Tag Archive | tcp

Suricata 4.0.7 available!

We’re pleased to announce Suricata 4.0.7.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.0.7.tar.gz

EOL announcement

The Suricata 4.0.x branch will go end of life in 2 months, after which it will no longer be updated. If you are still on 4.0.x, it’s recommended that you start planning the upgrade to 4.1.x.

Changes

  • Bug #2714: Failed Assertion, Suricata Abort – util-mpm-hs.c line 163
  • Bug #2735: unix runmode deadlock when using too many threads (4.0.x)
  • Bug #2794: Python 3 unicode issue in Rust C header generator on FreeBSD
  • Bug #2824: rule reload with workers mode and NFQUEUE not working stable (4.0.x)
  • Bug #2825: TCP FIN/ACK, RST/ACK in HTTP – detection bypass (4.0.x)
  • Bug #2826: afpacket doesn’t wait for all capture threads to start (4.0.x)
  • Bug #2827: DNS Golden Transaction ID – detection bypass (4.0.x)
  • Bug #2828: Invalid detect-engine config could lead to segfault (4.0.x)
  • Bug #2830: suricata.c ConfigGetCaptureValue – PCAP/AFP fallthrough to strip_trailing_plus (4.0.x)
  • Bug #2831: Stats interval are 1 second too early each tick (4.0.x)
  • Bug #2832: rust/dns/lua – The Lua calls for DNS values when using Rust don’t behave the same as the C implementation. (4.0.x)
  • Bug #2863: out of bounds read in detection
  • Feature #2829: smtp: improve pipelining support (4.0.x)

Special thanks

Philippe Antoine, Alexander Gozman, Fabrice Fontaine, Murat Balaban

Trainings

The 2019 Training Calendar has been posted. There are still seats available for next weeks Advanced Deployment and Threat Hunting training in Washington, D.C. See https://suricata-ids.org/training/

SuriCon

Suricon 2018 was a great success and the 2019 location and dates have been announced: October 30 – November 1, 2019 in Amsterdam. Please consider becoming a sponsor! https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.0.6 available!

suri-400x400

We are pleased to announce Suricata 4.0.6.  This is a security update fixing a SMTP crash issue, as well as a fair number of regular issues.

Security

SMTP crash issue was fixed: CVE-2018-18956

Changes

  • Bug #2568: negated fileext and filename do not work as expected (4.0.x)
  • Bug #2576: filemd5 is not fired in some cases when there are invalid packets
  • Bug #2607: File descriptor leak in af-packet mode (4.0.x)
  • Bug #2634: Improve errors handling in AF_PACKET (4.0.x)
  • Bug #2658: smtp segmentation fault (4.0.x)
  • Bug #2664: libhtp 0.5.28 (4.0.x)
  • Support #2512: http events – Weird unicode characters and truncation in some of http_method/http_user_agent fields
  • Support #2546: Suricata 4.0.x blocking issues

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.6.tar.gz

Special thanks

Maurizio Abba, Sean Cloherty

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

The 2019 calendar of trainings will be out soon – check back here or follow us on Twitter (@OISFoundation) for all training announcements

Suricon 2018

Suricon 2018 Vancouver is next week and it’s still possible to join! https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors and the community.

Suricata 4.0.5 available!

suri-400x400

We are pleased to announce Suricata 4.0.5.  This is a security update fixing a number of security issues, as well as a fair number of regular issues.

Security

CVE-2018-10242, CVE-2018-10244 (suricata)
CVE-2018-10243 (libhtp)

Changes

  • Bug #2480: http eve log data source/dest flip (4.0.x)
  • Bug #2482: HTTP connect: difference in detection rates between 3.1 and 4.0.x
  • Bug #2531: yaml: ConfYamlHandleInclude memleak (4.0.x)
  • Bug #2532: memleak: when using app-layer event rules without rust
  • Bug #2533: Suricata gzip unpacker bypass (4.0.x)
  • Bug #2534: Suricata stops inspecting TCP stream if a TCP RST was met (4.0.x)
  • Bug #2535: Messages with SC_LOG_CONFIG level are logged to syslog with EMERG priority (4.0.x)
  • Bug #2537: libhtp 0.5.27 (4.0.x)
  • Bug #2540: getrandom prevents any suricata start commands on more later OS’s (4.0.x)
  • Bug #2544: ssh out of bounds read (4.0.x)
  • Bug #2545: enip out of bounds read (4.0.x)

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz

Special thanks

Henning Perl, Kirill Shipulin, Alexander Gozman, Elazar Broad, Pierre Chifflier, Maurizio Abba, Renato Botelho

Trainings

Check out the latest training offerings at https://suricata-ids.org/training/

SuriCon 2018

SuriCon 2018 Vancouver agenda is up! https://suricon.net/agenda-vancouver/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 4.0.4 available!

suri-400x400

We are pleased to announce Suricata 4.0.4.  This is a security update fixing a number of security issues, as well as a fair number of regular issues.

