Author Topic: Network Intrusion Detection System (NIDS) software, miscellaneous (Read 4990 times)

0 members and 1 guest are viewing this topic.

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 191383
  • No input, no output
    • DVB-Cube
Suricata 4.1.0.1
« Reply #30 on: 08 November 2018, 19:00 »
Release Notes

After a longer than intended release development cycle, the OISF development team is proud to present Suricata 4.1.

Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2. All of them have been implemented in Rust to ensure their introduction will not be compromising to the security and the stability of the complete system.

Support for tracking and logging TLS 1.3 has been added, including JA3 support.

On performance side, one of the main improvements is the availability of capture bypass for AF_PACKET implemented on top of the new eXpress Data Path (XDP) capability of Linux kernel. Windows users will benefit from the 4.1 release with a new IPS mode based on WinDivert.

All new protocols require Rust so Suricata 4.1 is not really 4.1 if you don’t have Rust. This is why the build system is now enabling Rust by default if it is available on the build machine.

This is the first release where Suricata-Update 1.0, the new Suricata rule updater, is bundled.
Protocol updates

    SMBv1/2/3 parsing, logging, file extraction
    TLS 1.3 parsing and logging (Mats Klepsland)
    JA3 TLS client fingerprinting (Mats Klepsland)
    TFTP: basic logging (Pascal Delalande and Clément Galland)
    FTP: file extraction
    Kerberos parser and logger (Pierre Chifflier)
    IKEv2 parser and logger (Pierre Chifflier)
    DHCP parser and logger
    Flow tracking for ICMPv4
    Initial NFS4 support
    HTTP: handle sessions that only have a response, or start with a response
    HTTP Flash file decompression support (Giuseppe Longo)

Output and logging

    File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
    Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
    Eve: new more compact DNS record format (Giuseppe Longo)
    Pcap directory mode: process all pcaps in a directory (Danny Browning)
    Compressed PCAP logging (Max Fillinger)
    Expanded XFF support (Maurizio Abba)
    Community Flow Id support (common ID between Suricata and Bro/Zeek)

Packet Capture

    AF_PACKET XDP and eBPF support for high speed packet capture
    Windows IPS: WinDivert support (Jacob Masen-Smith)
    PF_RING: usability improvements

Misc

    Windows: MinGW is now supported
    Detect: transformation keyword support
    Bundled Suricata-Update
    Per device multi-tenancy

Minor Changes since 4.1rc2

    Coverity fixes and annotations
    Update Suricata-Update to 1.0.0

Security

    SMTP crash issue was fixed: CVE-2018-18956
    Robustness of defrag against FragmentSmack was improved
    Robustness of TCP reassembly against SegmentSmack was improved


Source & download: https://suricata-ids.org/2018/11/06/suricata-4-1-released/

Work/test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 (BDA driver 5.0.1.8) + Terratec Cinergy 1200 C (BDA driver 4.8.3.1.8)
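The "Community Flow Id" item in the 4.1 notes above refers to the Community ID flow hash shared with Zeek. The following is an added example, not code from the release notes or from OISF: it computes Community ID v1 for TCP/UDP/SCTP flows (ICMP handling from the spec is omitted) and re-checks the value logged in a constructed EVE-style record, which is how a defender can detect a seed mismatch between sensors before it silently breaks correlation.

```python
import base64
import hashlib
import ipaddress
import struct

# Protocols whose Community ID input includes the port pair (the spec also
# covers ICMP by mapping type/code onto the port fields; omitted here).
PORT_PROTOS = {6: "TCP", 17: "UDP", 132: "SCTP"}


def community_id_v1(saddr, daddr, proto, sport=None, dport=None, seed=0):
    """Community ID v1 for one flow, as defined by the Corelight spec:
    "1:" + base64(sha1(seed || addr_a || addr_b || proto || 0x00 || port_a || port_b)).
    Endpoints are ordered so both directions of a flow hash to the same value."""
    src, dst = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    if src.version != dst.version:
        raise ValueError("address families differ")
    if proto not in PORT_PROTOS:
        raise ValueError("only TCP/UDP/SCTP are handled in this example")
    if sport is None or dport is None:
        raise ValueError("ports are required for %s" % PORT_PROTOS[proto])
    # Canonical ordering: lower (address, port) first, comparing addresses in
    # network byte order. This is what makes the ID direction-independent.
    if (src.packed, sport) > (dst.packed, dport):
        src, dst, sport, dport = dst, src, dport, sport
    h = hashlib.sha1()
    h.update(struct.pack("!H", seed))        # 16-bit big-endian seed
    h.update(src.packed)
    h.update(dst.packed)
    h.update(struct.pack("!BB", proto, 0))   # protocol number plus one pad byte
    h.update(struct.pack("!HH", sport, dport))
    return "1:" + base64.b64encode(h.digest()).decode("ascii")


def check_eve_record(rec, seed=0):
    """Recompute the Community ID from an EVE record's 5-tuple and compare it
    with the logged value. A mismatch usually means the Suricata sensor and
    the Zeek side were configured with different seeds."""
    proto = {name: num for num, name in PORT_PROTOS.items()}[rec["proto"]]
    expected = community_id_v1(rec["src_ip"], rec["dest_ip"], proto,
                               rec["src_port"], rec["dest_port"], seed)
    return expected == rec.get("community_id")


# Constructed EVE-style record (not real traffic); the 5-tuple is the
# reference vector from the Community ID spec.
SAMPLE_EVE = {
    "src_ip": "128.232.110.120", "src_port": 34855,
    "dest_ip": "66.35.250.204", "dest_port": 80,
    "proto": "TCP",
    "community_id": "1:LQU9qZlK+B5F3KDmev6m5PMibrg=",
}

if __name__ == "__main__":
    print(community_id_v1("128.232.110.120", "66.35.250.204", 6, 34855, 80))
    print("EVE record consistent:", check_eve_record(SAMPLE_EVE))
```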

SiLæncer
Suricata 4.1.2.1
« Reply #31 on: 28 December 2018, 13:00 »
Release Notes

Much sooner than planned we are releasing 4.1.2. The 4.1.1 process didn’t go as planned. First the tarball was missing the vendored Rust crates. Then we found that Suricata-Update didn’t properly function on CentOS 7, Ubuntu 14.04 and other slightly older distros. Then last minute we found yet another Suricata-Update bug.

So despite it being so close to the holidays for many, we decided to push 4.1.2 out already. Apologies for the inconvenience this may cause.

Other than the issues mentioned above, we did also fix some additional issues. SMB logging accuracy was improved, DNS detection and logging accuracy was improved and some documentation updates are included as well.

After the holidays are over we’re going to review our QA for both Suricata and Suricata-Update, so we can avoid issues like this in the future.

Changes

    Feature #1863: smtp: improve pipelining support
    Feature #2748: bundle libhtp 0.5.29
    Feature #2749: bundle suricata-update 1.0.3
    Bug #2682: python-yaml Not Listed As Ubuntu Prerequisite
    Bug #2736: DNS Golden Transaction ID – detection bypass
    Bug #2745: Invalid detect-engine config could lead to segfault
    Bug #2752: smb: logs for IOCTL and DCERPC have tree_id value of 0


Source & download: https://suricata-ids.org/2018/12/21/suricata-4-1-2-released/


SiLæncer
Suricata 4.1.3
« Reply #32 on: 19 March 2019, 20:00 »
Release Notes

We’re pleased to announce Suricata 4.1.3. This release fixes a number of issues found in the 4.1-series.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-4.1.3.tar.gz
Changes

    Bug #2225: when stats info dumping in redis, the decoder.ipv4.trunc_pkt can’t output. At the same time, in the stats.log this can output
    Bug #2362: rule reload with workers mode and NFQUEUE not working stable
    Bug #2761: Include ebpf files in distributed sources
    Bug #2762: SSLv3 – AddressSanitizer heap-buffer-overflow
    Bug #2770: TCP FIN/ACK, RST/ACK in HTTP – detection bypass
    Bug #2788: afpacket doesn’t wait for all capture threads to start
    Bug #2805: dns v1/2 with rust results in less app layer data available in the alert record (for dns related alerts/rules) (4.1.x)
    Bug #2811: netmap/afpacket IPS: stream.inline: auto broken
    Bug #2823: configure.ac: broken --{enable,disable}-xxx options (4.1.x)
    Bug #2842: IPS mode crash under load
    Bug #2855: Suricata does not bridge host <-> hw rings (Affects FreeBSD 11-STABLE, FreeBSD 12 and FreeBSD 13-CURRENT)
    Bug #2862: pcre related FP in HTTP inspection (4.1.x)
    Bug #2865: Suricata rule sid:2224005 SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) does not work (4.1.x)
    Feature #2774: pcap multi dev support for Windows


Source & download: https://suricata-ids.org/2019/03/07/suricata-4-1-3-released/


SiLæncer
Suricata 4.1.4.1
« Reply #33 on: 30 May 2019, 19:00 »
Changelog

We’re pleased to announce Suricata 4.1.4. This release fixes a number of issues found in the 4.1 branch.

Changes

    Bug #2870: pcap logging with lz4 coverity warning
    Bug #2883: ssh: heap buffer overflow
    Bug #2884: mpls: heapbuffer overflow in file decode-mpls.c
    Bug #2887: decode-ethernet: heapbuffer overflow in file decode-ethernet.c
    Bug #2888: 4.1.3 core in HCBDCreateSpace
    Bug #2894: smb 1 create andx request does not parse the filename correctly
    Bug #2902: rust/dhcp: panic in dhcp parser
    Bug #2903: mpls: cast of misaligned data leads to undefined behavior
    Bug #2904: rust/ftp: panic in ftp parser
    Bug #2943: rust/nfs: integer underflow
    This release includes Suricata-Update 1.0.5


Source & download: https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/



SiLæncer
Suricata 5.0.0
« Reply #34 on: 16 October 2019, 17:00 »
Release Notes

The OISF’s Suricata development team is proud to announce Suricata 5.0.0. This release brings many new features and improvements.
RDP, SNMP, FTP and SIP

Three new protocol parsers and loggers, all community contributions. Zach Kelly created a Rust RDP parser, while Giuseppe Longo created SIP support. Rust master Pierre Chifflier contributed SNMP support. Since RDP and SIP were merged late in our development cycle they are disabled by default in the configuration. For FTP we have added an EVE logging facility.
JA3S

After contributing JA3 support in Suricata 4.1, Mats Klepsland has been working on JA3S support. JA3S is now available to the rule language and in the TLS logging output.
Datasets

Still experimental at this time, the initial work to support datasets is part of this release. It allows matching on large amounts of data. It is controlled from the rule language and will work with any ‘sticky buffer’.

See documentation at https://suricata.readthedocs.io/en/suricata-5.0.0/rules/datasets.html

We’ve already heard of people using this with millions of IOCs.
Documentation

With the help of many community members we’ve been improving the user documentation. Please see: https://suricata.readthedocs.io/en/suricata-5.0.0/
HTTP evader

We’ve been working hard to cover the final set of HTTP evader cases. This work has mostly gone into the bundled libhtp 0.5.31.
Rust

The most visible is that our Rust support is no longer optional. We’re convinced that Rust is a perfect match for Suricata, and we plan to increase its footprint in our code base steadily. By making it mandatory we’re able to remove parallel implementations and focus fully on making the Rust code better.
Protocol Detection

The protocol detection engine has been extended to provide better accuracy as well as support for dealing with asynchronous flows. These async flows are sometimes picked up in the wrong direction and the protocol detection engine can now reverse them.
Decoder Anomaly records in EVE

A new log record type has been added: ‘anomaly’. This logs the stream and decoder events that are set by the packet decoders. This is inspired by Zeek’s (Bro) ‘weird’ log.
EVE improvements

VLAN and capture interface are now part of many more EVE records, even if they are flow records or records based on flow time out.

An option to log all HTTP headers to the EVE http records has been added.
Packet Capture

Eric Leblond has been working hard on getting hardware offload support working for eBPF. On Netronome cards the eBPF based flow bypass can now be offloaded to the NIC. As eBPF is becoming a standard in the Linux space, we are hoping to see other hardware offload soon as well.

Netmap support has been rewritten so the more advanced features of netmap, such as vale switches, can be used now.

Napatech usability has been improved.
Rule language: Sticky Buffers

As discussed at the Suricon 2018 brainstorm session, a new rule keyword scheme is being introduced. It takes the existing ‘sticky buffer’ approach with new keyword names to avoid confusion. The new scheme is <proto>.<buffer>, so for example ‘http.uri’ for the URI inspection.

A number of HTTP keywords have been added.

Unified Lua inspection mixed with the sticky buffers has also been implemented.
Python 3

With Python 2’s EOL approaching, we’ve made sure that all Suricata’s python code is Python 3 compliant.
Removals

Following our deprecation policy, we have removed the following parts: the plain text dns.log, the old files-json.log and support for the Tilera architecture.

https://suricata-ids.org/about/deprecation-policy/


https://suricata-ids.org/

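The keyword scheme described under "Rule language: Sticky Buffers" in the 5.0.0 notes above, as an added illustration that is not part of the release notes or of OISF's own tooling: a small Python converter that rewrites legacy "content; http_uri;" modifier rules into the 5.0 "http.uri; content;" sticky buffer form. The legacy-to-sticky keyword mapping and the use of "pkt_data" to return to raw payload inspection come from Suricata's documented keyword set; the sample rule is constructed.

```python
# Legacy HTTP content modifier -> Suricata 5.0 sticky buffer keyword
LEGACY_TO_STICKY = {
    "http_uri": "http.uri",            "http_raw_uri": "http.uri.raw",
    "http_header": "http.header",      "http_raw_header": "http.header.raw",
    "http_cookie": "http.cookie",      "http_user_agent": "http.user_agent",
    "http_host": "http.host",          "http_raw_host": "http.host.raw",
    "http_method": "http.method",      "http_stat_code": "http.stat_code",
    "http_stat_msg": "http.stat_msg",  "http_client_body": "http.request_body",
    "http_server_body": "http.response_body",
}

# Keywords that qualify the preceding content match and travel with it
CONTENT_MODIFIERS = {"nocase", "depth", "offset", "distance", "within",
                     "fast_pattern", "startswith", "endswith"}


def split_options(text):
    """Split the rule option block into (keyword, value) pairs, honouring
    quotes and backslash escapes so a ';' inside a content string survives."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            item = "".join(buf).strip()
            if item:
                items.append(item)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    pairs = []
    for item in items:
        key, sep, value = item.partition(":")
        pairs.append((key.strip(), value.strip() if sep else None))
    return pairs


def convert_rule(rule):
    """Rewrite a rule from 'content; http_xxx;' modifier style into the 5.0
    '<proto>.<buffer>; content;' sticky buffer style. A sticky buffer stays
    active for every following content, so it is emitted only when the buffer
    changes, and 'pkt_data' is emitted to go back to raw payload matching."""
    head, _, rest = rule.partition("(")
    options = split_options(rest.rstrip().rstrip(")"))
    out, group, active = [], None, None   # active = buffer currently selected

    def flush():
        nonlocal active
        if group is None:
            return
        if group["buffer"] != active:
            out.append((group["buffer"] or "pkt_data", None))
            active = group["buffer"]
        out.extend(group["items"])

    for key, value in options:
        if key == "content":
            flush()
            group = {"buffer": None, "items": [(key, value)]}
        elif group is not None and key in LEGACY_TO_STICKY:
            group["buffer"] = LEGACY_TO_STICKY[key]
        elif group is not None and key in CONTENT_MODIFIERS:
            group["items"].append((key, value))
        else:                     # msg, flow, sid, rev, ... pass through
            flush()
            group = None
            out.append((key, value))
    flush()
    body = " ".join(f"{k};" if v is None else f"{k}:{v};" for k, v in out)
    return f"{head.rstrip()} ({body})"


# Constructed legacy-style rule (not taken from any published ruleset)
LEGACY_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any '
               '(msg:"legacy style"; flow:established,to_server; '
               'content:"/admin"; http_uri; nocase; content:"evil-agent"; '
               'http_user_agent; content:"POST"; http_method; sid:1000001; rev:1;)')

if __name__ == "__main__":
    print(convert_rule(LEGACY_RULE))
```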

SiLæncer
Suricata 5.0.1
« Reply #35 on: 19 December 2019, 17:00 »
Release Notes

We’re pleased to announce Suricata 5.0.1. This release fixes a number of issues found in the 5.0 branch. There are still a number of open issues that we are working on. See our 5.0.2 target here: https://redmine.openinfosecfoundation.org/versions/142

This release fixes a number of IPv4 and TCP evasion issues reported by Nicolas Adba.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-5.0.1.tar.gz
Changes

    Bug #1871: intermittent abort()s at shutdown and in unix-socket
    Bug #2810: enabling add request/response http headers in master
    Bug #3047: byte_extract does not work in some situations
    Bug #3073: AC_CHECK_FILE on cross compile
    Bug #3103: --engine-analysis warning for flow on an icmp request rule
    Bug #3120: nfq_handle_packet error -1 Resource temporarily unavailable warnings
    Bug #3237: http_accept not treated as sticky buffer by --engine-analysis
    Bug #3254: tcp: empty SACK option leads to decoder event
    Bug #3263: nfq: invalid number of bytes reported
    Bug #3264: EVE DNS Warning about defaulting to v2 as version is not set.
    Bug #3266: fast-log: icmp type prints wrong value
    Bug #3267: Support for tcp.hdr Behavior
    Bug #3275: address parsing: memory leak in error path
    Bug #3277: segfault when test a nfs pcap file
    Bug #3281: Impossible to cross-compile due to AC_CHECK_FILE
    Bug #3284: hash function for string in dataset is not correct
    Bug #3286: TCP evasion technique by faking a closed TCP session
    Bug #3324: TCP evasion technique by overlapping a TCP segment with a fake packet
    Bug #3328: bad ip option evasion
    Bug #3340: DNS: DNS over TCP transactions logged with wrong direction.
    Bug #3341: tcp.hdr content matches don’t work as expected
    Bug #3345: App-Layer: Not all parsers register TX detect flags that should
    Bug #3346: BPF filter on command line not honored for pcap file
    Bug #3362: cross compiling not affecting rust component of Suricata
    Bug #3376: http: pipelining tx id handling broken
    Bug #3386: Suricata is unable to get MTU from NIC after 4.1.0
    Bug #3389: EXTERNAL_NET no longer working in 5.0 as expected
    Bug #3390: Eve log does not generate pcap_filename when Interacting via unix socket in pcap processing mode
    Bug #3397: smtp: file tracking issues when more than one attachment in a tx
    Bug #3398: smtp: ‘raw-message’ option file tracking issues with multi-tx
    Bug #3399: smb: post-GAP some transactions never close
    Bug #3401: smb1: ‘event only’ transactions for bad requests never close
    Bug #3411: detect/asn1: crashes on packets smaller than offset setting
    Task #3364: configure: Rust 1.37+ has cargo-vendor support bundled into cargo.
    Documentation #2885: update documentation to indicate -i can be used multiple times
    Bundle Suricata-Update 1.1.1
    Bundle Libhtp 0.5.32


https://suricata-ids.org/


SiLæncer
Suricata 5.0.2
« Reply #36 on: 10 April 2020, 20:00 »
Release Notes

We’re pleased to announce Suricata 5.0.2. This release fixes a number of issues found in the 5.0 branch.

Get the release here: https://www.openinfosecfoundation.org/download/suricata-5.0.2.tar.gz

Changes

    Bug #2993: Suricata 5.0.0beta1 memory allocation of 4294966034 bytes failed
    Bug #3380: Segfault when using multi-detect
    Bug #3400: smb: post-GAP file tx handling
    Bug #3424: nfs: post-GAP some transactions never close
    Bug #3425: nfs: post-GAP file tx handling
    Bug #3433: coverity: CID 1456679: Memory – corruptions (NEGATIVE_RETURNS)
    Bug #3434: coverity: CID 1456680: Incorrect expression (IDENTICAL_BRANCHES)
    Bug #3469: gcc10: compilation failure unless -fcommon is supplied (5.0.x)
    Bug #3473: Dropping privileges does not work with NFLOG (5.0.x)
    Documentation #3423: readthedocs shows title of documentation as “Suricata unknown documentation”


https://suricata-ids.org/


SiLæncer
Suricata 5.0.3
« Reply #37 on: 13 May 2020, 06:00 »
Changelog

    Feature #3481: GRE ERSPAN Type 1 Support
    Feature #3613: Teredo port configuration
    Feature #3673: datasets: add ‘dataset-remove’ unix command
    Bug #3240: Dataset hash-size or prealloc invalid value logging
    Bug #3241: Dataset reputation invalid value logging
    Bug #3342: Suricata 5.0 crashes while parsing SMB data
    Bug #3450: signature with sticky buffer with subsequent pcre check in a different buffer loads but will never match
    Bug #3491: Backport 5 BUG_ON(strcasecmp(str, “any”) in DetectAddressParseString
    Bug #3507: rule parsing: memory leaks
    Bug #3526: 5.0.x Kerberos vulnerable to TCP splitting evasion
    Bug #3534: Skip over ERF_TYPE_META records
    Bug #3552: file logging: complete files sometimes marked ‘TRUNCATED’
    Bug #3571: rust: smb compile warnings
    Bug #3573: TCP Fast Open – Bypass of stateless alerts
    Bug #3574: Behavior for tcp fastopen
    Bug #3576: Segfault when facing malformed SNMP rules
    Bug #3577: SIP: Input not parsed when header values contain trailing spaces
    Bug #3580: Faulty signature with two threshold keywords does not generate an error and never match
    Bug #3582: random failures on sip and http-evader suricata-verify tests
    Bug #3585: htp: asan issue
    Bug #3592: Segfault on SMTP TLS
    Bug #3598: rules: memory leaks in pktvar keyword
    Bug #3600: rules: bad address block leads to stack exhaustion
    Bug #3602: rules: crash on ‘internal’-only keywords
    Bug #3604: rules: missing ‘consumption’ of transforms before pkt_data would lead to crash
    Bug #3606: rules: minor memory leak involving pcre_get_substring
    Bug #3609: ssl/tls: ASAN issue in SSLv3ParseHandshakeType
    Bug #3610: defrag: asan issue
    Bug #3612: rules/bsize: memory issue during parsing
    Bug #3614: build-info and configure wrongly display libnss status
    Bug #3644: Invalid memory read on malformed rule with Lua script
    Bug #3646: rules: memory leaks on failed rules
    Bug #3649: CIDR Parsing Issue
    Bug #3651: FTP response buffering against TCP stream
    Bug #3653: Recursion stack-overflow in parsing YAML configuration
    Bug #3660: Multiple DetectEngineReload and bad insertion into linked list lead to buffer overflow
    Bug #3665: FTP: Incorrect ftp_memuse calculation.
    Bug #3667: Signature with an IP range creates one IPOnlyCIDRItem per single IP address
    Bug #3669: Rules reload with Napatech can hang Suricata UNIX manager process
    Bug #3672: coverity: data directory handling issues
    Bug #3674: Protocol detection evasion by packet splitting
    Optimization #3406: filestore rules are loaded without warning when filestore is not enabled
    Task #3478: libhtp 0.5.33
    Task #3514: SMTP should place restraints on variable length items (e.g., filenames)
    Documentation #3543: doc: add ipv4.hdr and ipv6.hdr
    Bundled libhtp 0.5.33
    Bundled Suricata-Update 1.1.2


https://suricata-ids.org/


SiLæncer
Suricata 6.0.0 Beta 1
« Reply #38 on: 25 August 2020, 17:00 »
Changelog

initial HTTP/2 support
DCERPC logging
much improved EVE logging performance
RFB and MQTT protocol support, including detection and logging
HASSH support
conditional logging


https://suricata-ids.org/


SiLæncer
Suricata 6.0.1
« Reply #39 on: 14 December 2020, 18:00 »
Changelog

    http2: support file inspection API (#4121)

    Fixed:

    Bug #1275: ET Rule 2003927 not matching in suricata
    Bug #3467: Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode
    Bug #3616: strip_whitespace causes FN
    Bug #3726: Segmentation fault on rule reload when using libmagic
    Bug #3856: dcerpc: last response packet not logged
    Bug #3924: asan leak htp_connp_create
    Bug #3925: dcerpc: crash in eve logging
    Bug #3930: Out of memory from THashInitConfig called by DetectDatasetSetup
    Bug #3994: SIGABRT TCPProtoDetectCheckBailConditions
    Bug #4018: Napatech: Double release of packet possible in certain error cases.
    Bug #4069: dcerpc: fix UDP transaction handling, free_tx, etc
    Bug #4071: Null dereference in ipv4hdr GetData
    Bug #4072: ssl: Integer underflow in SSL parser
    Bug #4073: Protocol detection evasion by packet splitting on enip/SMB
    Bug #4074: Timeout while loading many rules with keyword ssl_version
    Bug #4076: http2: Memory leak when parsing signature with filestore
    Bug #4085: Assertion from AdjustToAcked
    Bug #4086: dns: memory leak in v1 dns eve logging
    Bug #4090: icmpv4: header handling issue(s)
    Bug #4091: byte_math: Offset is a signed value
    Bug #4094: AddressSanitizer: dynamic-stack-buffer-overflow (util-crypt)
    Bug #4100: ftp: Quadratic complexity in FTPGetOldestTx may lead to DOS
    Bug #4109: mac address logging crash
    Bug #4110: http: LibHTP wrong protocol with content duplication
    Bug #4111: dnp3: DOS in long loop of zero sized objects
    Bug #4120: http2: null ptr deref in http2 alert metadata
    Bug #4124: dcerpc: UDP request response pair match is incorrect
    Bug #4155: dnp3: memory leak when parsing objects with bytearrays
    Bug #4156: dnp3: signed integer overflow
    Bug #4158: PacketCopyData sets packet length even on failure
    Bug #4173: dnp3: SV tests fail on big endian
    Bug #4177: Rustc nightly warning getting the inner pointer of a temporary `CString`
    Feature #2689: http: Normalized HTTP client body buffer
    Feature #4121: http2: support file inspection API
    Optimization #4114: Optimize Rust logging macros: SCLogInfo, SCLogDebug and friends
    Task #4137: deprecate: eve.dns v1 record support
    Task #4180: libhtp 0.5.36


https://suricata-ids.org/


SiLæncer
Suricata 6.0.3
« Reply #40 on: 17 November 2021, 11:00 »
Changelog

Security #4420: Heap-use-after-free READ 8 · JsonDNP3LoggerToClient
Security #4455: Buffer overread in SMTP SMTPParseCommandBDAT
Security #4458: Rust panic in suricata::dcerpc::detect::handle_input_data (buffer overread)
Security #4483: heap-buffer-overflow WRITE in InspectionBufferSetup with use of InspectionBufferGetMulti
Security #4512: Evasion possibility on wrong/unexpected ACK value in crafted SYN packets
Feature #4489: decode: add VNTAG decoder (6.0.x)
Feature #4501: http2: body compression handling (6.0.x)
Bug #4405: 6.0.x: eve/mqtt: mqtt logging crashes when eve is multithreaded
Bug #4411: eve.drop: alerts option logs lowest priority alert
Bug #4413: segv in ApplyToU8Hash
Bug #4415: threshold: slow startup on threshold.config with many addresses in suppression
Bug #4416: apparent 1000 character limit in threshold.conf IP lists
Bug #4417: Panic in Rust HTTP2 dynamic headers table eviction
Bug #4419: detect: "drop" on protocol detect only rule doesn't drop flow
Bug #4423: Applayer Mismatch protocol both directions for kerberos AS-REQ/KDC_ERR_PREAUTH_REQUIRED exchange
Bug #4441: 6.0.x: dns: high resource usage on long lived dns connections
Bug #4443: 6.0.x: build: Build failure on FreeBSD
Bug #4450: Properly set the ICMP emergency-bypassed value
Bug #4452: ipv6 & ftp & passive mode & error
Bug #4453: Null-dereference in HTTP2MimicHttp1Request in midstream
Bug #4459: threaded eve: files not closed on deinitialization
Bug #4461: ftp: Memory leak with duplicate FTP expectation
Bug #4463: Incorrect AppLayerResult::incomplete for RDP
Bug #4465: ftp: "g_expectation_data_id" and "g_expectation_id" in AppLayerExpectationHandle function
Bug #4470: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode
Bug #4471: Duplicate alert record in eve log when using unix-socket mode
Bug #4484: Infinite loops when using InspectionBufferMultipleForList
Bug #4487: Timeout in ftp parsing rs_ftp_active_eprt
Bug #4510: Incorrect flags in Rust
Bug #4518: Buffer overflow in "by_rule" threshold context
Bug #4531: segv with --set cmdline option if incorrect key is provided
Bug #4535: Timeout in ikev2 parsing
Bug #4538: modbus: Memory leak in signature parsing with pcre
Bug #4545: SWF decompression overread


https://suricata-ids.org/


SiLæncer
Suricata 6.0.5
« Reply #41 on: 21 April 2022, 22:00 »
What's new:

LibHTP has been updated to 0.5.40. This is a required version that is bundled with both releases.
Suricata-Update, as bundled with 6.0.5, was updated to 1.2.4.

Source & download: https://forum.suricata.io/t/suricata-6-0-5-and-5-0-9-released/2415

https://suricata-ids.org/


SiLæncer
Ransomware Simulator RanSim 2.4.1.2
« Reply #42 on: 04 October 2023, 21:00 »
RanSim gives you a quick look at the effectiveness of your existing network protection. Find out how vulnerable your network is against ransomware and cryptomining attacks. Bad guys are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks?

RanSim will simulate 13 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

Freeware

https://www.knowbe4.com/ransomware-simulator
