https://inliniac.net/blog/category/oisf/ Recent content in Oisf on Inliniac Hugo en Wed, 27 Jan 2016 15:33:27 +0000 https://inliniac.net/blog/2016/01/27/suricata-3-0-is-out/ Wed, 27 Jan 2016 15:33:27 +0000 https://inliniac.net/blog/2016/01/27/suricata-3-0-is-out/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2015/11/suri-400x400.png?w=150" alt="suri-400x400">Today, almost 2 years after the release of Suricata 2.0, we released 3.0! This new version of Suricata improves performance, scalability, accuracy and general robustness. Next to this, it brings a lot of new features.</p> <p>New features are too numerous to mention here, but I&rsquo;d like to highlight a few:</p> <ul> <li>netmap support: finally a high speed capture method for our FreeBSD friends, IDS <strong>and</strong> IPS</li> <li>multi-tenancy: single instance, multiple detection configs</li> <li>JSON stats: making it much easier to graph the stats in ELK, etc</li> <li>Much improved Lua support: many more fields/protocols available, output scripts</li> </ul> <p>Check the full list here in the announcement: <a href="http://suricata-ids.org/2016/01/27/suricata-3-0-available/">http://suricata-ids.org/2016/01/27/suricata-3-0-available/</a></p> https://inliniac.net/blog/2015/11/24/new-suricata-release-model/ Tue, 24 Nov 2015 15:54:35 +0000 https://inliniac.net/blog/2015/11/24/new-suricata-release-model/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2015/11/suri-400x400.png" alt="suri-400x400">As the team is back from a very successful week in Barcelona, I&rsquo;d like to take a moment on what we discussed and decided on with regards to development.</p> <p>One thing no one was happy with is how the release schedules are working. Releases were meant to reasonably frequent, but the time between major releases was growing longer and longer. The 2.0 branch for example, is closing in on 2 years as the stable branch. The result is that many people are missing out on many of the improvements we&rsquo;ve been doing. Currently many people using Suricata actually use a beta version, of even our git master, in production!</p> https://inliniac.net/blog/2015/01/08/suricata-has-been-added-to-debian-backports/ Thu, 08 Jan 2015 00:34:50 +0000 https://inliniac.net/blog/2015/01/08/suricata-has-been-added-to-debian-backports/ <p>Thanks to the hard work of Arturo Borrero Gonzalez, Suricata has just been added to the <img src="https://inliniac.net/blog/blog/wp-content/uploads/2015/01/openlogo-100.png" alt="openlogo-100">Debian &lsquo;backports&rsquo; repository. This allows users of Debian stable to run up to date versions of Suricata.</p> <p>The &lsquo;Backports&rsquo; repository makes the Suricata and libhtp packages from Debian Testing available to &lsquo;stable&rsquo; users. As &rsquo;testing&rsquo; is currently in a freeze, it may take a bit of time before 2.0.5 and libhtp 0.5.16 appear.</p> <p>Anyway, here is how to use it.</p> https://inliniac.net/blog/2014/12/23/profiling-suricata-with-jemalloc/ Tue, 23 Dec 2014 15:34:23 +0000 https://inliniac.net/blog/2014/12/23/profiling-suricata-with-jemalloc/ <p>JEMALLOC is a memory allocation library: <a href="http://www.canonware.com/jemalloc/">http://www.canonware.com/jemalloc/</a></p> <p>It offers many interesting things for a tool like Suricata. Ken Steele of EZchip (formerly Tilera) <a href="https://github.com/inliniac/suricata/pull/1233">made me aware of it</a>. In Ken&rsquo;s testing it helps performance.</p> <p><strong>Install</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span>wget http:<span style="color:#f92672">//</span>www<span style="color:#f92672">.</span>canonware<span style="color:#f92672">.</span>com<span style="color:#f92672">/</span>download<span style="color:#f92672">/</span>jemalloc<span style="color:#f92672">/</span>jemalloc<span style="color:#f92672">-</span><span style="color:#ae81ff">3.6</span><span style="color:#f92672">.</span><span style="color:#ae81ff">0.</span>tar<span style="color:#f92672">.</span>bz2 </span></span><span style="display:flex;"><span>tar xvfj jemalloc<span style="color:#f92672">-</span><span style="color:#ae81ff">3.6</span><span style="color:#f92672">.</span><span style="color:#ae81ff">0.</span>tar<span style="color:#f92672">.</span>bz2 </span></span><span style="display:flex;"><span>cd jemalloc<span style="color:#f92672">-</span><span style="color:#ae81ff">3.6</span><span style="color:#f92672">.</span><span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">./</span>configure <span style="color:#f92672">--</span>prefix<span style="color:#f92672">=/</span>opt<span style="color:#f92672">/</span>jemalloc<span style="color:#f92672">/</span> </span></span><span style="display:flex;"><span>make </span></span><span style="display:flex;"><span>sudo make install </span></span></code></pre></div><p>Then use it by preloading it:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>LD_PRELOAD=/opt/jemalloc/lib/libjemalloc.so ./src/suricata -c suricata.yaml -l tmp/ -r ~/sync/pcap/sandnet.pcap -S emerging-all.rules -v </span></span></code></pre></div><p>I haven&rsquo;t benchmarked this, but if you&rsquo;re running a high performance setup it may certainly be worth a shot.</p> https://inliniac.net/blog/2014/09/29/suricata-training-tour/ Mon, 29 Sep 2014 09:25:26 +0000 https://inliniac.net/blog/2014/09/29/suricata-training-tour/ <p>After a lot of preparations, it&rsquo;s finally going to happen: <a href="http://suricata-ids.org/2014/09/23/announcing-the-suricata-training-program/">official Suricata trainings</a>!</p> <p>In the next couple of months I&rsquo;ll be doing at least 3 sessions: <a href="http://suricata-ids.org/2014/09/23/get-trained-in-amsterdam/">a home match (Amsterdam)</a>, a <a href="http://suricata-ids.org/2014/09/25/get-trained-at-hack-lu-in-luxembourg/">workshop in Luxembourg</a> and a session at <a href="http://suricata-ids.org/2014/09/29/get-trained-at-deepsec-in-vienna/">DeepSec</a>. Next to this, we&rsquo;re planning various US based sessions on the East coast and West coast.</p> <p>I&rsquo;m really looking forward to doing these sessions. Other than the official content, there will be plenty of room for questions and discussions.</p> https://inliniac.net/blog/2014/03/25/suricata-2-0-and-beyond/ Tue, 25 Mar 2014 14:37:46 +0000 https://inliniac.net/blog/2014/03/25/suricata-2-0-and-beyond/ <p>Today I finally <a href="http://suricata-ids.org/2014/03/25/suricata-2-0-available/">released Suricata 2.0</a>. The 2.0 branch opened in December 2012. In the little over a year that it&rsquo;s development lasted, we have closed 183 tickets. We made 1174 commits, with the following stats:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>582 files changed, 94782 insertions(+), 63243 deletions(-) </span></span></code></pre></div><p>So, a significant update! In total, 17 different people made commits. I&rsquo;m really happy with how much code and features were contributed. When starting Suricata this was what I really hoped for, and it seems to be working!</p> https://inliniac.net/blog/2013/12/21/suricata-development-update-2/ Sat, 21 Dec 2013 11:47:05 +0000 https://inliniac.net/blog/2013/12/21/suricata-development-update-2/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png?w=300" alt="Suricata">With the holidays approaching and the <a href="http://suricata-ids.org/2013/12/16/suricata-1-4-7-released/">1.4.7</a> and <a href="http://suricata-ids.org/2013/12/18/suricata-2-0beta2-available/">2.0beta2</a> releases out, I thought it was a good moment for some reflection on how development is going.</p> <p>I feel things are going very well. It&rsquo;s great to work with a group that approaches this project from different angles. OISF has budget have people work on overall features, quality and support. Next to that, our consortium supporters help develop the project: Tilera&rsquo;s Ken Steele is working on the Tile hardware support, doing lots optimizations. Many of which benefit performance and overall quality for the whole project. Tom Decanio of Npulse is doing great work on the output side, unifying the outputs to be machine readable. Jason Ish of Emulex/Endace is helping out the configuration API, defrag, etc. Others, both from the larger community and our consortium, are helping as well.</p> https://inliniac.net/blog/2013/11/07/suricata-profiling-per-keyword/ Thu, 07 Nov 2013 14:37:04 +0000 https://inliniac.net/blog/2013/11/07/suricata-profiling-per-keyword/ <p>Last week I&rsquo;ve added some more profiling options to Suricata. It&rsquo;s part of the current git master. It&rsquo;s enabled only when <code>--enable-profiling</code> and then through the suricata.yaml:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>profiling: </span></span><span style="display:flex;"><span> # per keyword profiling </span></span><span style="display:flex;"><span> keywords: </span></span><span style="display:flex;"><span> enabled: yes </span></span><span style="display:flex;"><span> filename: keyword_perf.log </span></span><span style="display:flex;"><span> append: yes </span></span></code></pre></div><p>This will output a table similar to below:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Date: <span style="color:#ae81ff">11</span><span style="color:#f92672">/</span><span style="color:#ae81ff">7</span><span style="color:#f92672">/</span><span style="color:#ae81ff">2013</span> <span style="color:#f92672">--</span> <span style="color:#ae81ff">15</span>:<span style="color:#ae81ff">13</span>:<span style="color:#ae81ff">11</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: total </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>threshold <span style="color:#ae81ff">355324491</span> <span style="color:#ae81ff">190574</span> <span style="color:#ae81ff">409</span> <span style="color:#ae81ff">72276</span> <span style="color:#ae81ff">1864.00</span> <span style="color:#ae81ff">3625.00</span> <span style="color:#ae81ff">1860.00</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">1274592063</span> <span style="color:#ae81ff">534328</span> <span style="color:#ae81ff">196738</span> <span style="color:#ae81ff">312321</span> <span style="color:#ae81ff">2385.00</span> <span style="color:#ae81ff">2424.00</span> <span style="color:#ae81ff">2362.00</span> </span></span><span style="display:flex;"><span>pcre <span style="color:#ae81ff">56626031</span> <span style="color:#ae81ff">11149</span> <span style="color:#ae81ff">824</span> <span style="color:#ae81ff">254562</span> <span style="color:#ae81ff">5079.00</span> <span style="color:#ae81ff">12234.00</span> <span style="color:#ae81ff">4507.00</span> </span></span><span style="display:flex;"><span>byte_test <span style="color:#ae81ff">153287955</span> <span style="color:#ae81ff">128254</span> <span style="color:#ae81ff">32109</span> <span style="color:#ae81ff">67989</span> <span style="color:#ae81ff">1195.00</span> <span style="color:#ae81ff">1658.00</span> <span style="color:#ae81ff">1040.00</span> </span></span><span style="display:flex;"><span>byte_jump <span style="color:#ae81ff">3676404</span> <span style="color:#ae81ff">2041</span> <span style="color:#ae81ff">2041</span> <span style="color:#ae81ff">15939</span> <span style="color:#ae81ff">1801.00</span> <span style="color:#ae81ff">1801.