ANSSI, Stamus Networks, NorCert, AFL project, CoverityScan

Mats Klepsland, Aleksey Katargin, David Diallo

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.11 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.11. This release fixes a number of important issues in the 2.0 series.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.11.tar.gz

Changes

  • Bug #1572: 2.0.8 FlowGetKey flow-hash.c:240 segmentation fault (icmp destination unreachable)
  • Bug #1637: drop log crashes
  • Bug #1639: 2.0.x: Fix non thread safeness of Prelude analyzer
  • Bug #1649: DER parsing issue
  • Bug #1651: HTTP body tracking using excessive memory
  • Bug #1652: SMTP parsing issue (2.0.x)
  • Bug #1653: DNS over TCP parsing issue (2.0.x)
  • Bug #1654: TCP reassembly bug (2.0.x)

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Mark Webb-Johnson
  • Nick Jones
  • Hayder Sinan
  • Samiux A

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. Paris in July, Barcelona in November: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.10 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.10. This release fixes a number of important issues in the 2.0 series.

A number of other issues were fixed. Upgrading is highly recommended.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.10.tar.gz

Changes

  • Bug #1596: dns parser issue reported & fixed by Aaron Campbell
  • Bug #1554: stored: false in files log when files were actually stored
  • Feature #1581: support LINKTYPE_NULL

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Aaron Campbell
  • Giuseppe Longo
  • Greg Siemon

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. Paris in July, Barcelona in November: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.9 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.9. This release fixes a number of issues in the 2.0 series.

Couple of important fixes: defrag evasion, a crash when using certain rules (mixing regular content and relative bytejumps with dce option) and better detection of TCP retransmissions with different data.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.9.tar.gz

Changes

  • Bug#1558: stream: retransmission not detected (2.0.x)
  • Bug #1550: Segmentation Fault at detect-engine-content-inspection.c:438
  • Bug #1564: defrag: evasion issue
  • Bug #1431: stream: last_ack update issue leading to stream gaps (2.0.x)
  • Bug #1483: 2.0.x backport: Leading whitespace in flowbits variable names
  • Bug #1490: http_host payload validation erroring on uppercase PCRE metacharacters
  • Bug #1501: 2.0.x backport: Add HUP coverage to output json-log
  • Bug #1510: 2.0.x: address var parsing issue
  • Bug #1513: stream_size <= and >= modifiers function as < and > (equality is not functional) (2.0.x)
  • Update bundled libhtp to 0.5.18

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Jérémy Beaume
  • Erik Hjelmvik
  • Alessandro Guido
  • Alexandre Macabies
  • Darren Spruell
  • Jay MJ
  • Charles Smutz

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

Training & Support

Need help installing, updating, validating and tuning Suricata? We have a training coming up in Barcelona in November: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.8 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.8. This release fixes a number of important issues in the 2.0 series.

The most important issue is a bug in the DER parser which is used to decode SSL/TLS certificates could crash Suricata. This issue was reported by Kostya Kortchinsky of the Google Security Team and was fixed by Pierre Chifflier of ANSSI.

Those processing large numbers of (untrusted) pcap files need to update as a malformed pcap could crash Suricata. Again, credits go to Kostya Kortchinsky.

A number of other issues were fixed. Upgrading is highly recommended.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.8.tar.gz

We have a new release key (the previous expired): http://www.openinfosecfoundation.org/download/OISF.pub (00C1B70D)

Changes

  • Bug #1450: tls parsing issue
  • Bug #1460: pcap parsing issue
  • Bug #1461: potential deadlock
  • Bug #1404: Alert-Debuglog not being rotated on SIGHUP
  • Bug #1420: inverted matching on incomplete session
  • Bug #1462: various issues in rule and yaml parsing

Security

The TLS/DER parsing issue has CVE-2015-0971 assigned to it.

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Kostya Kortchinsky of the Google Security Team
  • Pierre Chifflier of ANSSI
  • Sundar Jeyaraman of FireEye
  • Darien Huss — Emerging Threats
  • Alexander Gozman
  • AFL project
  • Coverity Scan

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. Paris in July, Barcelona in November: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.7 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.7. This release fixes a number of important issues in the 2.0 series.

Two major issues. The first was brought to our attention by the Yahoo Pentest Team. It’s a parsing issue in the DCERPC parser that can happen when Suricata runs out of memory. The exact scope of the problem isn’t clear, but it could certainly lead to crashes. RCE might theoretically be possible but looks like it’s very hard.

