Tag Archive | suricata

Suricata 4.1 EOL update: support extended

Just a quick note that we’re planning to keep the 4.1 branch supported until at least the end of the year. We understand that lots of organizations are going through various levels of disruption currently.

Normally we’d announce the EOL date for 4.1 right about now, but we understand that upgrades like this may not be a priority in your organization, or that the risk of causing service disruptions is considered too high in the current situation.

As the end of 2020 nears we’ll provide another update on our 4.1 plans.

5.0, our current stable branch, will naturally be supported as well.

Work on the upcoming 6.0 is progressing nicely. The Suricata Dev team is already a virtual team with most of us routinely working from home, so disruption for us has so far been minimal.

Stay healthy!

Announcing forum.suricata.io

We’re happy to announce that for Suricata we’re going to trial a Discourse setup. Discourse is a “place for civilized discussion”. It is used by others in the open source community, such as Mozilla and the Rust Language project.

Join at https://forum.suricata.io/

Reasons for choosing Discourse

Easy to get started for users: the default forum style interface makes it easy to start interacting with the community. It also directly gives access to (participating in) discussions that predate the registration, something that is much harder in the current mailing lists. By enabling a number of ‘social logins’, signing up is also easy.

Trial goals

Goals of the trial are finding out how the community would use this platform, how we can manage it against various forms of unwanted activity and if we can see an uptick of users. Next to this we want to use the trial period to adjust settings, experiment with plugins and themes.

Trial steps

During the trial we will use the hosted version of Discourse, which is hosted by the developers of the platform. During the trial or at the end of the trial we’ll evaluate how well this worked for us. Discourse can also be self-hosted.

The trial will run until June 1st. Assuming the trial is successful, we will then start a transition phase where we will discourage the use of the old mailinglists. End of summer / early fall we’ll then disable them completely. We will keep the archives online of course.

Mailinglist

For people who dislike forums or in general dislike web based interfaces, Discourse offers a special ‘mailing list mode’. In this mode you can receive posts as emails, reply to them and start new topics as well. The mailinglist mode can be activated in the ‘preferences’ page of your account.

See https://forum.suricata.io/t/mailinglist-mode

Feedback

In the ‘Site Feedback’ category you can give feedback on the setup, predefined categories, moderation, etc. Please use this if you feel there are things that can be done to improve the usefulness of the platform.

See: https://forum.suricata.io/c/site-feedback/

Hope to see you at https://forum.suricata.io/

Suricata 5.0.2 released

We’re pleased to announce Suricata 5.0.2. This release fixes a number of issues found in the 5.0 branch.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-5.0.2.tar.gz

Changes

  • Bug #2993: Suricata 5.0.0beta1 memory allocation of 4294966034 bytes failed
  • Bug #3380: Segfault when using multi-detect
  • Bug #3400: smb: post-GAP file tx handling
  • Bug #3424: nfs: post-GAP some transactions never close
  • Bug #3425: nfs: post-GAP file tx handling
  • Bug #3433: coverity: CID 1456679: Memory – corruptions (NEGATIVE_RETURNS)
  • Bug #3434: coverity: CID 1456680: Incorrect expression (IDENTICAL_BRANCHES)
  • Bug #3469: gcc10: compilation failure unless -fcommon is supplied (5.0.x)
  • Bug #3473: Dropping privileges does not work with NFLOG (5.0.x)
  • Documentation #3423: readthedocs shows title of documentation as “Suricata unknown documentation”

Special thanks

Jason Taylor, Timo Sigurdsson, vanlink

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.7 released

We’re pleased to announce Suricata 4.1.7. This release fixes a number of issues found in the 4.1 branch.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.7.tar.gz