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span>flow <span style="color:#ae81ff">38276182</span> <span style="color:#ae81ff">22842</span> <span style="color:#ae81ff">22842</span> <span style="color:#ae81ff">63987</span> <span style="color:#ae81ff">1675.00</span> <span style="color:#ae81ff">1675.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span>isdataat <span style="color:#ae81ff">580764</span> <span style="color:#ae81ff">558</span> <span style="color:#ae81ff">556</span> <span style="color:#ae81ff">2427</span> <span style="color:#ae81ff">1040.00</span> <span style="color:#ae81ff">1040.00</span> <span style="color:#ae81ff">1017.00</span> </span></span><span style="display:flex;"><span>dsize <span style="color:#ae81ff">2212029</span> <span style="color:#ae81ff">2062</span> <span style="color:#ae81ff">2061</span> <span style="color:#ae81ff">3711</span> <span style="color:#ae81ff">1072.00</span> <span style="color:#ae81ff">1072.00</span> <span style="color:#ae81ff">789.00</span> </span></span><span style="display:flex;"><span>flowbits <span style="color:#ae81ff">1677209</span> <span style="color:#ae81ff">874</span> <span style="color:#ae81ff">870</span> <span style="color:#ae81ff">9873</span> <span style="color:#ae81ff">1919.00</span> <span style="color:#ae81ff">1923.00</span> <span style="color:#ae81ff">884.00</span> </span></span><span style="display:flex;"><span>itype <span style="color:#ae81ff">1653</span> <span style="color:#ae81ff">2</span> <span style="color:#ae81ff">1</span> <span style="color:#ae81ff">1386</span> <span style="color:#ae81ff">826.00</span> <span style="color:#ae81ff">267.00</span> <span style="color:#ae81ff">1386.00</span> </span></span><span style="display:flex;"><span>icode <span style="color:#ae81ff">27383781</span> <span style="color:#ae81ff">93827</span> <span style="color:#ae81ff">2</span> <span style="color:#ae81ff">25545</span> <span style="color:#ae81ff">291.00</span> <span style="color:#ae81ff">1021.00</span> <span style="color:#ae81ff">291.00</span> </span></span><span style="display:flex;"><span>flags <span style="color:#ae81ff">192751968</span> <span style="color:#ae81ff">245519</span> <span style="color:#ae81ff">189709</span> <span style="color:#ae81ff">255639</span> <span style="color:#ae81ff">785.00</span> <span style="color:#ae81ff">753.00</span> <span style="color:#ae81ff">892.00</span> </span></span><span style="display:flex;"><span>urilen <span style="color:#ae81ff">6149297</span> <span style="color:#ae81ff">6142</span> <span style="color:#ae81ff">1099</span> <span style="color:#ae81ff">28299</span> <span style="color:#ae81ff">1001.00</span> <span style="color:#ae81ff">1395.00</span> <span style="color:#ae81ff">915.00</span> </span></span><span style="display:flex;"><span>byte_extract <span style="color:#ae81ff">143091</span> <span style="color:#ae81ff">78</span> <span style="color:#ae81ff">78</span> <span style="color:#ae81ff">7743</span> <span style="color:#ae81ff">1834.00</span> <span style="color:#ae81ff">1834.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: packet </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>flow <span style="color:#ae81ff">38276182</span> <span style="color:#ae81ff">22842</span> <span style="color:#ae81ff">22842</span> <span style="color:#ae81ff">63987</span> <span style="color:#ae81ff">1675.00</span> <span style="color:#ae81ff">1675.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span>dsize <span style="color:#ae81ff">2212029</span> <span style="color:#ae81ff">2062</span> <span style="color:#ae81ff">2061</span> <span style="color:#ae81ff">3711</span> <span style="color:#ae81ff">1072.00</span> <span style="color:#ae81ff">1072.00</span> <span style="color:#ae81ff">789.00</span> </span></span><span style="display:flex;"><span>flowbits <span style="color:#ae81ff">351171</span> <span style="color:#ae81ff">294</span> <span style="color:#ae81ff">290</span> <span style="color:#ae81ff">5526</span> <span style="color:#ae81ff">1194.00</span> <span style="color:#ae81ff">1198.00</span> <span style="color:#ae81ff">884.00</span> </span></span><span style="display:flex;"><span>itype <span style="color:#ae81ff">1653</span> <span style="color:#ae81ff">2</span> <span style="color:#ae81ff">1</span> <span style="color:#ae81ff">1386</span> <span style="color:#ae81ff">826.00</span> <span style="color:#ae81ff">267.00</span> <span style="color:#ae81ff">1386.00</span> </span></span><span style="display:flex;"><span>icode <span style="color:#ae81ff">27383781</span> <span style="color:#ae81ff">93827</span> <span style="color:#ae81ff">2</span> <span style="color:#ae81ff">25545</span> <span style="color:#ae81ff">291.00</span> <span style="color:#ae81ff">1021.00</span> <span style="color:#ae81ff">291.00</span> </span></span><span style="display:flex;"><span>flags <span style="color:#ae81ff">192751968</span> <span style="color:#ae81ff">245519</span> <span style="color:#ae81ff">189709</span> <span style="color:#ae81ff">255639</span> <span style="color:#ae81ff">785.00</span> <span style="color:#ae81ff">753.00</span> <span style="color:#ae81ff">892.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: packet<span style="color:#f92672">/</span>stream payload </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">1203990910</span> <span style="color:#ae81ff">512902</span> <span style="color:#ae81ff">183628</span> <span style="color:#ae81ff">312321</span> <span style="color:#ae81ff">2347.00</span> <span style="color:#ae81ff">2365.00</span> <span style="color:#ae81ff">2337.00</span> </span></span><span style="display:flex;"><span>pcre <span style="color:#ae81ff">28087301</span> <span style="color:#ae81ff">6598</span> <span style="color:#ae81ff">54</span> <span style="color:#ae81ff">254562</span> <span style="color:#ae81ff">4256.00</span> <span style="color:#ae81ff">12279.00</span> <span style="color:#ae81ff">4190.00</span> </span></span><span style="display:flex;"><span>byte_test <span style="color:#ae81ff">153287955</span> <span style="color:#ae81ff">128254</span> <span style="color:#ae81ff">32109</span> <span style="color:#ae81ff">67989</span> <span style="color:#ae81ff">1195.00</span> <span style="color:#ae81ff">1658.00</span> <span style="color:#ae81ff">1040.00</span> </span></span><span style="display:flex;"><span>byte_jump <span style="color:#ae81ff">3676404</span> <span style="color:#ae81ff">2041</span> <span style="color:#ae81ff">2041</span> <span style="color:#ae81ff">15939</span> <span style="color:#ae81ff">1801.00</span> <span style="color:#ae81ff">1801.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span>isdataat <span style="color:#ae81ff">578172</span> <span style="color:#ae81ff">556</span> <span style="color:#ae81ff">554</span> <span style="color:#ae81ff">2427</span> <span style="color:#ae81ff">1039.00</span> <span style="color:#ae81ff">1039.00</span> <span style="color:#ae81ff">1017.00</span> </span></span><span style="display:flex;"><span>byte_extract <span style="color:#ae81ff">143091</span> <span style="color:#ae81ff">78</span> <span style="color:#ae81ff">78</span> <span style="color:#ae81ff">7743</span> <span style="color:#ae81ff">1834.00</span> <span style="color:#ae81ff">1834.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: http uri </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">44775802</span> <span style="color:#ae81ff">13102</span> <span style="color:#ae81ff">8351</span> <span style="color:#ae81ff">60993</span> <span style="color:#ae81ff">3417.00</span> <span style="color:#ae81ff">3257.00</span> <span style="color:#ae81ff">3698.00</span> </span></span><span style="display:flex;"><span>pcre <span style="color:#ae81ff">18284421</span> <span style="color:#ae81ff">3646</span> <span style="color:#ae81ff">97</span> <span style="color:#ae81ff">61338</span> <span style="color:#ae81ff">5014.00</span> <span style="color:#ae81ff">8916.00</span> <span style="color:#ae81ff">4908.00</span> </span></span><span style="display:flex;"><span>isdataat <span style="color:#ae81ff">2592</span> <span style="color:#ae81ff">2</span> <span style="color:#ae81ff">2</span> <span style="color:#ae81ff">1725</span> <span style="color:#ae81ff">1296.00</span> <span style="color:#ae81ff">1296.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span>urilen <span style="color:#ae81ff">6149297</span> <span style="color:#ae81ff">6142</span> <span style="color:#ae81ff">1099</span> <span style="color:#ae81ff">28299</span> <span style="color:#ae81ff">1001.00</span> <span style="color:#ae81ff">1395.00</span> <span style="color:#ae81ff">915.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: http raw uri </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>pcre <span style="color:#ae81ff">9534</span> <span style="color:#ae81ff">2</span> <span style="color:#ae81ff">0</span> <span style="color:#ae81ff">4953</span> <span style="color:#ae81ff">4767.00</span> <span style="color:#ae81ff">0.00</span> <span style="color:#ae81ff">4767.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: http client body </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">1556904</span> <span style="color:#ae81ff">441</span> <span style="color:#ae81ff">181</span> <span style="color:#ae81ff">58476</span> <span style="color:#ae81ff">3530.00</span> <span style="color:#ae81ff">2874.00</span> <span style="color:#ae81ff">3986.00</span> </span></span><span style="display:flex;"><span>pcre <span style="color:#ae81ff">63924</span> <span style="color:#ae81ff">6</span> <span style="color:#ae81ff">6</span> <span style="color:#ae81ff">17358</span> <span style="color:#ae81ff">10654.00</span> <span style="color:#ae81ff">10654.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: http headers </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">23688244</span> <span style="color:#ae81ff">7631</span> <span style="color:#ae81ff">4348</span> <span style="color:#ae81ff">31098</span> <span style="color:#ae81ff">3104.00</span> <span style="color:#ae81ff">3311.00</span> <span style="color:#ae81ff">2829.00</span> </span></span><span style="display:flex;"><span>pcre <span style="color:#ae81ff">9998970</span> <span style="color:#ae81ff">859</span> <span style="color:#ae81ff">667</span> <span style="color:#ae81ff">71904</span> <span style="color:#ae81ff">11640.00</span> <span style="color:#ae81ff">12727.00</span> <span style="color:#ae81ff">7862.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: http stat code </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">80052</span> <span style="color:#ae81ff">39</span> <span style="color:#ae81ff">20</span> <span style="color:#ae81ff">3699</span> <span style="color:#ae81ff">2052.00</span> <span style="color:#ae81ff">2199.00</span> <span style="color:#ae81ff">1898.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: http method </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">476334</span> <span style="color:#ae81ff">203</span> <span style="color:#ae81ff">201</span> <span style="color:#ae81ff">27240</span> <span style="color:#ae81ff">2346.00</span> <span style="color:#ae81ff">2351.00</span> <span style="color:#ae81ff">1846.