Author Topic: Network Intrusion Detection System (NIDS) software, miscellaneous (Read 7723 times)

SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 191383
  • No input, no output
    • DVB-Cube
Suricata 2.1 Beta 3
« Reply #15 on: 19 February 2015, 19:00 »
Changelog
Bug #977: WARNING on empty rules file is fatal (should not be)
Bug #1184: pfring: cppcheck warnings
Bug #1321: Flow memuse bookkeeping error
Bug #1327: pcre pkt/flowvar capture broken for non-relative matches (master)
Bug #1332: cppcheck: ioctl
Bug #1336: modbus: CID 1257762: Logically dead code (DEADCODE)
Bug #1351: output-json: duplicate logging (2.1.x)
Bug #1354: coredumps on quitting on OpenBSD
Bug #1355: Bus error when reading pcap-file on OpenBSD
Bug #1363: Suricata does not compile on OS X/Clang due to redefinition of string functions (2.1.x)
Bug #1365: evasion issues (2.1.x)
Feature #1261: Request for Additional Lua Capabilities
Feature #1309: Lua support for Stats output
Feature #1310: Modbus parsing and matching
Feature #1317: Lua: Indicator for end of flow
Feature #1333: unix-socket: allow (easier) non-root usage
Optimization #1339: flow timeout optimization
Optimization #1371: mpm optimization

http://suricata-ids.org/

Work / test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64-bit

TT S2 3200 (BDA driver 5.0.1.8) + Terratec Cinergy 1200 C (BDA driver 4.8.3.1.8)

SiLæncer
Suricata 2.0.8 & 2.1 Beta 4
« Reply #16 on: 13 May 2015, 22:00 »
2.0.8

What's new:

Changes

Bug #1450: tls parsing issue
Bug #1460: pcap parsing issue
Bug #1461: potential deadlock
Bug #1404: Alert-Debuglog not being rotated on SIGHUP
Bug #1420: inverted matching on incomplete session
Bug #1462: various issues in rule and yaml parsing

Security

The TLS/DER parsing issue has CVE-2015-0971 assigned to it.



2.1 Beta 4

Changelog

New Features

Feature #1448: xbits support
Feature #336: Add support for NETMAP to Suricata
Feature #885: smtp file_data support
Feature #1394: Improve TCP reuse support
Feature #1445: Suricata does not work on pfSense/FreeBSD interfaces using PPPoE
Feature #1447: Ability to reject ICMP traffic
Feature #1410: add alerts to EVE’s drop logs

Improvements

Optimization #1014: app layer reassembly fast-path
Optimization #1377: flow manager: reduce (try)locking
Optimization #1403: autofp packet pool performance problems
Optimization #1409: http pipeline support for stateful detection
Bug #1314: http-events performance issues

Bugs

Bug #1340: null ptr dereference in Suricata v2.1beta2
Bug #1352: file list is not cleaned up
Bug #1358: Gradual memory leak using reload (kill -USR2 $pid)
Bug #1366: Crash if default_packet_size is below 32 bytes
Bug #1378: stats api doesn’t call thread deinit funcs
Bug #1384: tcp midstream window issue (master)
Bug #1388: pcap-file hangs on systems w/o atomics support (master)
Bug #1392: http uri parsing issue (master)
Bug #1393: CentOS 5.11 build failures
Bug #1398: DCERPC traffic parsing issue (master)
Bug #1401: inverted matching on incomplete session
Bug #1402: When re-opening files on HUP (rotation) always use the append flag.
Bug #1417: no rules loaded – latest git – rev e250040
Bug #1425: dead lock in de_state vs flowints/flowvars
Bug #1426: Files prematurely truncated by detection engine even though force-md5 is enabled
Bug #1429: stream: last_ack update issue leading to stream gaps
Bug #1435: EVE-Log alert payload option loses data
Bug #1441: Local timestamps in json events
Bug #1446: Unit ID check in Modbus packet error
Bug #1449: smtp parsing issue
Bug #1451: Fix list-keywords regressions
Bug #1463: modbus parsing issue

http://suricata-ids.org/

SiLæncer
Suricata 3.0
« Reply #17 on: 28 January 2016, 17:00 »
Features and Improvements

    improved detection options, including multi-tenancy and xbits
    performance and scalability much improved
    much improved accuracy and robustness
    Lua scripting capabilities expanded significantly
    many output improvements, including much more JSON
    NETMAP capture method support, especially interesting to FreeBSD users
    SMTP inspection and file extraction

For a full list of features added, please see the full changelog:

Detection

Feature #885: smtp file_data support
Feature #707: ip reputation files - network range inclusion availability (cidr)
Feature #1448: xbits
Feature #1282: support for base64_decode keyword
Feature #1137: Support IP lists in threshold.config
Feature #1440: wildcard rule loading
Feature #1281: support content keyword length greater than 255
Feature #1408: multi tenancy for detection
Feature #1514: SSH softwareversion regex should allow colon

Outputs

Feature #1582: Redis output support
Feature #1228: stats.log in JSON format
Feature #1155: Log packet payloads in eve alerts
Feature #1208: JSON Output Enhancement - Include Payload(s)
Feature #1248: flow/connection logging
Feature #1258: json: include HTTP info with Alert output
Feature #383: stream data logging
Feature #893: feature, put more info in the "drop.log"
Feature #1123: JSON logs timestamp option
Feature #1154: Get the rule when packets are dropped
Feature #1116: ips packet stats in stats.log
Feature #1410: add alerts to EVE's drop logs
Feature #1586: Add flow memcap counter
Feature #1599: rule profiling: json output
Feature #1605: more descriptive err msg - getting MTU via ioctl
Feature #1635: unified2 output: disable by default
Feature #1498: color output
Feature #1499: json output for engine messages
Feature #1374: Write pre-aggregated counters for all threads
Feature #1454: JSON output prefix
Feature #1492: Add HUP coverage to output json-log

Packet Decoding & Protocol Parsing

Feature #899: MPLS over Ethernet support
Feature #1310: Modbus parsing and matching
Feature #1438: DNS Type nxdomain
Feature #1394: Improve TCP reuse support
Feature #1342: Support Cisco erspan traffic
Feature #1265: Replace response on Suricata dns decoder when dns error please
Feature #549: Extract file attachments from emails

Scripting

Feature #1263: Lua: Access to Stream Payloads
Feature #1264: Lua: access to TCP quad / Flow Tuple
Feature #1312: Lua output support
Feature #1261: Request for Additional Lua Capabilities
Feature #1309: Lua support for Stats output
Feature #1317: Lua: Indicator for end of flow
Feature #1502: Expose tls fields to lua
Feature #1568: TLS lua output support
Feature #1569: SSH lua support

Packet Capture & IPS

Feature #336: Add support for NETMAP to Suricata.
Feature #1445: Suricata does not work on pfSense/FreeBSD interfaces using PPPoE
Feature #1447: Ability to reject ICMP traffic

Misc

Feature #1333: unix-socket: allow (easier) non-root usage
Feature #1527: Add ability to compile as a Position-Independent Executable (PIE)

Related tickets

Bug #1673: smtp: crash during mime parsing


Source & download: http://suricata-ids.org/2016/01/27/suricata-3-0-available/

SiLæncer
Suricata 3.0.1
« Reply #18 on: 09 April 2016, 15:00 »
What's new:

fixes for multiple stability issues
many memory leak fixes
Hyperscan MPM support (experimental)

http://suricata-ids.org/

SiLæncer
Suricata 3.1
« Reply #19 on: 04 July 2016, 09:11 »
What's new:

fixed:

Bug #1589: Cannot run nfq in workers mode
Bug #1804: yaml: legacy detect-engine parsing custom values broken

http://suricata-ids.org/

SiLæncer
Suricata 3.2
« Reply #20 on: 31 January 2017, 18:00 »
Changelog

Feature #1830: support ‘tag’ in eve log
Feature #1870: make logged flow_id more unique
Feature #1874: support Cisco Fabric Path / DCE
Feature #1885: eve: add option to log all dropped packets
Feature #1886: dns: output filtering
Bug #1849: ICMPv6 incorrect checksum alert if Ethernet FCS is present
Bug #1853: fix dce_stub_data buffer
Bug #1854: unified2: logging of tagged packets not working
Bug #1856: PCAP mode device not found
Bug #1858: Lots of TCP ‘duplicated option/DNS malformed request data’ after upgrading from 3.0.1 to 3.1.1
Bug #1878: dns: crash while logging sshfp records
Bug #1880: icmpv4 error packets can lead to missed detection in tcp/udp
Bug #1884: libhtp 0.5.22


http://suricata-ids.org/

SiLæncer
Suricata 3.2.1
« Reply #21 on: 16 February 2017, 06:00 »
Changelog

Changes you can expect from this new release include:

Feature #1830: support ‘tag’ in eve log
Feature #1870: make logged flow_id more unique
Feature #1874: support Cisco Fabric Path / DCE
Feature #1885: eve: add option to log all dropped packets
Feature #1886: dns: output filtering
Bug #1849: ICMPv6 incorrect checksum alert if Ethernet FCS is present
Bug #1853: fix dce_stub_data buffer
Bug #1854: unified2: logging of tagged packets not working
Bug #1856: PCAP mode device not found
Bug #1858: Lots of TCP ‘duplicated option/DNS malformed request data’ after upgrading from 3.0.1 to 3.1.1
Bug #1878: dns: crash while logging sshfp records
Bug #1880: icmpv4 error packets can lead to missed detection in tcp/udp
Bug #1884: libhtp 0.5.22


http://suricata-ids.org/

SiLæncer
Suricata 3.2.3
« Reply #22 on: 14 July 2017, 20:00 »
Changelog

Bug #2089: engine file logging race condition (3.2.x)
Bug #2173: openbsd: pcap with raw datalink not supported (3.2.x)
Bug #2178: asn1/der: stack overflow (3.2.x)
Bug #2179: Possible confusion or bypass within the stream engine with retransmits. (3.2.x)
Bug #2183: gcc 7.1.1 ‘format truncation’ compiler warnings (3.2.x)


http://suricata-ids.org/

SiLæncer
Suricata 4.0.0 RC 2
« Reply #23 on: 14 July 2017, 21:00 »
Changelog

Feature #744: Teredo configuration
Feature #1748: lua: expose tx in alert lua scripts
Bug #1855: alert number output
Bug #1888: noalert in a pass rule disables the rule
Bug #1957: PCRE lowercase enforcement in http_host buffer does not allow for upper case in hex-encoding
Bug #1958: Possible confusion or bypass within the stream engine with retransmits.
Bug #2110: isdataat: keyword memleak
Bug #2162: rust/nfs: reachable asserting rust panic
Bug #2175: rust/nfs: panic – 4.0.0-dev (rev 7c25a2d)
Bug #2176: gcc 7.1.1 ‘format truncation’ compiler warnings
Bug #2177: asn1/der: stack overflow


http://suricata-ids.org/

SiLæncer
Suricata 4.0.0 Final
« Reply #24 on: 02 August 2017, 05:00 »
Release Notes

We are thrilled to announce Suricata 4.0 is now available!

This is a major release, improving detection capabilities, more protocols, adding new output options, Rust support, and much more. Thanks to valuable feedback from the rule writing teams at Emerging Threats, Positive Technologies, and many others Suricata 4.0 includes many rule keywords for inspecting HTTP, SSH and other protocols. New features allow for greater context with alerts. Also, Suricata 4.0 is the first release in which implemented parts in the Rust language using the Nom parser framework have been incorporated. This work was inspired by presentations from SuriCon 2016.


Source & more info: https://oisf.net/2017/08/01/suricata-4-0-kicks-it-up-a-notch/

http://suricata-ids.org/

SiLæncer
Suricata 4.0.1
« Reply #25 on: 10 November 2017, 20:00 »
Changelog

Feature #2114: Redis output: add RPUSH support
Feature #2152: Packet and Drop Counters for Napatech
Bug #2050: TLS rule mixes up server and client certificates
Bug #2064: Rules with dual classtype do not error
Bug #2074: detect msg: memory leak
Bug #2102: Rules with dual sid do not error
Bug #2103: Rules with dual rev do not error
Bug #2151: The documentation does not reflect current suricata.yaml regarding cpu-affinity
Bug #2194: rust/nfs: sigabrt/rust panic – 4.0.0-dev (rev fc22943)
Bug #2197: rust build with lua enabled fails on x86
Bug #2201: af_packet: suricata leaks memory with use-mmap enabled and incorrect BPF filter
Bug #2207: DNS UDP “Response” parsing recording an incorrect value
Bug #2208: mis-structured JSON stats output if interface name is shortened
Bug #2226: improve error message if stream memcaps too low
Bug #2228: enforcing specific number of threads with autofp does not seem to work
Bug #2244: detect state uses broken offset logic (4.0.x)


Source: https://suricata-ids.org/2017/10/18/suricata-4-0-1-available/

http://suricata-ids.org/

SiLæncer
Suricata 4.0.3
« Reply #26 on: 30 December 2017, 10:00 »
Changelog

Feature #2245: decoder for ieee802.1AH traffic
Bug #798: stats.log in yaml config – append option – missing
Bug #891: detect-engine.profile does not err out in incorrect values – suricata.yaml
Bug #961: max pending packets variable parsing
Bug #1185: napatech: cppcheck warning
Bug #2215: Lost events writing to unix socket
Bug #2230: valgrind memcheck – 4.0.0-dev (rev 1180687)
Bug #2250: detect: mixing byte_extract and isdataat leads to FP & FN
Bug #2263: content matches disregarded when using dns_query on udp traffic
Bug #2274: ParseSizeString in util-misc.c: Null-pointer dereference
Bug #2275: ConfGetInt in conf.c: NULL-pointer dereference
Bug #2276: conf: NULL-pointer dereference in CoredumpLoadConfig
Bug #2293: rules: depth < content rules not rejected
Bug #2324: segfault in http_start (4.0.x)
Bug #2325: Suricata segfaults on ICMP and flowint check (4.0.x)