Security

CVE-2018-6794 was requested for issue #2440

Changes

  • Bug #2306: suricata 4 deadlocks during failed output log reopening
  • Bug #2361: rule reload hangup
  • Bug #2389: BUG_ON asserts in AppLayerIncFlowCounter (4.0.x)
  • Bug #2392: libhtp 0.5.26 (4.0.x)
  • Bug #2422: [4.0.3] af_packet: a leak that (possibly) breaks an inline channel
  • Bug #2438: various config parsing issues
  • Bug #2439: Fix timestamp offline when pcap timestamp is zero (4.0.x)
  • Bug #2440: stream engine bypass issue (4.0.x)
  • Bug #2441: der parser: bad input consumes cpu and memory (4.0.x)
  • Bug #2443: DNP3 memcpy buffer overflow (4.0.x)
  • Bug #2444: rust/dns: Core Dump with malformed traffic (4.0.x)
  • Bug #2445: http bodies / file_data: thread space creation writing out of bounds

Download

https://www.openinfosecfoundation.org/download/suricata-4.0.4.tar.gz

Special thanks

Wolfgang Hotwagner, Kirill Shipulin, Pierre Chifflier, Alexander Gozman, Martin Natano, Maurizio Abba, Nick Price, Philippe Antoine, AFL

SuriCon 2018

Call for presentations is open and tickets for SuriCon 2018 are available: https://suricon.net/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1.3 released!

We’re proud to announce Suricata 3.1.3. This release improves DNS logging accuracy. Other than that it is mostly a collection of smaller fixes.This release fixes some important issues, so we highly recommend updating.suri-400x400

Changes

  • Bug #1861: Suricata with multitenancy does not start in 3.1/3.1.1
  • Bug #1889: Suricata doesn’t error on missing semicolon
  • Bug #1910: libhtp 0.5.23 (3.1.x)
  • Bug #1912: http.memcap reached condition can lead to dead lock
  • Bug #1913: af-packet fanout detection broken on Debian Jessie
  • Bug #1933: unix-command socket created with last character missing (3.1.x)
  • Bug #1934: make install-full does not install tls-events.rules (3.1.x)
  • Bug #1941: Can’t set fast_pattern on tls_sni content (3.1.x)
  • Bug #1942: dns – back to back requests results in loss of response (3.1.x)
  • Bug #1943: Check redis reply in non pipeline mode (3.1.x)

Get the release here:

https://www.openinfosecfoundation.org/download/suricata-3.1.3.tar.gz

Special thanks

Paulo Pacheco, Coverity Scan

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. Agenda and speakers are now available, including keynote speakers Ron Gula and Liam Randall. Please see: http://suricon.net/

Training & Support

Need help installing, updating, validating, tuning and extending Suricata? There is a training November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1.2 released!

We’re proud to announce Suricata 3.1.2. This release fixes some important issues, so we highly recommend updating.suri-400x400

Changes

  • Feature #1830: support ‘tag’ in eve log
  • Feature #1870: make logged flow_id more unique
  • Feature #1874: support Cisco Fabric Path / DCE
  • Feature #1885: eve: add option to log all dropped packets
  • Feature #1886: dns: output filtering
  • Bug #1849: ICMPv6 incorrect checksum alert if Ethernet FCS is present
  • Bug #1853: fix dce_stub_data buffer
  • Bug #1854: unified2: logging of tagged packets not working
  • Bug #1856: PCAP mode device not found
  • Bug #1858: Lots of TCP ‘duplicated option/DNS malformed request data’ after upgrading from 3.0.1 to 3.1.1
  • Bug #1878: dns: crash while logging sshfp records
  • Bug #1880: icmpv4 error packets can lead to missed detection in tcp/udp
  • Bug #1884: libhtp 0.5.22

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1.2.tar.gz

Special thanks

Kirill Shipulin – Positive Technologies, Christoffer Hallstensen – NTNU Gjøvik, Pedro Marinho – Proofpoint, Tom Decanio – FireEye, Coverity Scan

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. Agenda and speakers are now available, including keynote speakers Ron Gula and Liam Randall. Please see: http://suricon.net/

Training & Support

Need help installing, updating, validating, tuning and extending Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1 released!

We’re proud to announce Suricata 3.1.suri-400x400

This release brings significant improvements on the performance side:

  • Hyperscan integration for Multi Pattern Matcher and Single Pattern Matcher. If installed, Hyperscan is now the default.
  • Rewrite of the detection engine, simplifying rule grouping. This improves performance, while reducing memory usage and start up time in many scenarios.

Packet capture got a lot of attention:

  • AF_PACKET support for tpacket-v3 (experimental)
  • NETMAP usability improvements, especially on FreeBSD

Config:

  • Reorganised default configuration layout provides for intuitive and easy set up.

This release also comes with libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.

A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.

Other than that, lots of clean ups and optimizations:

  • locking has been much simplified
  • TCP and IPv6 decoder optimizations
  • unittest clean ups
  • AFL fuzz testing options were added

Have a look at the full change log

Changes since 3.1RC1

  • AF_PACKETv2 is the default as v3 is still experimental
  • NFQ runmode workers was fixed

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz

Special thanks

Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan

Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

dcJoin us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 3.1RC1 is out!

