Interview about Suricata on security.nl

The Dutch security site security.nl has interviewed me about the Suricata IDS project. The two-part (Dutch language) article can be found here and part two here. Thanks to Joran Polak of security.nl for giving me the opportunity to tell something about this project!

October 29, 2012 · 1 min · inliniac

Setting up an IPS with Fedora 17, Suricata and Vuurmuur

I recently found out that Fedora includes Vuurmuur in its repositories. Since Suricata is also included, I figured I would do a quick write-up on how to set up a Fedora IPS. While writing it turned more into a real “howto”, so I decided to submit it to Howtoforge. It can be found here on HowtoForge. Vuurmuur on Fedora is at the 0.7 version, which is still the current stable. It’s rather old though, and it reminds me again that I need to make sure the 0.8 branch gets to a stable release soon. The Suricata included in Fedora 17 is 1.2.1, with 1.3.2 expected to land any day now. ...

October 13, 2012 · 1 min · inliniac

Suricata 1.4 development update

Today, a day after 1.3.2, we’ve released 1.4beta2. While 1.3.2 is an important update for those running 1.3.1 or lower, today’s release is where things get exciting. A lot of things were improved and added. Let me show some numbers first. The 1.4beta2 release is a pretty big update over 1.4beta1, as it touches over 5k lines of code:

234 files changed, 5033 insertions(+), 3759 deletions(-)

Comparing 1.4beta2 with yesterday’s 1.3.2, it’s clear that over 11k lines of code are touched: ...

October 4, 2012 · 3 min · inliniac

Suricata 1.3.2 is out

Today we released Suricata 1.3.2. Not a big update, but there are some important fixes in the stream engine, fast_pattern:chop handling, HTTP multipart parsing and the flow keyword with “nostream”. As the diffstat output shows, it’s a rather light maintenance update over 1.3.1:

[sourcecode]
 ChangeLog                              |  12 ++
 libhtp/configure.ac                    |   2 +-
 libhtp/htp.pc.in                       |   2 +-
 libhtp/htp/htp.h                       |   2 +-
 src/app-layer-htp-file.c               | 145 ++++++++++++++++++++++++
 src/app-layer-htp.c                    | 192 ++++++++++++++++++++++++++------
 src/decode.c                           |   3 +
 src/decode.h                           |   1 +
 src/defrag.c                           |   4 +-
 src/detect-engine-content-inspection.c |   9 --
 src/detect-flow.c                      |  68 ++++++++++-
 src/source-af-packet.c                 |   9 ++
 src/source-ipfw.c                      |  13 ++-
 src/source-pfring.c                    |  28 ++---
 src/stream-tcp-reassemble.c            |   1 +
 src/util-cpu.c                         |  10 +-
 16 files changed, 435 insertions(+), 66 deletions(-)
[/sourcecode]

...

October 3, 2012 · 1 min · inliniac

Suricata luajit update

After an exciting week of meeting and working with the team around the RAID conference, time for another lua update. The keyword supports an interesting set of buffers now: packet, payload, http.uri, http.uri.raw, http.request_line, http.request_headers, http.request_headers.raw, http.request_cookie, http.request_user_agent, http.request_body, http.response_headers, http.response_headers.raw, http.response_body and http.response_cookie. The http buffers are now integrated into their respective inspection engines. This leads to one important limitation for now: a script can only inspect one such buffer. ...

September 21, 2012 · 1 min · inliniac

First impressions of lua(jit) performance in Suricata

Today I decided to look into the potential performance of the luajit keyword a bit. It’s important to know whether this can perform at reasonable speeds, so that we can actually use it in real deployments. Even if it can’t, the feature may still be appealing for offline pcap analysis. So far, the results are rather encouraging. First, I added two buffers today: http.uri, which contains the normalized URI (the same buffer the http_uri content modifier inspects), and http.request_line, which is the request line as given to us by libhtp. This contains the method, separators, URI and HTTP version. ...

September 8, 2012 · 2 min · inliniac

Suricata lua continued

Today I improved the luajit support in Suricata further. Scripts now need to express their “needs” through an “init” function in the script, which is called only at Suricata startup. The “init” function fills a lua table. This allows the user to indicate which buffers the script needs to inspect. The script is then only invoked when these buffers are actually available, so the script does not have to worry about whether some data is unavailable. Also, only these buffers are passed to the script, saving the overhead of copying unnecessary buffers. ...

September 7, 2012 · 2 min · inliniac

First beta for Suricata 1.4

The first test release for the new Suricata 1.4 branch has just been released. Some really exciting stuff was added. Let me highlight some of it: AF_PACKET IPS mode: Eric Leblond has been working on extending the passive AF_PACKET support to support IPS as well. Eric has documented the new feature on his blog. TLS logging and certificate storage: created by contributor Jean-Paul Roliers under guidance of Eric Leblond. As a bonus, a rule keyword to match on certificate fingerprints. ...

September 6, 2012 · 2 min · inliniac

Suricata development training update

The Suricata development training at RAID 2012 next week is going to happen, so please RSVP. It’s free! If you’re planning to attend, please let me know what topics you are interested in. We have core devs in the room, so we can go hardcore on everything from the threading to packet capture to CUDA to pattern matching, as well as more straightforward stuff like extending Suricata with new keywords, log modules, etc. ...

September 5, 2012 · 1 min · inliniac

Suricata lua (jit) script keyword

So Will started bugging me (again) on doing scripting from Suricata and I gave in. Just committed extremely immature, incomplete, experimental luajit scripting support. What it does is add a new keyword, “luajit”. There is one argument, a script name. That script is then loaded from your rules directory and run against a packet. No flow, http or any of that right now, just packets. Example rule:

alert tcp any any -> any any (msg:"LUAJIT test"; luajit:test.lua; sid:1;)

...

September 5, 2012 · 2 min · inliniac
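As an added example (not code from these posts or from the Suricata project), here is what a script written against the model the lua posts above describe looks like: an “init” function that declares the single buffer the script needs (the one-buffer-per-script limitation from the luajit update), and a “match” function that is only invoked once that buffer is available and receives only that buffer. It inspects the normalized http.uri buffer for a .php path whose query string carries a cmd= parameter. The function names init/match, the needs-table convention (needs["http.uri"] = tostring(true)) and the 1/0 return value follow the Suricata lua scripting documentation as it was later written up; the exact names used by the experimental September 2012 code may have differed. The selftest function, the `arg` guard and the URIs it uses are my own constructed additions so the script can be exercised with a stand-alone lua interpreter.

```lua
-- cmd_php.lua: added example script for the Suricata "luajit" keyword (not
-- from the original posts or the Suricata project). Rule that would load it
-- from the rules directory, in the form shown on this page:
--   alert tcp any any -> any any (msg:"LUAJIT cmd= on php"; luajit:cmd_php.lua; sid:1;)

-- Called once at Suricata startup. The returned table names the buffers the
-- script needs; match() is only invoked when they are available and only
-- those buffers are passed in. Only one http buffer is requested, matching
-- the "one such buffer per script" limitation described in the posts.
function init(args)
    local needs = {}
    needs["http.uri"] = tostring(true)  -- normalized URI, same buffer as http_uri
    return needs
end

-- Split a URI into path and query (query is "" when there is no '?').
local function split_uri(uri)
    local q = uri:find("?", 1, true)    -- plain find: '?' is not a pattern here
    if q == nil then
        return uri, ""
    end
    return uri:sub(1, q - 1), uri:sub(q + 1)
end

-- Called per inspected buffer. Returns 1 for a match, 0 otherwise.
-- Matches a .php path whose query string carries a "cmd" parameter.
function match(args)
    local uri = args["http.uri"]
    if uri == nil then
        return 0
    end
    local path, query = split_uri(tostring(uri))
    if path:sub(-4):lower() ~= ".php" then
        return 0
    end
    -- Prefix with '&' so the first parameter is handled like the others;
    -- plain find (4th arg true) so '&' and '=' are not pattern characters.
    if ("&" .. query):find("&cmd=", 1, true) then
        return 1
    end
    return 0
end

-- Stand-alone self-test with constructed URIs. It assumes the interpreter sets
-- the global 'arg' (the lua/luajit binaries do, Suricata does not), so it is
-- skipped when the script is loaded by Suricata.
local function selftest()
    assert(init({})["http.uri"] == "true")
    assert(match({["http.uri"] = "/index.php?cmd=id"}) == 1)
    assert(match({["http.uri"] = "/index.php?x=1&cmd=ls"}) == 1)
    assert(match({["http.uri"] = "/index.php?x=1"}) == 0)
    assert(match({["http.uri"] = "/static/app.js?cmd=1"}) == 0)
    assert(match({["http.uri"] = "/shell.php"}) == 0)
    assert(match({}) == 0)
    print("selftest ok")
end

if arg ~= nil then
    selftest()
end
```

Run `luajit cmd_php.lua` (or `lua cmd_php.lua`) to exercise the self-test; under Suricata the `arg` guard keeps the self-test from running and only init() and match() are called. Because http.uri is the normalized buffer, the script sees the same view of the URI that the http_uri content modifier does, so encoding tricks in the raw request line do not change what match() is given.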