Suricata 4.0.7 available!
We’re pleased to announce Suricata 4.0.7.
Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.0.7.tar.gz
EOL announcement
The Suricata 4.0.x branch will go end of life in 2 months, after which it will no longer be updated. If you are still on 4.0.x, it’s recommended that you start planning the upgrade to 4.1.x.
Changes
- Bug #2714: Failed Assertion, Suricata Abort – util-mpm-hs.c line 163
- Bug #2735: unix runmode deadlock when using too many threads (4.0.x)
- Bug #2794: Python 3 unicode issue in Rust C header generator on FreeBSD
- Bug #2824: rule reload with workers mode and NFQUEUE not working stable (4.0.x)
- Bug #2825: TCP FIN/ACK, RST/ACK in HTTP – detection bypass (4.0.x)
- Bug #2826: afpacket doesn’t wait for all capture threads to start (4.0.x)
- Bug #2827: DNS Golden Transaction ID – detection bypass (4.0.x)
- Bug #2828: Invalid detect-engine config could lead to segfault (4.0.x)
- Bug #2830: suricata.c ConfigGetCaptureValue – PCAP/AFP fallthrough to strip_trailing_plus (4.0.x)
- Bug #2831: Stats interval are 1 second too early each tick (4.0.x)
- Bug #2832: rust/dns/lua – The Lua calls for DNS values when using Rust don’t behave the same as the C implementation. (4.0.x)
- Bug #2863: out of bounds read in detection
- Feature #2829: smtp: improve pipelining support (4.0.x)
Special thanks
Philippe Antoine, Alexander Gozman, Fabrice Fontaine, Murat Balaban
Trainings
The 2019 Training Calendar has been posted. There are still seats available for next week’s Advanced Deployment and Threat Hunting training in Washington, D.C. See https://suricata-ids.org/training/
SuriCon
SuriCon 2018 was a great success and the 2019 location and dates have been announced: October 30 – November 1, 2019 in Amsterdam. Please consider becoming a sponsor! https://suricon.net/
About Suricata
Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.
Suricata 4.0.6 available!
We are pleased to announce Suricata 4.0.6. This is a security update fixing an SMTP crash issue, as well as a fair number of regular issues.
Security
An SMTP crash issue was fixed: CVE-2018-18956
Changes
- Bug #2568: negated fileext and filename do not work as expected (4.0.x)
- Bug #2576: filemd5 is not fired in some cases when there are invalid packets
- Bug #2607: File descriptor leak in af-packet mode (4.0.x)
- Bug #2634: Improve errors handling in AF_PACKET (4.0.x)
- Bug #2658: smtp segmentation fault (4.0.x)
- Bug #2664: libhtp 0.5.28 (4.0.x)
- Support #2512: http events – Weird unicode characters and truncation in some of http_method/http_user_agent fields
- Support #2546: Suricata 4.0.x blocking issues
Download
https://www.openinfosecfoundation.org/download/suricata-4.0.6.tar.gz
Special thanks
Maurizio Abba, Sean Cloherty
Trainings
Check out the latest training offerings at https://suricata-ids.org/training/
The 2019 calendar of trainings will be out soon – check back here or follow us on Twitter (@OISFoundation) for all training announcements
SuriCon 2018
SuriCon 2018 Vancouver is next week and it’s still possible to join! https://suricon.net/
Suricata 4.0.5 available!
We are pleased to announce Suricata 4.0.5. This is a security update fixing a number of security issues, as well as a fair number of regular issues.
Security
CVE-2018-10242, CVE-2018-10244 (suricata)
CVE-2018-10243 (libhtp)
Changes
- Bug #2480: http eve log data source/dest flip (4.0.x)
- Bug #2482: HTTP connect: difference in detection rates between 3.1 and 4.0.x
- Bug #2531: yaml: ConfYamlHandleInclude memleak (4.0.x)
- Bug #2532: memleak: when using app-layer event rules without rust
- Bug #2533: Suricata gzip unpacker bypass (4.0.x)
- Bug #2534: Suricata stops inspecting TCP stream if a TCP RST was met (4.0.x)
- Bug #2535: Messages with SC_LOG_CONFIG level are logged to syslog with EMERG priority (4.0.x)
- Bug #2537: libhtp 0.5.27 (4.0.x)
- Bug #2540: getrandom prevents any suricata start commands on more later OS’s (4.0.x)
- Bug #2544: ssh out of bounds read (4.0.x)
- Bug #2545: enip out of bounds read (4.0.x)
Download
https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz
Special thanks
Henning Perl, Kirill Shipulin, Alexander Gozman, Elazar Broad, Pierre Chifflier, Maurizio Abba, Renato Botelho
Trainings
Check out the latest training offerings at https://suricata-ids.org/training/
SuriCon 2018
SuriCon 2018 Vancouver agenda is up! https://suricon.net/agenda-vancouver/
Suricata 4.0.4 available!
We are pleased to announce Suricata 4.0.4. This is a security update fixing a number of security issues, as well as a fair number of regular issues.