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: http cookie </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">23817</span> <span style="color:#ae81ff">10</span> <span style="color:#ae81ff">9</span> <span style="color:#ae81ff">2763</span> <span style="color:#ae81ff">2381.00</span> <span style="color:#ae81ff">2384.00</span> <span style="color:#ae81ff">2358.00</span> </span></span><span style="display:flex;"><span>pcre <span style="color:#ae81ff">181881</span> <span style="color:#ae81ff">38</span> <span style="color:#ae81ff">0</span> <span style="color:#ae81ff">13095</span> <span style="color:#ae81ff">4786.00</span> <span style="color:#ae81ff">0.00</span> <span style="color:#ae81ff">4786.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: post<span style="color:#f92672">-</span>match </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>flowbits <span style="color:#ae81ff">1326038</span> <span style="color:#ae81ff">580</span> <span style="color:#ae81ff">580</span> <span style="color:#ae81ff">9873</span> <span style="color:#ae81ff">2286.00</span> <span style="color:#ae81ff">2286.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: threshold </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>threshold <span style="color:#ae81ff">355324491</span> <span style="color:#ae81ff">190574</span> <span style="color:#ae81ff">409</span> <span style="color:#ae81ff">72276</span> <span style="color:#ae81ff">1864.00</span> <span style="color:#ae81ff">3625.00</span> <span style="color:#ae81ff">1860.00</span> </span></span></code></pre></div><p>The first part has the totals for all keywords. After this the stats are broken down per buffer type.</p> https://inliniac.net/blog/2013/09/27/attending-hack-lu-with-the-suricata-team/ Fri, 27 Sep 2013 07:38:15 +0000 https://inliniac.net/blog/2013/09/27/attending-hack-lu-with-the-suricata-team/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2013/09/hacklu.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2013/09/hacklu.png" alt="hacklu"></a> Next month I will be attending <a href="http://2013.hack.lu/index.php/Main_Page">Hack.lu</a>. The entire <a href="http://www.openinfosecfoundation.org/index.php/team">Suricata team</a> will be present as well. We&rsquo;ll be doing several meetings, including a <a href="http://suricata-ids.org/2013/09/20/save-the-date-october-24-2013/">training day</a> on the 24th of October.</p> <p>If you are close and interested in Suricata, please consider joining us. The training is free and does not require you to pay for the conference.</p> https://inliniac.net/blog/2013/04/23/more-on-suricata-lua-flowints/ Tue, 23 Apr 2013 10:17:52 +0000 https://inliniac.net/blog/2013/04/23/more-on-suricata-lua-flowints/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/lua.gif" alt="">This morning I added flowint lua functions for incrementing and decrementing flowints. From the <a href="https://github.com/inliniac/suricata/commit/9571091e53a2103cbc9926242fa2cb003eb412ec">commit</a>:</p> <blockquote> <p>Add flowint lua functions for incrementing and decrementing flowints.</p> <p>First use creates the var and inits to 0. So a call:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span> a = ScFlowintIncr(0) </span></span></code></pre></div><p>Results in a == 1.</p> <p>If the var reached UINT_MAX (2^32), it&rsquo;s not further incremented. If the var reaches 0 it&rsquo;s not decremented further.</p> <p>Calling ScFlowintDecr on a uninitialized var will init it to 0.</p> https://inliniac.net/blog/2013/04/22/suricata-lua-scripting-flowint-access/ Mon, 22 Apr 2013 16:16:30 +0000 https://inliniac.net/blog/2013/04/22/suricata-lua-scripting-flowint-access/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/lua.gif" alt="">A few days ago I wrote about my Emerging Threats sponsored <a href="https://inliniac.net/blog/2013/04/18/suricata-lua-scripting-flowvar-access/" title="Suricata Lua scripting flowvar access">work</a> to support flowvars from Lua scripts in Suricata.</p> <p>Today, I updated that support. Flowvar &lsquo;sets&rsquo; are now real time. This was needed to fix some issues where a script was invoked multiple times in single rule, which can happen with some buffers, like HTTP headers.</p> <p>Also, I implemented flowint support. Flowints in Suricata are integers stored in the flow context.</p> https://inliniac.net/blog/2013/04/19/suricata-handling-of-multiple-different-synacks/ Fri, 19 Apr 2013 07:53:00 +0000 https://inliniac.net/blog/2013/04/19/suricata-handling-of-multiple-different-synacks/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2013/04/synack.png" alt="synack">When processing the TCP 3 way handshake (3whs), Suricata&rsquo;s TCP stream engine will closely follow the setup of a TCP connection to make sure the rest of the session can be tracked and reassembled properly. Retransmissions of SYN/ACKs are silently accepted, unless they are different somehow. If the SEQ or ACK values are different they are considered wrong and events are set. The stream events rules will match on this.</p> https://inliniac.net/blog/2013/04/18/suricata-lua-scripting-flowvar-access/ Thu, 18 Apr 2013 16:36:56 +0000 https://inliniac.net/blog/2013/04/18/suricata-lua-scripting-flowvar-access/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/lua.gif" alt="">Funded by Emerging Threats, I&rsquo;ve been working on giving the lua scripts access to flowvars.</p> <p>Currently only &ldquo;flowvars&rdquo; are done, &ldquo;flowints&rdquo; will be next. Please review the code at: <a href="https://github.com/inliniac/suricata/tree/dev-lua-flowvar">https://github.com/inliniac/suricata/tree/dev-lua-flowvar</a></p> <p>Pcre based flowvar capturing is done in a post-match fashion. If the rule containing the &ldquo;capture&rdquo; matches, the var is stored in the flow.</p> <p>For lua scripting, this wasn&rsquo;t what the rule writers wanted. In this case, the flowvars are stored in the flow regardless of a rule match.</p> https://inliniac.net/blog/2013/03/08/728/ Fri, 08 Mar 2013 14:24:32 +0000 https://inliniac.net/blog/2013/03/08/728/ <p>Major 1.4 update.</p> <p><a href="https://suricata.io/2013/03/08/suricata-1-4-1-released/">https://suricata.io/2013/03/08/suricata-1-4-1-released/</a></p> https://inliniac.net/blog/2012/12/14/on-suricata-1-3-1-4-and-next/ Fri, 14 Dec 2012 10:38:22 +0000 https://inliniac.net/blog/2012/12/14/on-suricata-1-3-1-4-and-next/ <p>So with <a href="http://suricata-ids.org/2012/12/13/suricata-1-4-released/">1.4</a> out the door we have a new stable. However, we&rsquo;re keeping 1.3 around for a few more months to give everyone the chance to plan updating to 1.4. Of course, we think 1.4 is a lot better than anything we released before, so we do recommend updating as soon as you can.</p> <p>Continued support for 1.3 means we&rsquo;ll do more releases to fix critical issues. We&rsquo;ll probably include trivial fixes of smaller problems. When talking about critical issues I mean crash cases mostly. Anything else will be fixed only in 1.4 and up.</p> https://inliniac.net/blog/2012/12/13/suricata-1-4-is-out/ Thu, 13 Dec 2012 17:54:22 +0000 https://inliniac.net/blog/2012/12/13/suricata-1-4-is-out/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png" alt="">About 5 months after 1.3 came out we&rsquo;ve released <a href="http://suricata-ids.org/2012/12/13/suricata-1-4-released/">1.4</a>, and we&rsquo;ve been quite busy. Eric Leblond&rsquo;s post <a href="https://home.regit.org/2012/12/some-statistics-about-suricata-1-4/">here</a> has all the stats and graphs. There are three big new features: <a href="https://inliniac.net/blog/2012/11/29/closing-in-on-suricata-1-4/" title="Closing in on Suricata 1.4">unix socket</a>, <a href="https://inliniac.net/blog/2012/11/21/ip-reputation-in-suricata/" title="IP Reputation in Suricata">ip reputation</a> and <a href="https://inliniac.net/blog/2012/09/21/suricata-luajit-update/" title="Suricata luajit update">luajit</a>. For each of these the same is true: it&rsquo;s usesable now, but it&rsquo;s the potential that we&rsquo;re most excited about. Over the next months we&rsquo;ll be extending each of those to be even more useful. We&rsquo;re very much interested in ideas and feedback.</p> https://inliniac.net/blog/2012/12/11/ipv6-evasions-scanners-and-the-importance-of-staying-current/ Tue, 11 Dec 2012 16:13:49 +0000 https://inliniac.net/blog/2012/12/11/ipv6-evasions-scanners-and-the-importance-of-staying-current/ <p>Lots of activity on the IPv6 front lately. There was a talk on a conference on bypassing IDS using IPv6 tricks. Also a new scan tool (Topera) claimed to scan a host while staying below the radar of an IDS was released. To start with the latter, even though Suricata doesn&rsquo;t have a dedicated port scan detector, the tool&rsquo;s traffic lights up like a Christmas tree. The trick it pulls is to pack a lot of duplicate DST OPTS extension headers in the IPv6 packets. These options are just fillers, the only options they use are the &ldquo;pad&rdquo; option. In Suricata we&rsquo;ve had an event for duplicate DST OPTS headers since 1.3 and the padding only headers generate an event in 1.4. Both alerts will be very noisy, so calling this a stealth attack rather dubious.</p> https://inliniac.net/blog/2012/11/29/closing-in-on-suricata-1-4/ Thu, 29 Nov 2012 16:50:15 +0000 https://inliniac.net/blog/2012/11/29/closing-in-on-suricata-1-4/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png" alt="">I just made <a href="http://suricata-ids.org/2012/11/29/suricata-1-4rc1-available/">Suricata 1.4rc1</a> available with some pretty exciting features: unix socket mode and IP reputation.</p> <p><strong>Unix socket</strong></p> <p>First of all, <a href="https://home.regit.org/2012/09/a-new-unix-command-mode-in-suricata/">Eric Leblond&rsquo;s work</a> on the Unix socket was merged. The unix socket work consists of two parts. The unix socket protocol implementation and a new runmode.</p> <p>The protocol implementation is based on JSON messages over unix socket. Eric will be fully documenting it soon. Currently the commands are limited to shutting down and getting some basic stats. This part isn&rsquo;t very exciting yet, but the groundwork for many future extensions has been laid.</p> https://inliniac.net/blog/2012/11/21/ip-reputation-in-suricata/ Wed, 21 Nov 2012 19:22:01 +0000 https://inliniac.net/blog/2012/11/21/ip-reputation-in-suricata/ <p><em>Disclaimer: this work was sponsored by <a href="http://www.emergingthreatspro.com/">Emerging Threats Pro</a>.</em></p> <p>One thing we&rsquo;ve been talking about for many years at OISF is IP Reputation. The basic idea is that many organizations have information about specific IP-addresses. This information may be that a host is infected, acts as a spam relay or many other things. We&rsquo;ve always thought it might be useful to apply this info to the IDS directly.