Changes

  • Bug #3417: –disable-geoip does not work (4.1.x)
  • Bug #3448: Suricata 4.1 Seg Fault: Socket Control pcap-file and corrupt pcap
  • Bug #3452: smb: post-GAP file tx handling (4.1.x)
  • Bug #3453: coverity: CID 1456680: Incorrect expression (IDENTICAL_BRANCHES) (4.1.x)
  • Bug #3470: gcc10: compilation failure unless -fcommon is supplied (4.1.x)
  • Bug #3471: nfs: post-GAP some transactions never close (4.1.x)
  • Bug #3472: nfs: post-GAP file tx handling (4.1.x)
  • Bug #3474: Dropping privileges does not work with NFLOG (4.1.x)

Special thanks

Danny Browning, Fabrice Fontaine, Timo Sigurdsson, vanlink

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 5.0.1 released

We’re pleased to announce Suricata 5.0.1. This release fixes a number of issues found in the 5.0 branch. There are still a number of open issues that we are working on. See our 5.0.2 target here: https://redmine.openinfosecfoundation.org/versions/142

This release fixes a number of IPv4 and TCP evasion issues reported by Nicolas Adba.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-5.0.1.tar.gz

Changes

  • Bug #1871: intermittent abort()s at shutdown and in unix-socket
  • Bug #2810: enabling add request/response http headers in master
  • Bug #3047: byte_extract does not work in some situations
  • Bug #3073: AC_CHECK_FILE on cross compile
  • Bug #3103: –engine-analysis warning for flow on an icmp request rule
  • Bug #3120: nfq_handle_packet error -1 Resource temporarily unavailable warnings
  • Bug #3237: http_accept not treated as sticky buffer by –engine-analysis
  • Bug #3254: tcp: empty SACK option leads to decoder event
  • Bug #3263: nfq: invalid number of bytes reported
  • Bug #3264: EVE DNS Warning about defaulting to v2 as version is not set.
  • Bug #3266: fast-log: icmp type prints wrong value
  • Bug #3267: Support for tcp.hdr Behavior
  • Bug #3275: address parsing: memory leak in error path
  • Bug #3277: segfault when test a nfs pcap file
  • Bug #3281: Impossible to cross-compile due to AC_CHECK_FILE
  • Bug #3284: hash function for string in dataset is not correct
  • Bug #3286: TCP evasion technique by faking a closed TCP session
  • Bug #3324: TCP evasion technique by overlapping a TCP segment with a fake packet
  • Bug #3328: bad ip option evasion
  • Bug #3340: DNS: DNS over TCP transactions logged with wrong direction.
  • Bug #3341: tcp.hdr content matches don’t work as expected
  • Bug #3345: App-Layer: Not all parsers register TX detect flags that should
  • Bug #3346: BPF filter on command line not honored for pcap file
  • Bug #3362: cross compiling not affecting rust component of surrcata
  • Bug #3376: http: pipelining tx id handling broken
  • Bug #3386: Suricata is unable to get MTU from NIC after 4.1.0
  • Bug #3389: EXTERNAL_NET no longer working in 5.0 as expected
  • Bug #3390: Eve log does not generate pcap_filename when Interacting via unix socket in pcap processing mode
  • Bug #3397: smtp: file tracking issues when more than one attachment in a tx
  • Bug #3398: smtp: ‘raw-message’ option file tracking issues with multi-tx
  • Bug #3399: smb: post-GAP some transactions never close
  • Bug #3401: smb1: ‘event only’ transactions for bad requests never close
  • Bug #3411: detect/asn1: crashes on packets smaller than offset setting
  • Task #3364: configure: Rust 1.37+ has cargo-vendor support bundled into cargo.
  • Documentation #2885: update documentation to indicate -i can be used multiple times
  • Bundle Suricata-Update 1.1.1
  • Bundle Libhtp 0.5.32

Special thanks

Nicolas Adba, Alexander Gozman, Ciprian, Daisu, EmilienCourt, Fabrice Fontaine, Pascal Delalande, Steven Hostetler, Wesley van der Ree, Jason Taylor

Trainings

See https://suricata_events.eventbrite.com/ for the current list of planned training sessions.

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.1.6 released

We’re pleased to announce Suricata 4.1.6. This release fixes a number of issues found in the 4.1 branch.