Photo by Eric Leblond

We’re happy to announce Suricata 3.1RC1. The plan is to release the stable within a few weeks, so please help us test this release!

Lots of improvements on the performance side:

  • Hyperscan integration for MPM and SPM. If installed, Hyperscan is now the default. See this guide.
  • Rewrite of the detection engine, simplifying rule grouping. This reduces memory usage and startup time in many scenarios.

Packet capture got a lot of love:

  • AF_PACKET support for tpacketv3
  • NETMAP usability improvements, especially on FreeBSD

A new keyword ‘tls_sni’ was added, including MPM support. It allows matching on the TLS SNI field.

This release also bundles libhtp 0.5.20, in which we address a number of issues Steffen Ullrich of HTTP Evader reported.

Other than that, lots of cleanups and optimizations:

  • locking has been much simplified
  • TCP and IPv6 decoder optimizations
  • unittest cleanups
  • AFL fuzzing options were added

Have a look at the full changelog: https://github.com/inliniac/suricata/blob/master/ChangeLog

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.1RC1.tar.gz

Special thanks

Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
AFL project, CoverityScan

Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
David Diallo, Torgeir Natvig, Steffen Ullrich

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

SuriCon 2.0

Join us in Washington, D.C. November 9-11 for the 2nd Suricata User Conference. http://suricon.net/

Training & Support

Need help installing, updating, validating and tuning Suricata? We have trainings coming up. September 12-16 in Paris, November 7 & 8 in Washington, D.C.: see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

About Suricata

Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Please help us test Suricata 3.0.1RC1

suri-400x400

We’re hoping for your feedback on a new release: Suricata 3.0.1RC1. We’ve fixed many issues in 3.0, including important stability issues and memory leaks. A final is expected within a week or so.

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-3.0.1RC1.tar.gz

New Features

– Feature #1535: Expose the certificate itself in TLS-lua
– Feature #1696: improve logged flow_id
– Feature #1700: enable “relro” and “now” in compile options for 3.0
– Feature #1734: gre: support transparent ethernet bridge decoding
– Feature #1740: Create counters for decode-events errors
– updated bundled libhtp to 0.5.19

Fixes

Many issues were fixed, including stability issues and many (potential) memory leaks.
Full list: https://redmine.openinfosecfoundation.org/versions/81

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:
FireEye, ANSSI, Emerging Threats / Proofpoint, Stamus Networks,
NorCert, Ntop, Lastline, AFL project, CoverityScan

Tom Decanio, Mats Klepsland, Alexander Gozman, Aleksey Katargin
Maurizio Abba, Alessandro Guido, David Diallo, Giuseppe Longo
Jon Zeolla, Andreas Moe, Nicolas Thill, Travis Green, bladeswords
Alfredo Cardigliano, Rob Mosher, Andre ten Bohmer

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://suricon.net

If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/

Suricata 3.0 Available!

suri-400x400We’re proud to announce Suricata 3.0. This is a major new release improving Suricata on many fronts.

Download

http://www.openinfosecfoundation.org/download/suricata-3.0.tar.gz

Features and Improvements

  • improved detection options, including multi-tenancy and xbits
  • performance and scalability much improved
  • much improved accuracy and robustness
  • Lua scripting capabilities expanded significantly
  • many output improvements, including much more JSON
  • NETMAP capture method support, especially interesting to FreeBSD users
  • SMTP inspection and file extraction

For a full list of features added, please see:
https://redmine.openinfosecfoundation.org/versions/80

Upgrading

Upgrades from 2.0 to 3.0 should be mostly seamless. Here are some notes:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_20_to_Suricata_30

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

FireEye, ProtectWise, ANSSI, Emerging Threats /
Proofpoint, Stamus Networks, Ntop, AFL project, CoverityScan

Aaron Campbell, Aleksey Katargin, Alessandro Guido,
Alexander Gozman, Alexandre Macabies, Alfredo Cardigliano,
Andreas Moe, Anoop Saldanha, Antti Tönkyrä, Bill Meeks,
Darien Huss, David Abarbanel, David Cannings, David Diallo,
David Maciejak, Duarte Silva, Eduardo Arada, Giuseppe Longo,
Greg Siemon, Hayder Sinan, Helmut Schaa, Jason Ish,
Jeff Barber, Ken Steele, lessyv, Mark Webb-Johnson,
Mats Klepsland, Matt Carothers, Michael Rash, Nick Jones,
Pierre Chifflier, Ray Ruvinskiy, Samiux A, Schnaffon,
Stephen Donnelly, sxhlinux, Tom DeCanio, Torgeir Natvig,
Travis Green, Zachary Rasmor

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

November 9-11 we’ll be in Washington, DC, for our 2nd Suricata User Conference: http://oisfevents.net

If you need help installing, updating, validating and tuning Suricata we have a training program. Please see https://suricata-ids.org/training/

For support options also see https://suricata-ids.org/support/