</p> <p>In the last weeks I&rsquo;ve developed code to load IP reputation information into Suricata. This code is now part of the Suricata git master, so it&rsquo;s available to all.</p> https://inliniac.net/blog/2012/11/01/important-suricata-update/ Thu, 01 Nov 2012 18:16:51 +0000 https://inliniac.net/blog/2012/11/01/important-suricata-update/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png" alt="">We just released <a href="http://suricata-ids.org/2012/11/01/suricata-1-3-3-available/">Suricata 1.3.3</a> which contains some important accuracy fixes. Also, it should be much more robust against out of memory conditions.</p> <p>For those of you running Suricata in IPS mode, this is important as well. We found that rules that have the drop or reject actions, were not playing well with thresholding.</p> <p>So upgrading is highly recommended!</p> <p>Code changes are not too big, largest changes are due to some extra unittests:</p> https://inliniac.net/blog/2012/10/13/setting-up-an-ips-with-fedora-17-suricata-and-vuurmuur/ Sat, 13 Oct 2012 11:07:19 +0000 https://inliniac.net/blog/2012/10/13/setting-up-an-ips-with-fedora-17-suricata-and-vuurmuur/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/08/vuurmuur-connview-small.png" alt=""></p> <p>I recently found out that Fedora includes Vuurmuur in it&rsquo;s repositories. Since Suricata is also included, I figured I would do a quick write up on how to setup a Fedora IPS. While writing it turned more into a real &ldquo;howto&rdquo;, so I decided to submit it to Howtoforge.</p> <p>It can be found <a href="http://www.howtoforge.com/how-to-set-up-an-ips-intrusion-prevention-system-on-fedora-17">here one HowtoForge</a>.</p> <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png" alt="">Vuurmuur on Fedora is at the 0.7 version, which is still the current stable. It&rsquo;s rather old though, and it reminds me again I need to make sure the 0.8 branch gets to a stable release soon. The Suricata included in Fedora 17 is 1.2.1, with <a href="http://suricata-ids.org/2012/10/03/suricata-1-3-2-available/">1.3.2</a> expected to land any day now.</p> https://inliniac.net/blog/2012/10/04/suricata-1-4-development-update/ Thu, 04 Oct 2012 16:51:40 +0000 https://inliniac.net/blog/2012/10/04/suricata-1-4-development-update/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png" alt=""></a> Today, a day after <a href="https://inliniac.net/blog/2012/10/03/suricata-1-3-2-is-out/">1.3.2</a>, we&rsquo;ve released <a href="http://suricata-ids.org/2012/10/04/suricata-1-4beta2-available-for-testing/">1.4beta2</a>. While 1.3.2 is an important update for those running 1.3.1 or lower, today&rsquo;s release is where things get exciting. A lot of things were improved and added. Let me show some numbers first.</p> <p>The 1.4beta2 release is a pretty big update over 1.4beta1 as it touches over 5k lines of code:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>234 files changed, 5033 insertions(+), 3759 deletions(-) </span></span></code></pre></div><p>Compared to 1.4beta2 vs yesterday&rsquo;s 1.3.2 it&rsquo;s clear over 11k lines of code are touched:</p> https://inliniac.net/blog/2012/10/03/suricata-1-3-2-is-out/ Wed, 03 Oct 2012 15:38:28 +0000 https://inliniac.net/blog/2012/10/03/suricata-1-3-2-is-out/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png" alt=""></a> Today we released Suricata 1.3.2. Not a big update, but there are some important fixes in the stream engine, fast_pattern:chop handling, HTTP multipart parsing and the flow keyword with &ldquo;nostream&rdquo;.</p> <p>As the diff stat output shows, it&rsquo;s a rather light maintenance update over 1.3.1: [sourcecode] ChangeLog | 12 ++ libhtp/configure.ac | 2 +- libhtp/htp.pc.in | 2 +- libhtp/htp/htp.h | 2 +- src/app-layer-htp-file.c | 145 ++++++++++++++++++++++++ src/app-layer-htp.c | 192 ++++++++++++++++++++++++++&mdash;&mdash; src/decode.c | 3 + src/decode.h | 1 + src/defrag.c | 4 +- src/detect-engine-content-inspection.c | 9 &ndash; src/detect-flow.c | 68 ++++++++++- src/source-af-packet.c | 9 ++ src/source-ipfw.c | 13 ++- src/source-pfring.c | 28 ++&mdash; src/stream-tcp-reassemble.c | 1 + src/util-cpu.c | 10 +- 16 files changed, 435 insertions(+), 66 deletions(-) [/sourcecode]</p> https://inliniac.net/blog/2012/09/21/suricata-luajit-update/ Fri, 21 Sep 2012 14:49:54 +0000 https://inliniac.net/blog/2012/09/21/suricata-luajit-update/ <p>After an exciting week of meeting and working with the team around the RAID conference, time for another lua update.</p> <p>The keyword supports an interesting set of buffers now:</p> <blockquote> <p>packet payload</p> <p>http.uri http.uri.raw http.request_line http.request_headers http.request_headers.raw http.request_cookie http.request_user_agent http.request_body</p> <p>http.response_headers http.response_headers.raw http.response_body http.response_cookie</p></blockquote> <p>The http keywords are now integrated into their respective inspection engines. This led to one important limitation for now: you can only inspect one such buffer per script.</p> https://inliniac.net/blog/2012/09/08/first-impressions-of-luajit-performance-in-suricata/ Sat, 08 Sep 2012 09:05:09 +0000 https://inliniac.net/blog/2012/09/08/first-impressions-of-luajit-performance-in-suricata/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/lua.gif"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/lua.gif" alt=""></a> Today I decided to look into the potential performance of the luajit keyword a bit. It&rsquo;s important to know if this can perform at reasonable speeds so that we can actually use it in real deployments. Even if we can&rsquo;t the feature may still be appealing though, for offline pcap analysis.</p> <p>So far, the results are rather encouraging.</p> <p>First, I added 2 buffers today: http.uri, which contains the normalized uri (same buffer as the http_uri content modifier inspects) and http.request_line, which is the request line given to us by libhtp. This contains method, separators, uri, HTTP version.</p> https://inliniac.net/blog/2012/09/07/suricata-lua-continued/ Fri, 07 Sep 2012 13:22:33 +0000 https://inliniac.net/blog/2012/09/07/suricata-lua-continued/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/lua.gif"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/lua.gif" alt=""></a> Today I improved the <a href="https://inliniac.net/blog/2012/09/05/suricata-lua-jit-script-keyword/">lua jit support</a> in Suricata further. The scripts will now need to express their &ldquo;needs&rdquo; through an &ldquo;init&rdquo; function in the script that is called only at Suricata startup.</p> <p>The &ldquo;init&rdquo; function fills a lua table. This will allow the user to indicate what buffers the script needs to inspect. The script will then only be invoked when these buffers are actually available, so the script won&rsquo;t have to worry about whether or not some data is unavailable or not. Also, only these buffers are passed to the script, so safing the overhead of copying unnecessary buffers.</p> https://inliniac.net/blog/2012/09/06/first-beta-for-suricata-1-4/ Thu, 06 Sep 2012 15:41:05 +0000 https://inliniac.net/blog/2012/09/06/first-beta-for-suricata-1-4/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png" alt=""></a> The first test release for the new Suricata 1.4 branch as just been released. Some really exciting stuff was added. Let me highlight some of it:</p> <p><strong>AF_PACKET IPS mode:</strong> Eric Leblond has been working on extending the passive AF_PACKET support to support IPS as well. Eric has documented the new feature on his <a href="https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/">blog</a>.</p> <p><strong>TLS logging and certificate storage:</strong> created by contributor Jean-Paul Roliers under guidance of Eric Leblond. As a bonus, a rule keyword to match on certifcate fingerprints.</p> https://inliniac.net/blog/2012/09/05/suricata-development-training-update/ Wed, 05 Sep 2012 18:21:42 +0000 https://inliniac.net/blog/2012/09/05/suricata-development-training-update/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/raid2012small.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/raid2012small.png" alt=""></a> The Suricata development training at RAID 2012 next week is going to happen, so please all <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/162-rsvp-now">RSVP</a>. It&rsquo;s free!</p> <p>If you&rsquo;re planning to attend, please let me know what topics you are interested in. We have core devs in the room, so we can go hardcore on everything from the threading to packet capture to CUDA to pattern matching&hellip; also more straightforward stuff like extending Suricata with new keywords, log modules, etc.</p> https://inliniac.net/blog/2012/09/05/suricata-lua-jit-script-keyword/ Wed, 05 Sep 2012 16:01:10 +0000 https://inliniac.net/blog/2012/09/05/suricata-lua-jit-script-keyword/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/lua.gif"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/lua.gif" alt=""></a> So Will started bugging me (again) on doing scripting from Suricata and I gave in. Just committed extremely immature, incomplete, experimental luajit scripting support.</p> <p>What it does is that it adds a new keyword, &ldquo;luajit&rdquo;. There is one argument, a script name. That script is then loaded from your rules directory and ran against a packet. No flow, http or any of that right now, just packets.</p> <p>Example rule: <code>alert tcp any any -&gt; any any (msg:&quot;LUAJIT test&quot;; luajit:test.lua; sid:1;)</code></p> https://inliniac.net/blog/2012/08/21/suricata-1-3-1-is-out/ Tue, 21 Aug 2012 10:48:27 +0000 https://inliniac.net/blog/2012/08/21/suricata-1-3-1-is-out/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png" alt=""></a> Since this morning Suricata 1.3.1 is available. The main focus of this release was fixing a number of bugs. See the <a href="https://redmine.openinfosecfoundation.org/versions/32">list of closed bugs</a>, the <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/161-suricata-131-available">release notes</a> and the <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_13_to_Suricata_131">upgrade instructions</a>.</p> <p>As a bonus, I applied a set of patches by <a href="https://home.regit.org/">Eric Leblond</a>. Eric has been trying to push AF_PACKET to the limit and has achieved some spectacular results with it. Read all about his quest to get to 10Gbps here on <a href="https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/">Eric&rsquo;s blog</a>.</p> https://inliniac.net/blog/2012/07/13/suricata-development-training/ Thu, 12 Jul 2012 23:13:18 +0000 https://inliniac.net/blog/2012/07/13/suricata-development-training/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/raid2012small.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/raid2012small.png" alt=""></a> We&rsquo;re considering to offer a Suricata development training day around the next OISF brainstorm meeting. That would be in Amsterdam around the RAID conference, in early September.