This release fixes a number of IPv4 and TCP evasion issues reported by Nicolas Adba.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.6.tar.gz

Changes

  • Bug #3276: address parsing: memory leak in error path (4.1.x)
  • Bug #3278: segfault when test a nfs pcap file (4.1.x)
  • Bug #3279: ikev2 enabled in config even if Rust is disabled
  • Bug #3325: lua issues on arm (fedora:29) (4.1.x)
  • Bug #3326: Static build with pcap fails (4.1.x)
  • Bug #3327: tcp: empty SACK option leads to decoder event (4.1.x)
  • Bug #3347: BPF filter on command line not honored for pcap file (4.1.x)
  • Bug #3355: DNS: DNS over TCP transactions logged with wrong direction. (4.1.x)
  • Bug #3356: DHCP: Slow down over time due to lack of detect flags (4.1.x)
  • Bug #3369: byte_extract does not work in some situations (4.1.x)
  • Bug #3385: fast-log: icmp type prints wrong value (4.1.x)
  • Bug #3387: suricata is logging tls log repeatedly if custom mode is enabled (4.1.x)
  • Bug #3388: TLS Lua output does not work without TLS log (4.1.x)
  • Bug #3391: Suricata is unable to get MTU from NIC after 4.1.0 (4.1.x)
  • Bug #3393: http: pipelining tx id handling broken (4.1.x)
  • Bug #3394: TCP evasion technique by overlapping a TCP segment with a fake packet (4.1.x)
  • Bug #3395: TCP evasion technique by faking a closed TCP session (4.1.x)
  • Bug #3402: smb: post-GAP some transactions never close (4.1.x)
  • Bug #3403: smb1: ‘event only’ transactions for bad requests never close (4.1.x)
  • Bug #3404: smtp: file tracking issues when more than one attachment in a tx (4.1.x)
  • Bug #3405: Filehash rule does not fire without filestore keyword
  • Bug #3410: intermittent abort()s at shutdown and in unix-socket (4.1.x)
  • Bug #3412: detect/asn1: crashes on packets smaller than offset setting (4.1.x)
  • Task #3367: configure: Rust 1.37+ has cargo-vendor support bundled into cargo (4.1.x)
  • Bundle Suricata-Update 1.0.6
  • Bundle Libhtp 0.5.32

Special thanks

Nicolas Adba, Mats Klepsland, Fabrice Fontaine

Trainings

See https://suricata_events.eventbrite.com/ for the current list of planned training sessions.

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Announcing Suricata 5.0.0

The OISF’s Suricata development team is proud to announce Suricata 5.0.0. This release brings many new features and improvements.

RDP, SNMP, FTP and SIP

Three new protocol parsers and loggers, all community contributions. Zach Kelly created a Rust RDP parser, while Giuseppe Longo created SIP support. Rust master Pierre Chifflier contributed SNMP support. Since RDP and SIP were merged late in our development cycle they are disabled by default in the configuration. For FTP we have added an EVE logging facility.

JA3S

After contributing JA3 support in Suricata 4.1, Mats Klepsland has been working on JA3S support. JA3S is now available to the rule language and in the TLS logging output.

Datasets

Still experimental at this time, the initial work to support datasets is part of this release. It allows matching on large amounts of data. It is controlled from the rule language and will work with any ‘sticky buffer’.

See documentation at https://suricata.readthedocs.io/en/suricata-5.0.0/rules/datasets.html

We’ve already heard of people using this with millions of IOCs.

Documentation

With the help of many community members we’ve been improving the user documentation. Please see: https://suricata.readthedocs.io/en/suricata-5.0.0/

HTTP evader

We’ve been working hard to cover the final set of HTTP evader cases. This work has mostly gone into the bundled libhtp 0.5.31.

Rust

The most visible is that our Rust support is no longer optional. We’re convinced that Rust is a perfect match for Suricata, and we plan to increase its footprint in our code base steadily. By making it mandatory we’re able to remove parallel implementations and focus fully on making the Rust code better.