Security
CVE-2018-6794 was requested for issue #2440
Changes
- Bug #2306: suricata 4 deadlocks during failed output log reopening
- Bug #2361: rule reload hangup
- Bug #2389: BUG_ON asserts in AppLayerIncFlowCounter (4.0.x)
- Bug #2392: libhtp 0.5.26 (4.0.x)
- Bug #2422: [4.0.3] af_packet: a leak that (possibly) breaks an inline channel
- Bug #2438: various config parsing issues
- Bug #2439: Fix timestamp offline when pcap timestamp is zero (4.0.x)
- Bug #2440: stream engine bypass issue (4.0.x)
- Bug #2441: der parser: bad input consumes cpu and memory (4.0.x)
- Bug #2443: DNP3 memcpy buffer overflow (4.0.x)
- Bug #2444: rust/dns: Core Dump with malformed traffic (4.0.x)
- Bug #2445: http bodies / file_data: thread space creation writing out of bounds
Download
https://www.openinfosecfoundation.org/download/suricata-4.0.4.tar.gz
Special thanks
Wolfgang Hotwagner, Kirill Shipulin, Pierre Chifflier, Alexander Gozman, Martin Natano, Maurizio Abba, Nick Price, Philippe Antoine, AFL
SuriCon 2018
Call for presentations is open and tickets for SuriCon 2018 are available: https://suricon.net/
Suricata 3.1.3 released!
We’re proud to announce Suricata 3.1.3. This release improves DNS logging accuracy. Other than that, it is mostly a collection of smaller fixes. This release fixes some important issues, so we highly recommend updating.
Changes
- Bug #1861: Suricata with multitenancy does not start in 3.1/3.1.1
- Bug #1889: Suricata doesn’t error on missing semicolon
- Bug #1910: libhtp 0.5.23 (3.1.x)
- Bug #1912: http.memcap reached condition can lead to dead lock
- Bug #1913: af-packet fanout detection broken on Debian Jessie
- Bug #1933: unix-command socket created with last character missing (3.1.x)
- Bug #1934: make install-full does not install tls-events.rules (3.1.x)
- Bug #1941: Can’t set fast_pattern on tls_sni content (3.1.x)
- Bug #1942: dns – back to back requests results in loss of response (3.1.x)
- Bug #1943: Check redis reply in non pipeline mode (3.1.x)
Get the release here:
https://www.openinfosecfoundation.org/download/suricata-3.1.3.tar.gz
Special thanks
Paulo Pacheco, Coverity Scan
Known issues & missing features
If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please see the list we have included of known items we are working on. See issues for an up-to-date list and to report new issues. See Known_issues for a discussion and timeline for the major issues.
SuriCon 2.0
Join us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. Agenda and speakers are now available, including keynote speakers Ron Gula and Liam Randall. Please see: http://suricon.net/
Training & Support
Need help installing, updating, validating, tuning and extending Suricata? There is a training November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/
For support options also see https://suricata-ids.org/support/
Suricata 3.1.2 released!
We’re proud to announce Suricata 3.1.2. This release fixes some important issues, so we highly recommend updating.
Changes
- Feature #1830: support ‘tag’ in eve log
- Feature #1870: make logged flow_id more unique
- Feature #1874: support Cisco Fabric Path / DCE
- Feature #1885: eve: add option to log all dropped packets
- Feature #1886: dns: output filtering
- Bug #1849: ICMPv6 incorrect checksum alert if Ethernet FCS is present
- Bug #1853: fix dce_stub_data buffer
- Bug #1854: unified2: logging of tagged packets not working
- Bug #1856: PCAP mode device not found
- Bug #1858: Lots of TCP ‘duplicated option/DNS malformed request data’ after upgrading from 3.0.1 to 3.1.1
- Bug #1878: dns: crash while logging sshfp records
- Bug #1880: icmpv4 error packets can lead to missed detection in tcp/udp
- Bug #1884: libhtp 0.5.22
Get the release here:
http://www.openinfosecfoundation.org/download/suricata-3.1.2.tar.gz
Special thanks
Kirill Shipulin – Positive Technologies, Christoffer Hallstensen – NTNU Gjøvik, Pedro Marinho – Proofpoint, Tom Decanio – FireEye, Coverity Scan
Training & Support
Need help installing, updating, validating, tuning and extending Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/
For support options also see https://suricata-ids.org/support/
Suricata 3.1 released!
We’re proud to announce Suricata 3.1.
This release brings significant improvements on the performance side:
- Hyperscan integration for Multi Pattern Matcher and Single Pattern Matcher. If installed, Hyperscan is now the default.
- Rewrite of the detection engine, simplifying rule grouping. This improves performance, while reducing memory usage and start up time in many scenarios.
Packet capture got a lot of attention:
- AF_PACKET support for tpacket-v3 (experimental)
- NETMAP usability improvements, especially on FreeBSD
Config:
- Reorganised default configuration layout provides for an intuitive and easy setup.
This release also comes with libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.
A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.