</p> <p>Topics we could cover:</p> <p>- code/development overview - create/extend detect module - create/extend output module - app layer module - proto detection - &hellip;</p> <p>The training would probably be free as it&rsquo;s an excercise for us as well, so we&rsquo;d just want honest feedback in return :)</p> https://inliniac.net/blog/2012/07/10/suricata-on-myricom-capture-cards/ Tue, 10 Jul 2012 15:22:02 +0000 https://inliniac.net/blog/2012/07/10/suricata-on-myricom-capture-cards/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/myricom-sync-adapter-1.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/myricom-sync-adapter-1.png?w=300" alt=""></a> Myricom and OISF just <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/158-myricom-joins-oisf">announced</a> that Myricom joined to OISF consortium to support the development of Suricata. The good folks at Myricom already sent me one of their cards earlier. In this post I&rsquo;ll describe how you can use these cards already, even though Suricata doesn&rsquo;t have native Myricom support yet. So in this guide I&rsquo;ll describe using the Myricom libpcap support.</p> <p><strong>Getting started</strong></p> <p>I&rsquo;m going to assume you installed the card properly, installed the Sniffer driver and made sure that all works. Make sure that in your <em>dmesg</em> you see that the card is in sniffer mode:</p> https://inliniac.net/blog/2012/07/09/suricata-http_user_agent-vs-http_header/ Mon, 09 Jul 2012 18:43:12 +0000 https://inliniac.net/blog/2012/07/09/suricata-http_user_agent-vs-http_header/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/ua-ws.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/ua-ws.png?w=300" alt=""></a> One of the new features in Suricata 1.3 is a new content modifier called <em>http_user_agent</em>. This allows rule writers to match on the User-Agent header in HTTP requests more efficiently. The new keyword is documented in the OISF <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords">wiki</a>. In this post, I&rsquo;ll show it&rsquo;s efficiency with two examples.</p> <p><strong>Example 1: rarely matching UA</strong></p> <p>Consider a signature where the match if on a part of the UA that is very rare, so not part of regular User Agents. In my example &ldquo;abc&rdquo;.</p> https://inliniac.net/blog/2012/07/06/suricata-1-3-released/ Fri, 06 Jul 2012 16:06:52 +0000 https://inliniac.net/blog/2012/07/06/suricata-1-3-released/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png" alt=""></a> Today, almost half a year after the last &ldquo;stable&rdquo; release, we released Suricata 1.3. I think this release is a big step forward with regard to maturity of Suricata. Performance and scalability have been much improved, just like accuracy and stability.</p> <p>The official announcement can be found on the <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/157-suricata-13-available">OISF site</a></p> <p>In the last 6 months a lot of code has been changed:</p> <blockquote> <p>384 files changed, 44332 insertions(+), 18478 deletions(-)</p> https://inliniac.net/blog/2012/06/09/suricata-md5-blacklisting/ Sat, 09 Jun 2012 08:52:22 +0000 https://inliniac.net/blog/2012/06/09/suricata-md5-blacklisting/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/06/md5.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/06/md5.png" alt=""></a> For a few months Suricata has been able to calculate the MD5 checksum of files it sees in HTTP streams. Regardless of extraction to disk, the MD5 could be calculated and logged. Martin Holste created a set of very cool scripts to use the logged MD5 to look it up at VirusTotal and some other similar services. This is done outside of Suricata. One thing I have been wanting to try is matching against these MD5&rsquo;s in Suricata itself.</p> https://inliniac.net/blog/2012/05/29/suricata-scaling-improvements/ Tue, 29 May 2012 15:52:52 +0000 https://inliniac.net/blog/2012/05/29/suricata-scaling-improvements/ <p>For the Suricata 1.3beta1 release, one of our goals was to improve the scalability of the engine when running on many cores. As the graph below shows, we made a good deal of progress.</p> <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/05/suri11vs13.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/05/suri11vs13.png" alt=""></a></p> <p>The blue line is an older 1.1 version, the yellow line is 1.3dev. It clearly shows that 1.1 peaked at 4 cores, then started to get serious contention issues. 1.3dev scales nicely beyond that, up to 24 cores in this test (four 6core AMD cpu&rsquo;s). Tilera recently demonstrated Suricata on their many core systems, running a single Suricata process per cpu. Their cpu&rsquo;s have 36 real cores.</p> https://inliniac.net/blog/2012/03/23/suricata-runmode-changes/ Fri, 23 Mar 2012 07:31:45 +0000 https://inliniac.net/blog/2012/03/23/suricata-runmode-changes/ <p>Yesterday I pushed a patch that changes the default runmode from &ldquo;auto&rdquo; to &ldquo;autofp&rdquo;. The autofp name stands for &ldquo;auto flow pinning&rdquo; and it automatically makes sure all packets belonging to a flow are processed by the same stream, detection and output thread. Until now, the assignment was done with a simple hash calculation. The problem with that is that it doesn&rsquo;t take into account how busy a thread may be.</p> https://inliniac.net/blog/2012/03/23/hello-planet/ Fri, 23 Mar 2012 07:27:44 +0000 https://inliniac.net/blog/2012/03/23/hello-planet/ <p>We recently set up a Planet for Suricata, see the official announcement <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/148-planet-suricata-launched">here</a>.</p> <p>All my posts tagged &ldquo;suricata&rdquo; will automatically appear on it. Excited about it!</p> <p><a href="https://planet.suricata-ids.org/">https://planet.suricata-ids.org/</a></p> https://inliniac.net/blog/2012/03/07/f-secure-av-updates-and-suricata-ips/ Wed, 07 Mar 2012 07:28:38 +0000 https://inliniac.net/blog/2012/03/07/f-secure-av-updates-and-suricata-ips/ <p>My ISP recently started providing 3 F-Secure AV copies to each of their customers. I installed it but noticed that updates timed out.</p> <p>It turned out that Suricata, which runs in IPS mode, blocked the update. There were 3 Emerging Threats rules that alerted:</p> <blockquote> <p>[1:2003614:4] ET VIRUS WinUpack Modified PE Header Inbound [1:2009557:2] ET TROJAN Yoda&rsquo;s Protector Packed Binary [1:2012086:2] ET SHELLCODE Possible Call with No Offset TCP Shellcode</p></blockquote> <p>It seems that F-Secure uses some form of packed binaries for their updates that is often used by malware.</p> https://inliniac.net/blog/2012/01/11/http-parsing-events-in-suricata/ Wed, 11 Jan 2012 19:09:17 +0000 https://inliniac.net/blog/2012/01/11/http-parsing-events-in-suricata/ <p>With the 1.2rc1 release you will notice no more HTTP errors on the screen. Or SMTP errors. This output has been disabled finally. This was a long time annoyance.</p> <p>As you may still be interested in the errors they are now available through the rule language. In rules/http-events.rules and rules/smtp-events.rules rules for all possible events/errors can be found.</p> <p>Example: <code>app-layer-event:http.missing_host_header;</code></p> <p>This will match on HTTP/1.1 requests without a Host header.</p> https://inliniac.net/blog/2011/12/07/suricata-1-1-1-released/ Wed, 07 Dec 2011 18:34:50 +0000 https://inliniac.net/blog/2011/12/07/suricata-1-1-1-released/ <p>A maintenance update for the Suricata 1.1 series was just released. It fixed an important issue. In some cases Suricata could crash on SMTP traffic.</p> <p>The full announcement for the 1.1.1 release is <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/140-suricata-111-available">here</a>.</p> <p>Naturally, the issue has also been fixed in the 1.2 development branch.</p> https://inliniac.net/blog/2011/11/29/file-extraction-in-suricata/ Tue, 29 Nov 2011 16:27:27 +0000 https://inliniac.net/blog/2011/11/29/file-extraction-in-suricata/ <p>Today I pushed out a new feature in Suricata I&rsquo;m very excited about. It has been long in the making and with over 6000 new lines of code it&rsquo;s a significant effort. It&rsquo;s available in the current git master. I&rsquo;d consider it alpha quality, so handle with care.</p> <p>So what is this all about? Simply put, we can now extract files from HTTP streams in Suricata. Both uploads and downloads. Fully controlled by the rule language. But thats not all. I&rsquo;ve added a touch of magic. By utilizing libmagic (this powers the &ldquo;file&rdquo; command), we know the file type of files as well. Lots of interesting stuff that can be done there.</p> https://inliniac.net/blog/2011/11/10/suricata-1-1-released-1-2-on-the-horizon/ Thu, 10 Nov 2011 16:51:52 +0000 https://inliniac.net/blog/2011/11/10/suricata-1-1-released-1-2-on-the-horizon/ <p>Today we released <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/139-suricata-11-available">Suricata 1.1</a>. This ends a rather long development cycle of more than a year. And it shows. Performance, accuracy and features were all greatly improved. I think it&rsquo;s the best Suricata so far. If you&rsquo;ve been looking at trying Suricata, now might be a good time to jump in.</p> <p>The long development cycles should be something of the past. At our last brainstorm session, at RAID 2011, we decided to change our release policy. The aim of this policy is to do time based releases, roughly a &ldquo;stable&rdquo; every 2 months and a beta every other month. This way we&rsquo;ll be making it much easier for users to stay current without have to run our &ldquo;git master&rdquo;.</p> https://inliniac.net/blog/2011/10/12/suricata-and-pcre-performance/ Wed, 12 Oct 2011 18:26:19 +0000 https://inliniac.net/blog/2011/10/12/suricata-and-pcre-performance/ <p><strong>Update:</strong> Will Metcalf <a href="https://twitter.com/#!/node5/status/124193666377064448">pointed out</a> I was missing the &ndash;enable-utf8 &ndash;enable-unicode-properties flags from PCRE, so added these &amp; updated the numbers. Thanks Will.</p> <p>In the Emerging Threats community the following if often heard: &ldquo;PCRE is evil&rdquo;. With this people refer to signatures that use &ldquo;pure&rdquo; PCRE matches, meaning without anchoring it to a content pattern match.</p> <p>A while ago Will Metcalf initiated work to get Suricata to support a new PCRE feature by Herczeg Zoltán: <a href="http://sljit.sourceforge.net/pcre.html">SLJIT</a>. Since then, support for this has found it&rsquo;s way into the official PCRE release, currently at version <a href="https://lists.exim.org/lurker/message/20111011.103546.de2e9e31.en.html">8.20-RC3</a>.</p> https://inliniac.net/blog/2011/09/24/raid-2011-thoughts/ Sat, 24 Sep 2011 16:09:24 +0000 https://inliniac.net/blog/2011/09/24/raid-2011-thoughts/ <p>The last few days I&rsquo;ve been at the Recent Advances in Intrusion Detection (RAID) conference in California. Overall it has been a very pleasant and interesting experience. The nice California weather was certainly helping a lot!