Protocol Detection

The protocol detection engine has been extended to provide better accuracy as well as support for dealing with asynchronous flows. These async flows are sometimes picked up in the wrong direction and the protocol detection engine can now reverse them.

Decoder Anomaly records in EVE

A new log record type has been added: ‘anomaly’. This logs the stream and decoder events that are set by the packet decoders. This is inspired by Zeeks (Bro) ‘weird’ log.

EVE improvements

VLAN and capture interface is now part of many more EVE records, even if they are flow records or records based on flow time out.

An option to log all HTTP headers to the EVE http records has been added.

Packet Capture

Eric Leblond has been working hard to getting hardware offload support working for eBPF. On Netronome cards the eBPF based flow bypass can now be offloaded to the NIC. As eBPF is becoming a standard in the Linux space, we are hoping to see other hardware offload soon as well.

Netmap support has been rewritten so the more advanced features of netmap, such as vale switches, can be used now.

Napatech usability has been improved.

Rule language: Sticky Buffers

As discussed at the Suricon 2018 brainstorm session, a new rule keyword scheme is being introduced. It takes the existing ‘sticky buffer’ approach with new keyword names to avoid confusion. The new scheme is <proto>.<buffer>, so for example ‘http.uri’ for the URI inspection.

A number of HTTP keywords have been added.

Unified Lua inspection mixed with the sticky buffers has also been implemented.

Python 3

With Python 2’s EOL approaching, we’ve made sure that all Suricata’s python code is Python 3 compliant.

Removals

Following our deprecation policy, we have removed the following parts: the plain text dns.log, the old files-json.log and support for the Tilera architecture.

https://suricata-ids.org/about/deprecation-policy/

All tickets

Beta 1 tickets: https://redmine.openinfosecfoundation.org/versions/115

RC 1 tickets: https://redmine.openinfosecfoundation.org/versions/128

Final tickets: https://redmine.openinfosecfoundation.org/versions/129

Download

https://suricata-ids.org/download/

Suricata 4.1.5 released

We’re pleased to announce Suricata 4.1.5. This release fixes a number of issues found in the 4.1 branch. Some of the issues are security issues, so upgrading is highly recommended.

This release also adds VXLAN support, contributed by Henrik Lund Kramshoej. This was accepted into the stable branch to support Suricata deployment in AWS. Next GeoIP2 support was contributed by Bill Meeks. This was added to stable as GeoIP1 is end of life and the databases are no longer updated.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.5.tar.gz

Changes

  • Feature #3068: protocol parser: vxlan (4.1.x)
  • Bug #2841: False positive alerts firing after upgrade suricata 3.0 -> 4.1.0 (4.1.x)
  • Bug #2966: filestore (v1 and v2): dropping of “unwanted” files (4.1.x)
  • Bug #3008: rust: updated libc crate causes depration warnings (4.1.x)
  • Bug #3044: tftp: missing logs because of broken tx handling (4.1.x)
  • Bug #3067: GeoIP keyword depends on now discontinued legacy GeoIP database (4.1.x)
  • Bug #3094: Fedora rawhide af-packet compilation err (4.1.x)
  • Bug #3123: bypass keyword: Suricata 4.1.x Segmentation Faults (4.1.x)
  • Bug #3129: Fixes warning about size of integers in string formats (4.1.x)
  • Bug #3159: SC_ERR_PCAP_DISPATCH with message “error code -2” upon rule reload completion (4.1.x)
  • Bug #3164: Suricata 4.1.4: NSS Shutdown triggers crashes in test mode
  • Bug #3168: tls: out of bounds read
  • Bug #3170: defrag: out of bounds read
  • Bug #3173: ipv4: ts field decoding oob read
  • Bug #3175: File_data inspection depth while inspecting base64 decoded data (4.1.x)
  • Bug #3184: decode/der: crafted input can lead to resource starvation
  • Bug #3186: Multiple Content-Length headers causes HTP_STREAM_ERROR (4.1.x)
  • Bug #3187: GET/POST HTTP-request with no Content-Length, http_client_body miss (4.1.x)

Special thanks

Bill Meeks, Henrik Lund Kramshoej, Yujie Zhao, Alexander Bluhm

Sirko Höer — Code Intelligence GmbH, DCSO.

