Author Topic: Network Intrusion Detection System (NIDS) software, miscellaneous (Read 7752 times)


Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 191383
  • No input, no output
    • DVB-Cube
Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.

Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of nonbeaconing networks via data traffic.

http://www.kismetwireless.net/

Work/test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA driver 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA driver 4.8.3.1.8 )
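The passive classification the post above describes (standard named networks, hidden networks that get decloaked, and non-beaconing networks inferred from data traffic), as an added illustration in Python; this is not Kismet's code. It parses constructed 802.11 beacon, probe-response and data frames (no radiotap header; the MAC addresses and SSIDs are made-up sample values) and tracks each BSSID's status.

```python
import struct

# Constructed sample 802.11 frames (no radiotap header); not real captures.
MGMT, DATA = 0, 2            # frame-control type field
BEACON, PROBE_RESP = 8, 5    # management subtypes

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _hdr(ftype, subtype, flags, a1, a2, a3):
    # Frame control byte: version(2) | type(2) | subtype(4); flags byte holds ToDS/FromDS.
    fc = (ftype << 2) | (subtype << 4)
    return struct.pack("<BBH", fc, flags, 0) + _mac(a1) + _mac(a2) + _mac(a3) + b"\x00\x00"

def _mgmt(subtype, bssid, ssid):
    body = b"\x00" * 12                     # timestamp, beacon interval, capability info
    body += bytes([0, len(ssid)]) + ssid    # tagged parameter 0 = SSID (empty = cloaked)
    return _hdr(MGMT, subtype, 0, "ff:ff:ff:ff:ff:ff", bssid, bssid) + body

def _data_from_ap(bssid, client):
    return _hdr(DATA, 0, 0b10, client, bssid, client)   # FromDS=1: addr2 is the BSSID

AP_A, AP_B, AP_C = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
SAMPLE_FRAMES = [
    _mgmt(BEACON, AP_A, b"CorpNet"),           # named network
    _mgmt(BEACON, AP_B, b""),                  # cloaked: beacon with zero-length SSID
    _data_from_ap(AP_C, "11:22:33:44:55:66"),  # data traffic from AP_C, which never beacons
    _mgmt(PROBE_RESP, AP_B, b"Hidden-Lab"),    # probe response reveals AP_B's SSID
    _data_from_ap(AP_A, "11:22:33:44:55:67"),
]

def parse_frame(raw):
    """Return (type, subtype, bssid, ssid) or None for frames we do not classify."""
    if len(raw) < 24:
        return None
    fc, flags = raw[0], raw[1]
    ftype, subtype = (fc >> 2) & 3, fc >> 4
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    if ftype == MGMT and subtype in (BEACON, PROBE_RESP):
        ssid, pos = None, 24 + 12            # skip fixed fields, walk tagged parameters
        while pos + 2 <= len(raw):
            tag, length = raw[pos], raw[pos + 1]
            if tag == 0:
                ssid = raw[pos + 2:pos + 2 + length]
                break
            pos += 2 + length
        return ftype, subtype, a3, ssid
    if ftype == DATA:
        to_ds, from_ds = flags & 1, (flags >> 1) & 1
        if to_ds and from_ds:
            return None                      # WDS frame: no single BSSID to attribute
        return ftype, subtype, a1 if to_ds else a2 if from_ds else a3, None
    return None

def track(frames):
    """Map BSSID -> (ssid, status); status is named, hidden, decloaked or inferred."""
    nets = {}
    for raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            continue
        ftype, subtype, bssid, ssid = parsed
        key = bssid.hex(":")
        cur_ssid, status = nets.get(key, (None, None))
        if ftype == DATA:
            if status is None:
                status = "inferred"          # seen only through data traffic so far
        elif subtype == BEACON and ssid:
            cur_ssid, status = ssid.decode(errors="replace"), "named"
        elif subtype == BEACON:              # zero-length SSID in beacon: cloaked network
            status = "decloaked" if cur_ssid else "hidden"
        elif ssid:                           # probe response carrying the real SSID
            cur_ssid = ssid.decode(errors="replace")
            status = "decloaked" if status == "hidden" else "named"
        nets[key] = (cur_ssid, status)
    return nets
```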

Offline SiLæncer

kismet 2010-07-R1
« Reply #1 on: 16 September 2010, 17:50 »
Quote
Kismet-2010-07-R1 released, at the usual spot. Re-architected and bug-fixed IPC subsystem, hidedata option to prevent any processing of data frames, general internal bugfixes and improvements, ruby API and examples, zero-priv drone-only options.

http://www.kismetwireless.net/

Offline SiLæncer

Kismet-2013-03-R1b
« Reply #2 on: 22 June 2013, 22:00 »
Quote
Mon Apr 08 2013 - Kismet-2013-03-R1b released. Somehow the latest configure script didn't get into the R1 release so it blew up on libnl1 detection; No code changes, no package changes.

Wed Mar 27 2013 - Kismet-2013-03-R1 released! While this does not have major new features (phy-neutral is still in development) it includes a long list of bugfixes, including better ncurses color support, radiotap fixes, better interface control when setting channels, memory leak fixes, better packaging for distros, and various other quirks. At the usual download page

Thu Dec 06 2012 - Busy busy busy. Two new Android utilities now up - rfmon with a USB NIC, capturing to pcap, no root required, in Android PCAP Capture. To go with that, an easy way to upload pcap files from Android to CloudShark, a web-based implementation of Wireshark: CloudShark Uploader

Mon Jul 23 2012 - While phy-neutral is finishing up, added Ubuntu 12 packages for Kismet 2011-03

Thu Jul 05 2012 - Kismet moving to Git source control. Subversion is moved to code-old/svn (details on the download page) and the old SVN repository is disabled. Git checkouts at https://www.kismetwireless.net/kismet.git

https://kismetwireless.net/

Offline SiLæncer

Suricata 1.4.5 / 2.0 Beta 1
« Reply #3 on: 06 August 2013, 11:00 »
Network intrusion detection system (NIDS) that monitors network traffic and attempts to detect suspicious activity, packets and connections; when one is detected, the program offers the user further options such as blocking, bypassing or cleaning.

License: Open Source

What's new: >>

Suricata 2.0 Beta 1:

New features:

· Luajit flow vars and flow ints support
· DNS parser, logger and keyword support
· deflate support for HTTP response bodies

Improvements:

· update to libhtp 0.5
· improved gzip support for HTTP response bodies
· redesigned transaction handling, improving both accuracy and performance
· redesigned CUDA support
· Be sure to always apply verdict to NFQ packet
· stream engine: SACK allocs should adhere to memcap
· stream: deal with multiple different SYN/ACK’s better
· stream: Randomize stream chunk size for raw stream inspection
· Introduce per stream thread ssn pool
· 'pass' IP-only rules should bypass detection engine after matching
· Generate error if bpf is used in IPS mode
· Add support for batch verdicts in NFQ
· Update Doxygen config
· Improve libnss detection

Fixes:

· Fix a FP on rules looking for port 0 and fragments
· OS X unix socket build fixed
· bytetest, bytejump and byteextract negative offset failure
· Fix fast.log formatting issues
· Invalidate negative depth
· Fixed accuracy issues with relative pcre matching
· Fix deadlock in flowvar capture code
· Improved accuracy of file_data keyword
· Fix af-packet ips mode rule processing bug
· stream: fix injecting pseudo packet too soon leading to FP

Suricata 1.4.5:

· ipv6 extension header parsing issue causing Suricata to hang
· icmp_seq and icmp_id keyword with icmpv6 traffic FP & FN

http://suricata-ids.org/

Offline SiLæncer

Suricata 2.0 RC 1
« Reply #4 on: 21 February 2014, 21:00 »
What's new: >>

Notable changes:

unified JSON output for almost all log types (eve-log). Written by Tom Decanio of nPulse Technologies
QinQ VLAN handling
Alerting over PCIe bus (Tilera only), by Ken Steel of Tilera
Add --set commandline option to override any YAML option, by Jason Ish of Emulex
Various scalability improvements, clean ups and fixes by Ken Steel of Tilera
ICMPv6 handling improvements by Jason Ish of Emulex
memcaps for DNS and HTTP handling were added
Several fixes and improvements of AF_PACKET and PF_RING
NSM runmode, where detection engine is disabled. Development supported by nPulse Technologies

Fixes:

App layer registration cleanup – Support specifying same alproto names in rules for different ip protocols
TLS JSON output
case insensitive fileext match
JSON output for alerts
QinQ tag flow support
clean up output
Override conf parameters
united output
Suricata should compile with -Werror
memcap for http inside suricata
dns memcap
stream: configurable segment pools
Add a decoder.QinQ stats in stats.log
Detect icmpv6 on ipv4
http events alert multiple times
VLAN decoder stats with AF Packet get written to the first thread only – stats.log
memory leak in http buffers at shutdown
format string issues with size_t + qa not catching them
Segmentation fault in 2.0beta2: Custom HTTP log segmentation fault
radix tree lookups are not thread safe
CUDA 5.5 doesn’t compile with 2.0 beta 2
Err loading rules with variables that contain negated content.
segfault – 2.0dev (rev 6e389a1)
100% CPU utilization with suricata 2.0 beta2+
af-packet vlan handling is broken
stats.log not incrementing decoder.ipv4/6 stats when reading in QinQ packets
vlan tagged fragmentation
Git compile fails on Ubuntu Lucid
flow timeout causes decoders to run on pseudo packets

http://suricata-ids.org/

Offline SiLæncer

Suricata 2.0 RC 2
« Reply #5 on: 10 March 2014, 21:00 »
What's new: >>

Notable changes

eve-log is now enabled by default
SSH parser is re-enabled
SSH logging was added to ‘eve-log’
bundled libhtp was updated to 0.5.10

Fixes:

Add VLAN tag ID to all outputs
Add QinQ tag ID to all outputs
Introduce SSH log
app-layer protocols http memcap – info in verbose mode (-v)
restore SSH protocol detection and parser
fp: rule with ports matching on portless proto
default config generates rule warnings and errors
1.4.6: conf_filename not checked before use
SMTP: move depends on uninitialised value
FTP: Memory Leak
TLS-Handshake: Uninitialized value
HTTP: Memory Leak
suricata.yaml config parameter – segfault
PF_RING vlan handling
Can have the same Pattern ID (pid) for the same pattern but different case flags
capture stats at exit incorrect
tls-events.rules file missing
nfq: exit stats not working
segv with pfring/afpacket and eve-log enabled
crash in eve-log
ipfw build broken

http://suricata-ids.org/

Offline SiLæncer

Suricata 2.0 RC 3
« Reply #6 on: 23 March 2014, 08:00 »
What's new: >>

Fixes:

Bug #1127: logstash & suricata parsing issue
Bug #1128: Segmentation fault – live rule reload
Bug #1129: pfring cluster & ring initialization
Bug #1130: af-packet flow balancing problems
Bug #1131: eve-log: missing user agent reported inconsistently
Bug #1133: eve-log: http depends on regular http log
Bug #1135: 2.0rc2 release doesn’t set optimization flag on GCC
Bug #1138: alert fastlog drop info missing

http://suricata-ids.org/

Offline SiLæncer

Suricata 2.0.1 RC 1
« Reply #7 on: 16 May 2014, 05:30 »
What's new: >>

Notable changes:

OpenSSL Heartbleed detection. Thanks to Pierre Chifflier and Will Metcalf
Fixed Unix Socket runmode
Fixed AF_PACKET IPS support

All closed tickets:

Feature #1157: Always create pid file if --pidfile command line option is provided
Feature #1173: tls: OpenSSL heartbleed detection
Bug #978: clean up app layer parser thread local storage
Bug #1064: Lack of Thread Deinitialization For Decoder Modules
Bug #1101: Segmentation in AppLayerParserGetTxCnt
Bug #1136: negated app-layer-protocol FP on multi-TX flows
Bug #1141: dns response parsing issue
Bug #1142: dns tcp toclient protocol detection
Bug #1143: tls protocol detection in case of tls-alert
Bug #1144: icmpv6: unknown type events for MLD_* types
Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
Bug #1146: tls: event on ‘new session ticket’ in handshake
Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
Bug #1161: eve: src and dst mixed up in some cases
Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
Bug #1163: HTP Segfault
Bug #1165: af_packet – one thread consistently not working
Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
Bug #1176: AF_PACKET IPS mode is broken in 2.0
Bug #1177: eve log do not show action ‘dropped’ just ‘allowed’
Bug #1180: Possible problem in stream tracking

http://suricata-ids.org/

Offline SiLæncer

Suricata 2.0.1
« Reply #8 on: 23 May 2014, 05:30 »
What's new: >>

Notable changes:

OpenSSL Heartbleed detection. Thanks to Pierre Chifflier and Will Metcalf
Fixed Unix Socket runmode
Fixed AF_PACKET IPS support

All closed tickets:

Feature #1157: Always create pid file if --pidfile command line option is provided
Feature #1173: tls: OpenSSL heartbleed detection
Bug #978: clean up app layer parser thread local storage
Bug #1064: Lack of Thread Deinitialization For Decoder Modules
Bug #1101: Segmentation in AppLayerParserGetTxCnt
Bug #1136: negated app-layer-protocol FP on multi-TX flows
Bug #1141: dns response parsing issue
Bug #1142: dns tcp toclient protocol detection
Bug #1143: tls protocol detection in case of tls-alert
Bug #1144: icmpv6: unknown type events for MLD_* types
Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
Bug #1146: tls: event on ‘new session ticket’ in handshake
Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
Bug #1161: eve: src and dst mixed up in some cases
Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
Bug #1163: HTP Segfault
Bug #1165: af_packet – one thread consistently not working
Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
Bug #1176: AF_PACKET IPS mode is broken in 2.0
Bug #1177: eve log do not show action ‘dropped’ just ‘allowed’
Bug #1180: Possible problem in stream tracking

http://suricata-ids.org/

Offline SiLæncer

Suricata 2.0.2
« Reply #9 on: 11 July 2014, 13:47 »
What's new: >>

Notable changes:

IP defrag issue leading to evasion. Bug discovered by Antonios Atlasis working with ERNW GmbH
Support for NFLOG as a capture method. Nice work by Giuseppe Longo
DNS TXT parsing and logging. Funded by Emerging Threats
Log rotation through SIGHUP. Created by Jason Ish of Endace/Emulex

All closed tickets:

Feature #781: IDS using NFLOG iptables target
Feature #1158: Parser DNS TXT data parsing and logging
Feature #1197: liblua support
Feature #1200: sighup for log rotation
Bug #1098: http_raw_uri with relative pcre parsing issue
Bug #1175: unix socket: valgrind warning
Bug #1189: abort() in 2.0dev (rev 6fbb955) with pf_ring 5.6.3
Bug #1195: nflog: cppcheck reports memleaks
Bug #1206: ZC pf_ring not working with Suricata 2.0.1 (or latest git)
Bug #1211: defrag issue
Bug #1212: core dump (after a while) when app-layer.protocols.http.enabled = yes
Bug #1214: Global Thresholds (sig_id 0, gid_id 0) not applied correctly if a signature has event vars
Bug #1217: Segfault in unix-manager.c line 529 when using --unix-socket and sending pcap files to be analyzed via socket

http://suricata-ids.org/

Offline SiLæncer

Suricata 2.0.3
« Reply #10 on: 31 August 2014, 18:00 »
What's new: >>

Changes

Bug #1236: fix potential crash in http parsing
Bug #1244: ipv6 defrag issue
Bug #1238: Possible evasion in stream-tcp-reassemble.c
Bug #1221: lowercase conversion table missing last value
Support #1207: Cannot compile on CentOS 5 x64 with --enable-profiling
Updated bundled libhtp to 0.5.15

http://suricata-ids.org/

Offline SiLæncer

Suricata 2.0.4 / 2.1 Beta 1
« Reply #11 on: 07 October 2014, 19:00 »
What's new: >>

2.0.4:

Bug #1276: ipv6 defrag issue with routing headers
Bug #1278: ssh banner parser issue
Bug #1254: sig parsing crash on malformed rev keyword
Bug #1267: issue with ipv6 logging
Bug #1273: Lua – http.request_line not working
Bug #1284: AF_PACKET IPS mode not logging drops and stream inline issue

2.1 Beta 1:

New Features:

Feature #1248: flow/connection logging
Feature #1155 & #1208: Log packet payloads in eve alerts

Improvements:

Optimization #1039: Packetpool should be a stack
Optimization #1241: pcap recording: record per thread
Feature #1258: json: include HTTP info with Alert output
AC matcher start up optimizations
BM matcher runtime optimizations

Removals:

'pcapinfo' output was removed. Suriwire now works with the JSON 'eve' output

http://suricata-ids.org/

Offline SiLæncer

Suricata 2.0.5
« Reply #12 on: 17 December 2014, 21:00 »
What's new: >>

Bug #1190: http_header keyword not matching when SYN|ACK and ACK missing
Bug #1246: EVE output Unix domain socket not working
Bug #1272: Segfault in libhtp 0.5.15
Bug #1298: Filestore keyword parsing issue (2.0.x)
Bug #1303: improve stream 'bad window update' detection
Bug #1304: improve stream handling of back SACK values
Bug #1305: fix tcp session reuse for ssh/ssl sessions
Bug #1307: byte_extract, within combination not working (2.0.x)
Bug #1326: pcre pkt/flowvar capture broken for non-relative matches
Bug #1329: Invalid rule being processed and loaded.
Bug #1330: Flow memuse bookkeeping error (2.0.x)

http://suricata-ids.org/

Offline SiLæncer

Suricata 2.1 Beta 2
« Reply #13 on: 05 January 2015, 06:30 »
Changelog
New Features:

Feature #549: Extract file attachments from emails
Feature #1312: Lua output support
Feature #899: MPLS over Ethernet support
Feature #383: Stream logging

Improvements:

Feature #1263: Lua: Access to Stream Payloads
Feature #1264: Lua: access to TCP quad / Flow Tuple
Feature #707: ip reputation files – network range inclusion availability (cidr)

Bugs:

Bug #1048: PF_RING/DNA config – suricata.yaml
Bug #1230: byte_extract, within combination not working
Bug #1257: Flow switch is missing from the eve-log section in suricata.yaml
Bug #1259: AF_PACKET IPS is broken in 2.1beta1
Bug #1260: flow logging at shutdown broken
Bug #1279: BUG: NULL pointer dereference when suricata was debug mode.
Bug #1280: BUG: IPv6 address vars issue
Bug #1285: Lua – http.request_line not working (2.1)
Bug #1287: Lua Output has dependency on eve-log:http
Bug #1288: Filestore keyword in wrong place will cause entire rule not to trigger
Bug #1294: Configure doesn't use --with-libpcap-libraries when testing PF_RING library
Bug #1301: suricata yaml – PF_RING load balance per hash option
Bug #1308: http_header keyword not matching when SYN|ACK and ACK missing (master)
Bug #1311: EVE output Unix domain socket not working (2.1)

http://suricata-ids.org/

Offline SiLæncer

Suricata 2.0.6
« Reply #14 on: 15 January 2015, 21:00 »
What's new: >>

Bug #1364: evasion issues
Bug #1337: output-json: duplicate logging
Bug #1325: tls detection leads to tcp stream reassembly sequence gaps (IPS)
Bug #1192: Suricata does not compile on OS X/Clang due to redefinition of string functions
Bug #1183: pcap: cppcheck warning

http://suricata-ids.org/