Other than that, lots of clean ups and optimizations:
- locking has been much simplified
- TCP and IPv6 decoder optimizations
- unittest clean ups
- AFL fuzz testing options were added
Have a look at the full change log: https://github.com/inliniac/suricata/blob/master/ChangeLog
Changes since 3.1RC1
- AF_PACKETv2 is the default as v3 is still experimental
- NFQ runmode workers was fixed
Get the release here:
http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz
Special thanks
Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan
Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich
Known issues & missing features
In a development release like this, things may not be as polished yet, so please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please see the list we have included of known items we are working on. See issues for an up-to-date list and to report new issues. See Known_issues for a discussion and timeline for the major issues.
SuriCon 2.0
Join us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/
Training & Support
Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/
For support options also see https://suricata-ids.org/support/
Suricata 3.1RC1 is out!
We’re happy to announce Suricata 3.1RC1. The plan is to release the stable version within a few weeks, so please help us test this release!
Lots of improvements on the performance side:
- Hyperscan integration for MPM and SPM. If installed, Hyperscan is now the default. See this guide.
- Rewrite of the detection engine, simplifying rule grouping. This reduces memory usage and startup time in many scenarios.
Packet capture got a lot of love:
- AF_PACKET support for tpacketv3
- NETMAP usability improvements, especially on FreeBSD
A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.
This release also bundles libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.
Other than that, lots of cleanups and optimizations:
- locking has been much simplified
- TCP and IPv6 decoder optimizations
- unittest cleanups
- AFL fuzzing options were added
Have a look at the full changelog: https://github.com/inliniac/suricata/blob/master/ChangeLog
Get the release here:
http://www.openinfosecfoundation.org/download/suricata-3.1RC1.tar.gz
Special thanks
Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan
Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich
Please help us test Suricata 3.0.1RC1
We’re hoping for your feedback on a new release: Suricata 3.0.1RC1. We’ve fixed many issues in 3.0, including important stability issues and memory leaks. A final release is expected within a week or so.
Get the new release here: http://www.openinfosecfoundation.org/download/suricata-3.0.1RC1.tar.gz
New Features
- Feature #1535: Expose the certificate itself in TLS-lua
- Feature #1696: improve logged flow_id
- Feature #1700: enable “relro” and “now” in compile options for 3.0
- Feature #1734: gre: support transparent ethernet bridge decoding
- Feature #1740: Create counters for decode-events errors
- updated bundled libhtp to 0.5.19
Fixes
Many issues were fixed, including stability issues and many (potential) memory leaks.
Full list: https://redmine.openinfosecfoundation.org/versions/81
Special thanks
We’d like to thank the following people and corporations for their contributions and feedback:
FireEye, ANSSI, Emerging Threats / Proofpoint, Stamus Networks,
NorCert, Ntop, Lastline, AFL project, CoverityScan
Tom Decanio, Mats Klepsland, Alexander Gozman, Aleksey Katargin
Maurizio Abba, Alessandro Guido, David Diallo, Giuseppe Longo
Jon Zeolla, Andreas Moe, Nicolas Thill, Travis Green, bladeswords
Alfredo Cardigliano, Rob Mosher, Andre ten Bohmer
November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://suricon.net
If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/
For support options also see https://suricata-ids.org/support/
Suricata 3.0 Available!
We’re proud to announce Suricata 3.0. This is a major new release improving Suricata on many fronts.
Download
http://www.openinfosecfoundation.org/download/suricata-3.0.tar.gz
Features and Improvements
- improved detection options, including multi-tenancy and xbits
- performance and scalability much improved
- much improved accuracy and robustness
- Lua scripting capabilities expanded significantly
- many output improvements, including much more JSON
- NETMAP capture method support, especially interesting to FreeBSD users
- SMTP inspection and file extraction
For a full list of features added, please see:
https://redmine.openinfosecfoundation.org/versions/80
Upgrading
Upgrades from 2.0 to 3.0 should be mostly seamless. Here are some notes:
Special thanks
We’d like to thank the following people and corporations for their contributions and feedback:
FireEye, ProtectWise, ANSSI, Emerging Threats /
Proofpoint, Stamus Networks, Ntop, AFL project, CoverityScan
Aaron Campbell, Aleksey Katargin, Alessandro Guido,
Alexander Gozman, Alexandre Macabies, Alfredo Cardigliano,
Andreas Moe, Anoop Saldanha, Antti Tönkyrä, Bill Meeks,
Darien Huss, David Abarbanel, David Cannings, David Diallo,
David Maciejak, Duarte Silva, Eduardo Arada, Giuseppe Longo,
Greg Siemon, Hayder Sinan, Helmut Schaa, Jason Ish,
Jeff Barber, Ken Steele, lessyv, Mark Webb-Johnson,
Mats Klepsland, Matt Carothers, Michael Rash, Nick Jones,
Pierre Chifflier, Ray Ruvinskiy, Samiux A, Schnaffon,
Stephen Donnelly, sxhlinux, Tom DeCanio, Torgeir Natvig,
Travis Green, Zachary Rasmor
November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://oisfevents.net
If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/
For support options also see https://suricata-ids.org/support/