</p> <p>I&rsquo;ve seen all talks and some were very interesting. However, being a Suricata IDS developer, I was not just interested in research for the hell of it, but I was actively scouting for ideas we could implement into Suricata. In this respect the conference was highly disappointing. Although with some of the talks I thought the idea was applicable in general security, like Erik Bosmans high speed memory tainting detection, I found nothing like that for NIDS.</p> https://inliniac.net/blog/2011/01/31/suricata-ips-improvements/ Mon, 31 Jan 2011 20:51:25 +0000 https://inliniac.net/blog/2011/01/31/suricata-ips-improvements/ <p>January has been a productive month for Suricata, especially for the IPS part of it. I&rsquo;ve quite some time on adding support to the stream engine to operate differently when running inline. This was needed as dropping attacks found in the reassembled stream or the application layer was not reliable. Up until now the stream engine would offer the reassembled stream to the detection engine as soon as it was ACK&rsquo;d. This meant that by definition the packets containing the data had already passed the IPS device. Simply switching to sending un-ACK&rsquo;d data to the detection engine would have it&rsquo;s own set of issues.</p> https://inliniac.net/blog/2010/12/31/one-year-of-public-suricata/ Fri, 31 Dec 2010 19:36:42 +0000 https://inliniac.net/blog/2010/12/31/one-year-of-public-suricata/ <p>Today exactly one year ago we released the first public version of Suricata, tagged 0.8.0. It was the first beta version. Six months later we released Suricata 1.0.0, the first stable release. Since then we&rsquo;ve been doing 3 more releases: 1.0.1, 1.0.2 and 1.1 beta 1.</p> <p>It has been an very exciting year, with a lot of press and community interest for our project. Also, a lot of work has been done in the past year. I already wrote that our performance has increased <a href="http://www.inliniac.net/blog/2010/12/18/suricata-development-update.html">a lot</a>.</p> https://inliniac.net/blog/2010/12/24/listening-on-multiple-interfaces-with-suricata/ Fri, 24 Dec 2010 13:13:24 +0000 https://inliniac.net/blog/2010/12/24/listening-on-multiple-interfaces-with-suricata/ <p>A question I see quite often is, can I listen on multiple interfaces with a single Suricata instance? Until now the answer always was &ldquo;no&rdquo;. I&rsquo;d suggest trying the &ldquo;any&rdquo;-pseudo interface (suricata -i any), with an bpf to limit the traffic or using multiple instances of Suricata. That last suggestion was especially painful, as one of the goals of Suricata is to allow a single process to process all packets using all available resources.</p> https://inliniac.net/blog/2010/12/21/suricata-1-1beta1-released/ Tue, 21 Dec 2010 17:56:32 +0000 https://inliniac.net/blog/2010/12/21/suricata-1-1beta1-released/ <p>Today we&rsquo;ve released Suricata 1.1 beta 1, the first beta of the upcoming Suricata 1.1 release. The official release announcement is <a href="http://openinfosecfoundation.org/index.php/component/content/article/1-latest-news/108-suricata-11-beta-1-released">here on the OISF website</a>.</p> <p>The main focus of the new release has been to improve performance and to add support to the features the new ET/ETpro ruleset needs. ET and ETpro have rulesets specially tuned and geared for Suricata. We&rsquo;re still missing some new rule keywords that are used by VRT, so in the 1.1 beta 2 release we&rsquo;ll address that.</p> https://inliniac.net/blog/2010/12/18/suricata-development-update/ Fri, 17 Dec 2010 22:39:48 +0000 https://inliniac.net/blog/2010/12/18/suricata-development-update/ <p>The last months we&rsquo;ve been working hard on improving Suricata. So hard actually, that we&rsquo;ve drifted a bit from our original goal of doing a 1.0.3 &ldquo;maintenance&rdquo; release. Instead, the new release will be 1.1beta1. The change to 1.1 is to indicate the large number of changes, the beta1 is to &hellip; indicate the large number of changes :)</p> <p>As you may know, Will Metcalf moved on to join Qualys. A significant loss to our project as Will was one of our founding members and is hard to replace in his role as QA lead. Not having a full time QA person on the team right now is a reason for us to decide we&rsquo;re in need of a beta cycle for the next release.</p> https://inliniac.net/blog/2010/10/21/speeding-up-suricata-with-tcmalloc/ Thu, 21 Oct 2010 12:10:33 +0000 https://inliniac.net/blog/2010/10/21/speeding-up-suricata-with-tcmalloc/ <p>&rsquo;tcmalloc&rsquo; is a library Google created as part of the <a href="http://code.google.com/p/google-perftools/">google-perftools suite</a> for speeding up memory handling in a threaded program. It&rsquo;s very simple to use and does work fine with Suricata. Don&rsquo;t expect magic from it, but it should give you a few percent more speed.</p> <p>On Ubuntu, install the libtcmalloc-minimal0 package:</p> <blockquote> <p>apt-get install libtcmalloc-minimal0</p></blockquote> <p>Then run Suricata as follows (on a single line):</p> <blockquote> <p>LD_PRELOAD=&quot;/usr/lib/libtcmalloc_minimal.so.0&quot; ./src/suricata -c suricata.yaml -i eth0</p> https://inliniac.net/blog/2010/09/02/suricata-1-0-2-released/ Thu, 02 Sep 2010 17:36:38 +0000 https://inliniac.net/blog/2010/09/02/suricata-1-0-2-released/ <p>After some well deserved vacation I&rsquo;m getting back up to speed in Suricata development. Luckily most of our dev team continued to work in my absence, making today&rsquo;s 1.0.2 release possible.</p> <p>The main focus of this release was fixing the TCP stream engine. <a href="http://twitter.com/judy_novak">Judy Novak</a> found a number of ways to evade detection. See her <a href="http://www.packetstan.com/2010/09/suricata-tcp-evasions.html">blog post</a> describing the issues.</p> <p>The biggest other change is the addition of a new application layer module. The SSH parser parses SSH sessions and stops detection/inspection of the stream after the encrypted part of the session has started. So this is mainly a module focused on reducing the number of packets that need inspection, just like the SSL and TLS modules.</p> https://inliniac.net/blog/2010/07/29/suricata-1-0-1-released/ Thu, 29 Jul 2010 19:38:06 +0000 https://inliniac.net/blog/2010/07/29/suricata-1-0-1-released/ <p>After a 1.0 release that certainly didn&rsquo;t go unnoticed, it&rsquo;s now time for the first maintenance release. The main focus of this release was improving detection accuracy. A large number of false positives and false negatives were fixed. Read the full announcement <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/102-suricata-101-released">here</a>, the list of fixed issues <a href="https://redmine.openinfosecfoundation.org/versions/show/10">here</a>.</p> <p>There are still a number of open issues with regard to accuracy. Those will be addressed in 1.0.2, scheduled for late August, early September. We&rsquo;re working on improving CUDA, stream engine improvements and inline mode as well. Keep an eye on <a href="https://redmine.openinfosecfoundation.org/versions/show/12">redmine</a> for the open and fixed issues.</p> https://inliniac.net/blog/2010/07/22/on-suricata-performance/ Thu, 22 Jul 2010 08:26:54 +0000 https://inliniac.net/blog/2010/07/22/on-suricata-performance/ <p>Lots of fuzz in the media about Suricata&rsquo;s performance versus Snort yesterday. Some claiming Suricata is much faster, others claiming Snort is much faster.</p> <p>At this point I really don&rsquo;t care much. What the Suricata development by the OISF has shown in my opinion is that we&rsquo;ve managed to create a very promising new Open Source project out here. In little over a year, funded for about $600k by the US government and with heavy (and growing) industry support, we&rsquo;ve produced a new IDS/IPS engine mostly compatible with Snort but build on a all new code base an incorporating some very interesting fresh ideas. We&rsquo;re already seeing a community form around our project with a lot of support from that new community.</p> https://inliniac.net/blog/2010/07/01/suricata-1-0-0-released/ Thu, 01 Jul 2010 16:21:11 +0000 https://inliniac.net/blog/2010/07/01/suricata-1-0-0-released/ <p>After many months of hard work by the development team of the OISF, we have just released the first stable release of Suricata: <a href="http://openinfosecfoundation.org/index.php/component/content/article/1-latest-news/98-suricata-100-released">1.0.0</a>. I&rsquo;m really proud we pulled it off to create this stable release and to do it on time.</p> <p>I think it&rsquo;s a good release too. Is it perfect? No, we have a list <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues">known issues</a> that we will continue to work on. So expect a <a href="http://redmine.openinfosecfoundation.org/versions/show/10">1.0.1</a> and maybe more maintenance releases in the following weeks.</p> https://inliniac.net/blog/2010/06/30/ohloh/ Wed, 30 Jun 2010 08:47:54 +0000 https://inliniac.net/blog/2010/06/30/ohloh/ <p><a href="https://www.ohloh.net/">Ohloh</a> is a pretty cool site for keeping track of projects and programmers. It&rsquo;s an easy way to keep track of the development in a project and gives a nice indication of how actively it&rsquo;s being developed. It has some social networkish features too, such as individual developers giving each other &ldquo;kudos&rdquo;.</p> <p>The code analysis is pretty nice: it gives statistics on code base size, growth, comment ratio, languages used, etc. Per developer it tracks quite a few stats as well.</p> https://inliniac.net/blog/2010/05/10/setting-up-suricata-0-9-0-for-initial-use-on-ubuntu-lucid-10-04/ Mon, 10 May 2010 14:27:25 +0000 https://inliniac.net/blog/2010/05/10/setting-up-suricata-0-9-0-for-initial-use-on-ubuntu-lucid-10-04/ <p>The last few days I blogged about compiling Suricata in <a href="http://www.inliniac.net/blog/2010/05/07/compiling-suricata-0-9-0-in-ubuntu-lucid-10-04-in-ids-mode.html">IDS</a> and <a href="http://www.inliniac.net/blog/2010/05/07/compiling-suricata-0-9-0-in-ubuntu-lucid-10-04-in-ips-inline-mode.html">IPS</a> mode. Today I&rsquo;ll write about how to set it up for first use.</p> <p>Starting with Suricata 0.9.0 the engine can run as an unprivileged user. For this create a new user called &ldquo;suricata&rdquo;.</p> <blockquote> <p>useradd &ndash;no-create-home &ndash;shell /bin/false &ndash;user-group &ndash;comment &ldquo;Suricata IDP account&rdquo; suricata</p></blockquote> <p>This command will create a user and group called &ldquo;suricata&rdquo;. It will be unable to login as the shell is set to /bin/false.</p> https://inliniac.net/blog/2010/05/07/compiling-suricata-0-9-0-in-ubuntu-lucid-10-04-in-ips-inline-mode/ Fri, 07 May 2010 08:30:30 +0000 https://inliniac.net/blog/2010/05/07/compiling-suricata-0-9-0-in-ubuntu-lucid-10-04-in-ips-inline-mode/ <p><strong>Note:</strong> the difference with the <a href="http://www.inliniac.net/blog/2010/05/01/compiling-suricata-0-8-2-in-ubuntu-lucid-10-04-in-ips-inline-mode.html">0.8.2 post</a> is that addition of libcap-ng-dev. This allows Suricata to run as an unprivileged user.