The second issue was reported by Darien Huss of Emerging Threats. This is technically a libhtp issue, but it affects Suricata detection and logging. Certain characters in the URI could confuse the parsing of the HTTP request line, leading to possible detection bypass for ‘http_uri’ and to incomplete logging of the URI. Libhtp 0.5.17 has been released to address this and is bundled in 2.0.7.

Other than that a bunch of improvements and fixes. It should work again on CentOS 5. Midstream TCP was improved and some performance optimizations for HTTP proxy traffic were made.

Upgrading is highly recommended.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.7.tar.gz

Changes

  • Bug #1385: DCERPC traffic parsing issue
  • Bug #1391: http uri parsing issue
  • Bug #1383: tcp midstream window issue
  • Bug #1318: A thread-sync issue in streamTCP
  • Bug #1375: Regressions in list keywords option
  • Bug #1387: pcap-file hangs on systems w/o atomics support
  • Bug #1395: dump-counters unix socket command failure
  • Optimization #1376: file list is not cleaned up

Security

The DCERPC parsing issue has CVE-2015-0928 assigned to it.

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • The Yahoo Pentest Team
  • Darien Huss — Emerging Threats
  • FireEye
  • Dennis Lee

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.6 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.6. This release fixes a number of important issues in the 2.0 series. The most important part is the fixing of evasion issues, therefore upgrading is highly recommended!

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.6.tar.gz

Changes

  • Bug #1364: evasion issues
  • Bug #1337: output-json: duplicate logging
  • Bug #1325: tls detection leads to tcp stream reassembly sequence gaps (IPS)
  • Bug #1192: Suricata does not compile on OS X/Clang due to redefinition of string functions
  • Bug #1183: pcap: cppcheck warning

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Martin Küchler

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.5 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.5. This release fixes a number of important issues in the 2.0 series.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.5.tar.gz

Changes

  • Bug #1190: http_header keyword not matching when SYN|ACK and ACK missing
  • Bug #1246: EVE output Unix domain socket not working
  • Bug #1272: Segfault in libhtp 0.5.15
  • Bug #1298: Filestore keyword parsing issue
  • Bug #1303: improve stream ‘bad window update’ detection
  • Bug #1304: improve stream handling of bad SACK values
  • Bug #1305: fix tcp session reuse for ssh/ssl sessions
  • Bug #1307: byte_extract, within combination not working
  • Bug #1326: pcre pkt/flowvar capture broken for non-relative matches
  • Bug #1329: Invalid rule being processed and loaded
  • Bug #1330: Flow memuse bookkeeping error (2.0.x)

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Jason Ish — Endace/Emulex
  • Ken Steele — Tilera
  • lessyv
  • Tom DeCanio — FireEye
  • Andreas Herz
  • Matt Carothers
  • Duane Howard
  • Edward Fjellskål
  • Giuseppe Longo

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.4 Available!

Photo by Eric Leblond

The OISF development team is pleased to announce Suricata 2.0.4. This release fixes a number of important issues in the 2.0 series.

This update fixes a bug in the SSH parser, where a malformed banner could lead to evasion of SSH rules and missing log entries. In some cases it may also lead to a crash. Bug discovered and reported by Steffen Bauch.

Additionally, this release also addresses a new IPv6 issue that can lead to evasion. Bug discovered by Rafael Schaefer working with ERNW GmbH.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.4.tar.gz

Changes

  • Bug #1276: ipv6 defrag issue with routing headers
  • Bug #1278: ssh banner parser issue
  • Bug #1254: sig parsing crash on malformed rev keyword
  • Bug #1267: issue with ipv6 logging
  • Bug #1273: Lua – http.request_line not working
  • Bug #1284: AF_PACKET IPS mode not logging drops and stream inline issue

Security

  • CVE-2014-6603

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0.3 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0.3. This release fixes a number of issues in the 2.0 series. Most importantly, this release addresses a number of IPv6 issues that can lead to evasion. Bugs discovered by Rafael Schaefer working with ERNW GmbH.

Download

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0.3.tar.gz

Changes

  • Bug #1236: fix potential crash in http parsing
  • Bug #1244: ipv6 defrag issue
  • Bug #1238: Possible evasion in stream-tcp-reassemble.c
  • Bug #1221: lowercase conversion table missing last value
  • Support #1207: Cannot compile on CentOS 5 x64 with –enable-profiling
  • Updated bundled libhtp to 0.5.15

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Rafael Schaefer working with ERNW GmbH
  • Antonios Atlasis working with ERNW GmbH
  • Alexander Gozman
  • sxhlinux
  • Ivan Ristic

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.