Source: https://suricata-ids.org/2017/12/06/suricata-4-0-3-available/

http://suricata-ids.org/

SiLæncer
Suricata 4.0.4.1
« Reply #27 on: 23 March 2018, 05:00 »
Changelog

Security:

CVE-2018-6794 was requested for issue #2440

Changes:

Bug #2306: suricata 4 deadlocks during failed output log reopening
Bug #2361: rule reload hangup
Bug #2389: BUG_ON asserts in AppLayerIncFlowCounter (4.0.x)
Bug #2392: libhtp 0.5.26 (4.0.x)
Bug #2422: [4.0.3] af_packet: a leak that (possibly) breaks an inline channel
Bug #2438: various config parsing issues
Bug #2439: Fix timestamp offline when pcap timestamp is zero (4.0.x)
Bug #2440: stream engine bypass issue (4.0.x)
Bug #2441: der parser: bad input consumes cpu and memory (4.0.x)
Bug #2443: DNP3 memcpy buffer overflow (4.0.x)
Bug #2444: rust/dns: Core Dump with malformed traffic (4.0.x)
Bug #2445: http bodies / file_data: thread space creation writing out of bounds


http://suricata-ids.org/

SiLæncer
Suricata 4.0.5
« Reply #28 on: 21 July 2018, 19:00 »
Changelog

Security:

CVE-2018-10242, CVE-2018-10244 (suricata)
CVE-2018-10243 (libhtp)

Changes:

Bug #2480: http eve log data source/dest flip (4.0.x)
Bug #2482: HTTP connect: difference in detection rates between 3.1 and 4.0.x
Bug #2531: yaml: ConfYamlHandleInclude memleak (4.0.x)
Bug #2532: memleak: when using app-layer event rules without rust
Bug #2533: Suricata gzip unpacker bypass (4.0.x)
Bug #2534: Suricata stops inspecting TCP stream if a TCP RST was met (4.0.x)
Bug #2535: Messages with SC_LOG_CONFIG level are logged to syslog with EMERG priority (4.0.x)
Bug #2537: libhtp 0.5.27 (4.0.x)
Bug #2540: getrandom prevents any suricata start commands on more later OS’s (4.0.x)
Bug #2544: ssh out of bounds read (4.0.x)
Bug #2545: enip out of bounds read (4.0.x)


http://suricata-ids.org/

SiLæncer
Suricata 4.1rc1
« Reply #29 on: 27 July 2018, 17:00 »
Release Notes

It’s summer, so an excellent time for some testing! Suricata 4.1 release candidate 1 is here to be tried out. The release brings a lot of new features.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.0-rc1.tar.gz

Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2, as well as improvements on Linux capture side via AF_PACKET XDP support and on Windows IPS side via WinDivert. The progress in Rust usage inside Suricata continues as most of the new protocols have been implemented in Rust.

We invite everyone to test this release and report your experiences to us.

Protocol updates

    SMBv1/2/3 parsing, logging, file extraction
    JA3 TLS client fingerprinting (Mats Klepsland)
    TFTP: basic logging (Pascal Delalande and Clément Galland)
    FTP: file extraction
    Kerberos parser and logger (Pierre Chifflier)
    IKEv2 parser and logger (Pierre Chifflier)
    DHCP parser and logger
    Flow tracking for ICMPv4
    Initial NFS4 support
    HTTP: handle sessions that only have a response, or start with a response
    HTTP Flash file decompression support (Giuseppe Longo)

Output and logging

    File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
    Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
    Eve: new more compact DNS record format (Giuseppe Longo)
    Pcap directory mode: process all pcaps in a directory (Danny Browning)
    Compressed PCAP logging (Max Fillinger)
    Expanded XFF support (Maurizio Abba)

Packet Capture

    AF_PACKET XDP and eBPF support for high speed packet capture
    Windows IPS: WinDivert support (Jacob Masen-Smith)

Misc

    Windows: MinGW is now supported
    Detect: transformation keyword support
    Bundled Suricata-Update

Major changes since 4.1beta1

    WinDivert support
    Kerberos parser and logger
    IKEv2 parser and logger
    DHCP parser and logger
    Flow tracking for ICMPv4
    Initial NFS4 support
    Compressed PCAP logging
    Expanded XFF support
    Decode GRE over IP (Paulo Pacheco)
    Multi-tenancy fixes
    SMB improvements for midstream pickup
    Update Suricata-Update to 1.0.0rc1

Security

CVE-2018-10242, CVE-2018-10244 (suricata)
CVE-2018-10243 (libhtp)


http://suricata-ids.org/