</p> <p>Here is how to compile Suricata 0.9.0 in <em>inline mode</em> on Ubuntu Lucid 10.04.</p> <p>First, make sure you have the &ldquo;universe&rdquo; repository enabled. Go to the System menu, Administration, Software Sources. There enable &ldquo;Community-maintained Open Source Software (universe)&rdquo;. If you&rsquo;re not running a gui, edit /etc/apt/sources.list and enable the universe repository there. Don&rsquo;t forget doing an &ldquo;apt-get update&rdquo;.</p> https://inliniac.net/blog/2010/05/07/suricata-0-9-0-released/ Fri, 07 May 2010 08:08:45 +0000 https://inliniac.net/blog/2010/05/07/suricata-0-9-0-released/ <p>Yesterday we released we first release candidate for our upcoming 1.0 release of Suricata. See the announcement on the OISF site <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/93-suricata-rc1-released">here</a>.</p> <p>Most notable changes are the following new features:</p> <p>- Support for the http_headers keyword was added</p> <p>- libhtp was updated to version 0.2.3</p> <p>- Privilege dropping using libcap-ng is now supported</p> <p>- Proper support for &ldquo;pass&rdquo; rules was added</p> <p>- Inline mode for Windows was added</p> <p>Go get the release here: <a href="http://www.openinfosecfoundation.org/download/suricata-0.9.0.tar.gz">http://www.openinfosecfoundation.org/download/suricata-0.9.0.tar.gz</a></p> https://inliniac.net/blog/2010/05/01/compiling-suricata-0-8-2-in-ubuntu-lucid-10-04-in-ips-inline-mode/ Sat, 01 May 2010 19:45:12 +0000 https://inliniac.net/blog/2010/05/01/compiling-suricata-0-8-2-in-ubuntu-lucid-10-04-in-ips-inline-mode/ <p>Yesterday I <a href="http://www.inliniac.net/blog/2010/04/30/compiling-suricata-0-8-2-in-ubuntu-lucid-10-04-in-ids-mode.html">wrote</a> about how to compile and install Suricata 0.8.2 as an IDS on Ubuntu Lucid 10.04, today I&rsquo;ll explain the steps to compile and install it as an IPS. In IPS mode the engine runs in <em>inline</em> mode. This means that it gets it&rsquo;s packets from <a href="http://www.netfilter.org/">netfilter</a> and sets a verdict on them after inspecting them. This way we can drop packets that trigger the rules.</p> <p>First, make sure you have the &ldquo;universe&rdquo; repository enabled. Go to the System menu, Administration, Software Sources. There enable &ldquo;Community-maintained Open Source Software (universe)&rdquo;. If you&rsquo;re not running a gui, edit /etc/apt/sources.list and enable the universe repository there. Don&rsquo;t forget doing an &ldquo;apt-get update&rdquo;.</p> https://inliniac.net/blog/2010/04/19/suricata-0-8-2-released/ Mon, 19 Apr 2010 20:38:28 +0000 https://inliniac.net/blog/2010/04/19/suricata-0-8-2-released/ <p>Today the OISF development team released 0.8.2 of the Suricata IDS/IPS engine. I feel this is definitely the best release so far. Read the announcement <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/92-suricata-0-8-2-released">here</a>. In short, stability was improved, memory footprint reduced, performance improved and new features were added.</p> <p>One of the tools we used to help improve the engine is a fuzzer created by Will Metcalf, our QA lead. In short, the script takes a pcap file, runs it through editcap (part of wireshark) altering a number of random bytes, then feeds the altered pcap file to Suricata. This resulted in many interesting corner cases. Naturally the script makes sure you don&rsquo;t forget to enable &ldquo;ulimit -c unlimited&rdquo; and such :) More on that script can be found on Will&rsquo;s blog <a href="http://node5.blogspot.com/2010/04/help-us-make-our-meerkat-fuzzier.html">node5</a>.</p> https://inliniac.net/blog/2010/02/20/suricata-has-experimental-cuda-support/ Sat, 20 Feb 2010 16:49:55 +0000 https://inliniac.net/blog/2010/02/20/suricata-has-experimental-cuda-support/ <p>One area of interest in the development of Suricata is hardware acceleration. Using the GPU is particularly interesting, as they are cheap and widely available. We&rsquo;ve been looking at using the GPU to speed up pattern matching as a first step. Since OpenCL promises to be a cross platform multi vendor API for doing this we first looked at OpenCL. But we were never able to get something stable out of it, not on the NVIDIA drivers in Linux anyway. As that didn&rsquo;t go anywhere we decided to use CUDA for the time being. CUDA obviously is NVIDIA only. Once we have CUDA fully running we may revisit OpenCL or look at other implementations like AMD/ATI&rsquo;s stream API.</p> https://inliniac.net/blog/2010/02/20/suricata-0-8-1-released/ Sat, 20 Feb 2010 16:14:41 +0000 https://inliniac.net/blog/2010/02/20/suricata-0-8-1-released/ <p>Yesterday the OISF development team released <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/86-suricata-081-released">Suricata 0.8.1</a>. This release is much improved from our December 31st release. It is way more stable, performs better and has more features. Thanks to the now included HTP library we have much better HTTP handling. The stream engine has seen massive improvements. Initial experimental CUDA code has been added. Initial Win32 support has been added. We&rsquo;ve added number of missing rule keywords. Many <a href="https://redmine.openinfosecfoundation.org/projects/suricata/issues?fixed_version_id=3&amp;set_filter=1&amp;status_id=c">bugs</a> were fixed.</p> https://inliniac.net/blog/2010/01/04/suricata-debugging/ Mon, 04 Jan 2010 14:51:54 +0000 https://inliniac.net/blog/2010/01/04/suricata-debugging/ <p>If you&rsquo;re running into issues with Suricata, it may be worth spending some time looking at the debugging options.</p> <p>To enable the debugging code, pass &ldquo;&ndash;enable-debug&rdquo; to configure.</p> <blockquote> <p>./configure &ndash;enable-debug</p></blockquote> <p>And make &amp; make install again. Make sure that during compilation you see -DDEBUG in the gcc commands.</p> <p>Then to really enable it at runtime, pass the SC_LOG_LEVEL</p> <blockquote> <p>SC_LOG_LEVEL=Debug</p></blockquote> <p>Depending on how you run the engine, this will output massive amounts of debugging info. Thats why we added a pcre regex filter option.</p> https://inliniac.net/blog/2009/12/31/suricata-released/ Thu, 31 Dec 2009 21:12:18 +0000 https://inliniac.net/blog/2009/12/31/suricata-released/ <p>Today we&rsquo;ve finally released the first public version of Suricata, the Open Source IDS/IPS developed by the Open Information Security Foundation. With a team of great people we&rsquo;ve been working really hard to get this ready. Please see the full announcement <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/82-suricata-beta-available">here</a>.</p> <p>As it&rsquo;s lead developer I&rsquo;m very much interested in getting feedback, bug reports and such. We run our ticket system in a redmine install at <a href="https://redmine.openinfosecfoundation.org/">https://redmine.openinfosecfoundation.org/</a> If you have any feedback, please register an account and let us know what you think.</p> https://inliniac.net/blog/2009/12/30/first-suricata-release-tomorrow/ Wed, 30 Dec 2009 20:25:30 +0000 https://inliniac.net/blog/2009/12/30/first-suricata-release-tomorrow/ <p>Things here at OISF are crazy busy since we&rsquo;re wrapping up our first version of the engine. Tomorrow there will be a first <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/80-first-release-of-suricata-available-tomorrow">release</a>! Stay tuned!</p> https://inliniac.net/blog/2009/10/31/oisf-engine-on-arm/ Sat, 31 Oct 2009 21:40:22 +0000 https://inliniac.net/blog/2009/10/31/oisf-engine-on-arm/ <p>Today I installed a Qemu virtual machine with the ARM architecture. I think ARM is becoming an interesting architecture as smartphones and many home routers use it. I was interested in seeing if our OISF engine would compile and run properly on it. So far it seems really well. Compilation was without issue, all our current 800+ unittests ran successfully and it seems to run just fine so far. Too bad the virtual machine is so slow though&hellip;</p> https://inliniac.net/blog/2009/09/30/oisf-engine-development-update2/ Wed, 30 Sep 2009 18:30:37 +0000 https://inliniac.net/blog/2009/09/30/oisf-engine-development-update2/ <p>Another quick update on the development of the OISF engine. Overall development is going great. Basics like signature keywords, stream reassembly, ip defragmentation are nearing completion. Unified1 + barnyard was already working for quite some time, but now we also have unified2 compatible output. I&rsquo;ve tested this to work with barnyard2 and Sguil which works nicely.</p> <p>We have the first versions of our new YAML based configuration format checked in, a brand new logging API, midstream pickup support in our Stream engine, native PFRING support and many other additions.</p> https://inliniac.net/blog/2009/08/16/oisf-engine-development-update/ Sun, 16 Aug 2009 14:17:32 +0000 https://inliniac.net/blog/2009/08/16/oisf-engine-development-update/ <p>The last month has been crazy busy. Development of the engine is progressing nicely. My own role has been assigning tasks to our coders, guiding them, reviewing their work, integrating it and of course write code. We currently have nine people coding, not all full time though, and are still looking for more coders.</p> <p>Progress has been made on a number of things: we have many more decoders, threading updates, a stats subsystem, stream tracking and reassembly, a L7 protocol parser framework and many more unittests. We&rsquo;re working on OpenCL hardware accelaration, although we&rsquo;re running into driver issues, so that may take some time before it&rsquo;s usable.</p> https://inliniac.net/blog/2009/07/21/dc-meeting/ Tue, 21 Jul 2009 16:33:27 +0000 https://inliniac.net/blog/2009/07/21/dc-meeting/ <p>So I just got back from Washington D.C. where we had our first public meeting for the <a href="http://www.openinfosecfoundation.org/">OISF</a>. I think it went very well as there were more people than expected. The attendees came from all parts from the industry &amp; government. Overall reception was very positive and we&rsquo;ve gotten many offers for help in development &amp; testing.</p> <p>Around the public meetings we had private meetings with a number of companies and I&rsquo;m very happy that three of them commited to the project already:</p> https://inliniac.net/blog/2009/06/30/oisf-meeting-in-dc-next-july/ Tue, 30 Jun 2009 08:26:56 +0000 https://inliniac.net/blog/2009/06/30/oisf-meeting-in-dc-next-july/ <p>We&rsquo;re doing a public OISF meeting in DC next July. Everyone thats interested, please show up! Here is the original announcement:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>We&#39;ll be having a public forum and brainstorming session in Washington </span></span><span style="display:flex;"><span>DC on July 16th, 2009! This session will be a mix of technical and </span></span><span style="display:flex;"><span>political issues. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>We encourage our current and potential consortium members, potential </span></span><span style="display:flex;"><span>users and resellers, as well as future end users to attend. We very much </span></span><span style="display:flex;"><span>want to hear from all in a discussion format what is most important to </span></span><span style="display:flex;"><span>you, and what you need to have in the next iteration of IDS. The </span></span><span style="display:flex;"><span>discussion on the lists has been great, but most often even better </span></span><span style="display:flex;"><span>things come to life when a lot of smart folks are in the same room at </span></span><span style="display:flex;"><span>the same time, as we&#39;ve seen at our prior brainstorming sessions. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>We&#39;ll be getting quite technical, but we&#39;ll also answer any and every </span></span><span style="display:flex;"><span>question about the politics, goals, and funding sources of the </span></span><span style="display:flex;"><span>foundation. We know this is a very strange situation we have, being </span></span><span style="display:flex;"><span>funded by DHS to create open source security software. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>So please plan to attend, July 16th in Washington DC, at the SRI </span></span><span style="display:flex;"><span>Building in Rosslyn: </span></span><span style="display:flex;"><span>http://www.sri.com/contact/wdc.html </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>If you plan to or are rather sure you&#39;ll be there please drop an email </span></span><span style="display:flex;"><span>to Matt Jonkman, we need an approximate headcount for the </span></span><span style="display:flex;"><span>catering, provided courtesy of SRI. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>If you can&#39;t make this one don&#39;t worry, we are planning similar meetings </span></span><span style="display:flex;"><span>through the development cycle on the west coast and in Europe. We want </span></span><span style="display:flex;"><span>to hear every idea we can get! </span></span></code></pre></div><p>I&rsquo;ll be there personally, as will (most of) the rest of the team be. Look forward to meeting everyone there!</p> https://inliniac.net/blog/2009/05/28/chicago/ Thu, 28 May 2009 14:12:12 +0000 https://inliniac.net/blog/2009/05/28/chicago/ <p>Next week I&rsquo;ll be in Chicago, IL for a OISF team meeting. We&rsquo;ll be discussing features, work flow, job applications, contractors, etc. I&rsquo;ll probably update my blog from there on the progress. If you&rsquo;re interested in OISF and/or you&rsquo;re around there, please let me know. Maybe we can try to meet up!</p> https://inliniac.net/blog/2009/05/13/oisf-bylaws-draft-up-for-comments/ Wed, 13 May 2009 06:34:44 +0000 https://inliniac.net/blog/2009/05/13/oisf-bylaws-draft-up-for-comments/ <p>The OISF is a non profit foundation and we&rsquo;ve created a bylaws document to govern it that is now up for comments. See the announcement <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/60-consortium-bylaws-draft-available">here</a>. It&rsquo;s a draft so if you have comments about it, please speak up soon so we can see if it needs to be adjusted!</p> <p>One thing that excites me a lot is that it also specifies the OSS license we&rsquo;re going to use: the GPLv3.</p> https://inliniac.net/blog/2009/05/13/oisf-is-hiring/ Wed, 13 May 2009 06:31:29 +0000 https://inliniac.net/blog/2009/05/13/oisf-is-hiring/ <p>Funny how things go: not long ago I posted here that I was looking for (contract) work, today I&rsquo;m posting that we&rsquo;re looking for people to work for us at the OISF project :)</p> <p>Anyway, have a look at Matt Jonkman&rsquo;s announcement <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/59-now-hiring?e6504ae48c99f09df7f58996aacbb6b0=ee6387607d6524415ebf94a941ed5ddb">here</a>.</p> <p>If you&rsquo;re interested or know someone that is, please contact us!</p> https://inliniac.net/blog/2009/03/31/oisf-engine-prototype-streams-handling/ Tue, 31 Mar 2009 15:36:27 +0000 https://inliniac.net/blog/2009/03/31/oisf-engine-prototype-streams-handling/ <p>I&rsquo;ve been thinking about how to deal with streams in the OISF engine. We need to do stream reassembly to be able to handle spliced sessions, otherwise it would be very easy to evade detection. Snort traditionally used an approach of inspecting the packets individually and reassembling (part of) the stream in a pseudo packet, that was inspected mostly like a normal packet. Recent Snort versions, especially when Stream5 was introduced, have a so called stream api. This enables detection modules to control the reassembly better.</p> https://inliniac.net/blog/2009/02/28/oisf-engine-prototype-threading/ Sat, 28 Feb 2009 20:38:28 +0000 https://inliniac.net/blog/2009/02/28/oisf-engine-prototype-threading/ <p>In Januari I first wrote about my prototype code for the OISF engine. The first thing I started with when creating the code was the threading. The current code can run as a single thread or with many threads. In my normal testing I run with about 11 threads, 10 of which handle packets, 1 is a management thread.</p> <p>The basic principle in the threading is that a packet is always handled by one thread at a time only. The reason for this is that it saves a lot of locking issues. If there is more than one thread, the engine can handle multiple packete simultaniously.</p> https://inliniac.net/blog/2009/01/07/oisf-ids-ips-engine-prototype-intro/ Wed, 07 Jan 2009 11:24:07 +0000 https://inliniac.net/blog/2009/01/07/oisf-ids-ips-engine-prototype-intro/ <p>For over a year I&rsquo;ve been working on a prototype implementation of a new IDS/IPS engine for the <a href="http://www.openinfosecfoundation.org/">Open Infosec Foundation</a>. This is not necessarily going to be the engine we&rsquo;ll be using in OISF, although it&rsquo;s likely that at least some of the code will be used. Discussions about features for the engine are still ongoing ( <a href="http://doc.emergingthreats.net/bin/view/Main/EngineFeatures">wiki</a>, <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion">list</a>), once that settles down we&rsquo;ll see whats usable and whats not. In the worst case I still think many parts like hashing functions, pattern matcher implementations, protocol decoders, etc can be used.</p> https://inliniac.net/blog/2009/01/05/available-for-contract-work/ Mon, 05 Jan 2009 13:26:06 +0000 https://inliniac.net/blog/2009/01/05/available-for-contract-work/ <p>This year there will be a lot of work that needs to be done for the <a href="http://www.openinfosecfoundation.org/">Open Infosec Foundation</a>. And like I wrote a few days ago, a lot of work is already being done. However, most of it is unpaid at this time as it will be some months before our funding comes in. So at least until then I&rsquo;m available and looking for contract work.</p> <p>For the last two years I&rsquo;ve been doing work as a contractor in the (open source) security field. My experience is mostly in coding in C and Perl, primarily on <a href="http://www.snort.org/">Snort</a> and <a href="http://snort-inline.sf.net/">Snort_inline</a>. Recently I created the (Perl language) <a href="http://doc.emergingthreats.net/bin/view/Main/SidReporter">SidReporter</a> program for <a href="http://www.emergingthreats.net/">Emerging Threats</a>. Areas I worked in: IPv6 IDS/IPS coding, signature writing, Web Application Firewalls, threading, bandwidth accounting, and more&hellip;</p> https://inliniac.net/blog/2008/12/29/looking-forward-to-2009-open-infosec-foundation/ Mon, 29 Dec 2008 12:15:20 +0000 https://inliniac.net/blog/2008/12/29/looking-forward-to-2009-open-infosec-foundation/ <p>The year 2008 was an exciting year to me. The biggest thing going on the infosec side was the formation of the Open Infosec Foundation. We&rsquo;ve been working on it behind the scenes for more than a year now, and it&rsquo;s cool that we&rsquo;ve finally announced our plans. Of course, the work is just getting started. Next year, we expect to finalize our foundation setup. We&rsquo;re working with the Software Freedom Law Center for setting up the foundation charter and consortium rules. While the US government is funding us initially, we hope the consortium will guarantee our long term funding. We are talking to some interesting companies already, both big and small.</p> https://inliniac.net/blog/2008/11/30/deepsec/ Sun, 30 Nov 2008 09:57:42 +0000 https://inliniac.net/blog/2008/11/30/deepsec/ <p>Last month I attended the DeepSec conference in Vienna. I enjoyed it a great deal. It was good to be back in Vienna. Had a few good meetings with my friend Adi with who I work on the Vuurmuur project.</p> <p>I assisted Matt Jonkman in his Snort Signature writing class. We had a nice group of people and using the Emerging Threats SandNet we could deal with pretty interesting samples to write signatures for. Even though my expertise is more on the code level of Snort I felt I could still contribute something to the sessions.</p> https://inliniac.net/blog/2008/10/23/first-oisf-brainstorming-session-on-deepsec/ Thu, 23 Oct 2008 09:02:21 +0000 https://inliniac.net/blog/2008/10/23/first-oisf-brainstorming-session-on-deepsec/ <p>Next November I will be attending <a href="http://deepsec.net">Deepsec</a> in Vienna. Matt Jonkman is giving a workshop there and I will be helping/assisting him with it, it&rsquo;s called &lsquo;Protocol Analysis for Writing Snort Signatures&rsquo;. If you&rsquo;re interested, sign up for it! While we are there we will also host the first brainstorming session for <a href="http://www.openinfosecfoundation.org/">OISF</a>. The idea is to get together with everyone thats interested and talk about how our next generation IDS/IPS should look like. But it&rsquo;s not just about the technology, we also seek input about how to organize the project, about licensing, etc. So if you&rsquo;re at Deepsec and got some time to spare, be sure to join us in the brainstorming session!</p> https://inliniac.net/blog/2008/10/18/open-infosec-foundation-founded/ Fri, 17 Oct 2008 22:07:59 +0000 https://inliniac.net/blog/2008/10/18/open-infosec-foundation-founded/ <p>Last week Matt Jonkman announced the formation of the <a href="http://www.openinfosecfoundation.org/">Open Infosec Foundation</a>. This foundation has been grant funded to create a new open source IDS/IPS engine. Together with Will Metcalf and of course Matt himself, I will be working on this. We want this to be a real community effort where there is a role for everyone in the infosec community. Developers, admins, vendors, goverments, research, education, everyone. There is a lot of work ahead, but that should be great fun and very inspiring. So far things are interesting already. The <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion">discussion mailinglist</a> is growing rapidly with many ppl from the community and industry. A #oisf IRC channel was created today on freenode. Join us there to participate in discussion about this project!</p>