Trainings

See https://suricata_events.eventbrite.com/ for the current list of planned training sessions.

Suricon

Suricon 2019 will happen in Amsterdam in little over a month! For tickets, trainings and sponsorships, see: https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Call for testing: announcing Suricata 5.0.0-beta1

We’re happy to present the first beta in the upcoming Suricata 5.0 series. In 5.0 we’re making a couple of large changes.

Rust

The most visible is that our Rust support is no longer optional. We’re convinced that Rust is a perfect match for Suricata, and we plan to increase its footprint in our code base steadily. By making it mandatory we’re able to remove parallel implementations and focus fully on making the Rust code better.

Protocol Detection

The protocol detection engine has been extended to provide better accuracy as well as support for dealing with asynchronous flows. These async flows are sometimes picked up in the wrong direction and the protocol detection engine can now reverse them.

Decoder Anomaly records in EVE

A new log record type has been added: ‘anomaly’. This logs the stream and decoder events that are set by the packet decoders. This is inspired by Zeeks (Bro) ‘weird’ log.

EVE improvements

VLAN and capture interface is now part of many more EVE records, even if they are flow records or records based on flow time out.

An option to log all HTTP headers to the EVE http records has been added.

Packet Capture

Netmap support has been rewritten so the more advanced features of netmap, such as vale switches, can be used now.

Napatech usability has been improved.

Rule language: Sticky Buffers (in progress)

As discussed at the Suricon 2018 brainstorm session, a new rule keyword scheme is being introduced. It takes the existing ‘sticky buffer’ approach with new keyword names to avoid confusion. The new scheme is <proto>.<buffer>, so for example ‘http.uri’ for the URI inspection.

A number of HTTP keywords have been added.

Unified Lua inspection mixed with the sticky buffers has also been implemented.

Python 3

With Python 2’s EOL approaching, we’ve made sure that all Suricata’s python code is Python 3 compliant.

Removals

Following our deprecation policy, we have removed the following parts: the plain text dns.log, the old files-json.log and support for the Tilera architecture.

https://suricata-ids.org/about/deprecation-policy/

Many more things

https://redmine.openinfosecfoundation.org/versions/115

Time line

We’re planning the first release candidate in about a month, with the final about a month later. So early July.

Get involved

If you’re interested in helping out, we’d be happy to accept patches, documentation, test reports and other kind of feedback.

Download from:

https://www.openinfosecfoundation.org/downloads/suricata-5.0.0-beta1.tar.gz

Suricata 4.1.4 released

We’re pleased to announce Suricata 4.1.4. This release fixes a number of issues found in the 4.1 branch.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.4.tar.gz

Changes

  • Bug #2870: pcap logging with lz4 coverity warning
  • Bug #2883: ssh: heap buffer overflow
  • Bug #2884: mpls: heapbuffer overflow in file decode-mpls.c
  • Bug #2887: decode-ethernet: heapbuffer overflow in file decode-ethernet.c
  • Bug #2888: 4.1.3 core in HCBDCreateSpace
  • Bug #2894: smb 1 create andx request does not parse the filename correctly
  • Bug #2902: rust/dhcp: panic in dhcp parser
  • Bug #2903: mpls: cast of misaligned data leads to undefined behavior
  • Bug #2904: rust/ftp: panic in ftp parser
  • Bug #2943: rust/nfs: integer underflow
  • This release includes Suricata-Update 1.0.5

Special thanks

Alexander Bluhm, Giuseppe Longo, Max Fillinger, Wesley van der Ree, Jason Taylor
Sirko Höer — Code Intelligence GmbH, DCSO.

Trainings

See https://suricata_events.eventbrite.com/ for the current list of planned training sessions.

Suricon

The CFP for Suricon 2019 is open! Submit your talk proposal at: https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.