Inliniac

Disclaimer: this work was sponsored by Emerging Threats Pro.

value = hash_lookup(hashtable, key)
if (!value) {
    hash_insert(hashtable, key, somevalue);
}

mkdir ~/tmp/fuzz
git clone https://github.com/inliniac/suricata -b dev-afl-v5
cd suricata
git clone https://github.com/OISF/libhtp -b 0.5.x
bash autogen.sh
export CFLAGS="-fsanitize=address"
export AFLDIR=/opt/afl-1.96b/bin/
export CC="${AFLDIR}/afl-gcc"
export CXX="${AFLDIR}/afl-g++"
./configure --disable-shared --sysconfdir=/etc --enable-afl

wget http://www.canonware.com/download/jemalloc/jemalloc-3.6.0.tar.bz2
tar xvfj jemalloc-3.6.0.tar.bz2
cd jemalloc-3.6.0
./configure --prefix=/opt/jemalloc/
make
sudo make install

LD_PRELOAD=/opt/jemalloc/lib/libjemalloc.so ./src/suricata -c suricata.yaml -l tmp/ -r ~/sync/pcap/sandnet.pcap -S emerging-all.rules -v

alert tls any any -> any any ( \
    msg:"TLS HEARTBLEED malformed heartbeat record"; \
    flow:established,to_server; dsize:>7; \
    content:"|18 03|"; depth:2; lua:tls-heartbleed.lua; \
    classtype:misc-attack; sid:3000001; rev:1;)

582 files changed, 94782 insertions(+), 63243 deletions(-)

ERROR: This version of tcl was compile with threading enabled. Sguil is NOT compatible with threading.

profiling:
  # per keyword profiling
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes

--------------------------------------------------------------------------
Date: 11/7/2013 -- 15:13:11
--------------------------------------------------------------------------
Stats for: total
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- -----------
threshold        355324491   190574   409      72276       1864.00     3625.00     1860.00
content          1274592063  534328   196738   312321      2385.00     2424.00     2362.00
pcre             56626031    11149    824      254562      5079.00     12234.00    4507.00
byte_test        153287955   128254   32109    67989       1195.00     1658.00     1040.00
byte_jump        3676404     2041     2041     15939       1801.00     1801.00     0.00
flow             38276182    22842    22842    63987       1675.00     1675.00     0.00
isdataat         580764      558      556      2427        1040.00     1040.00     1017.00
dsize            2212029     2062     2061     3711        1072.00     1072.00     789.00
flowbits         1677209     874      870      9873        1919.00     1923.00     884.00
itype            1653        2        1        1386        826.00      267.00      1386.00
icode            27383781    93827    2        25545       291.00      1021.00     291.00
flags            192751968   245519   189709   255639      785.00      753.00      892.00
urilen           6149297     6142     1099     28299       1001.00     1395.00     915.00
byte_extract     143091      78       78       7743        1834.00     1834.00     0.00
--------------------------------------------------------------------------
Stats for: packet
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- -----------
flow             38276182    22842    22842    63987       1675.00     1675.00     0.00
dsize            2212029     2062     2061     3711        1072.00     1072.00     789.00
flowbits         351171      294      290      5526        1194.00     1198.00     884.00
itype            1653        2        1        1386        826.00      267.00      1386.00
icode            27383781    93827    2        25545       291.00      1021.00     291.00
flags            192751968   245519   189709   255639      785.00      753.00      892.00
--------------------------------------------------------------------------
Stats for: packet/stream payload
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- -----------
content          1203990910  512902   183628   312321      2347.00     2365.00     2337.00
pcre             28087301    6598     54       254562      4256.00     12279.00    4190.00
byte_test        153287955   128254   32109    67989       1195.00     1658.00     1040.00
byte_jump        3676404     2041     2041     15939       1801.00     1801.00     0.00
isdataat         578172      556      554      2427        1039.00     1039.00     1017.00
byte_extract     143091      78       78       7743        1834.00     1834.00     0.00
--------------------------------------------------------------------------
Stats for: http uri
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- -----------
content          44775802    13102    8351     60993       3417.00     3257.00     3698.00
pcre             18284421    3646     97       61338       5014.00     8916.00     4908.00
isdataat         2592        2        2        1725        1296.00     1296.00     0.00
urilen           6149297     6142     1099     28299       1001.00     1395.00     915.00
--------------------------------------------------------------------------
Stats for: http raw uri
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- -----------
pcre             9534        2        0        4953        4767.00     0.00        4767.00
--------------------------------------------------------------------------
Stats for: http client body
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- -----------
content          1556904     441      181      58476       3530.00     2874.00     3986.00
pcre             63924       6        6        17358       10654.00    10654.00    0.00
--------------------------------------------------------------------------
Stats for: http headers
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- -----------
content          23688244    7631     4348     31098       3104.00     3311.00     2829.00
pcre             9998970     859      667      71904       11640.00    12727.00    7862.00
--------------------------------------------------------------------------
Stats for: http stat code
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- -----------
content          80052       39       20       3699        2052.00     2199.00     1898.00
--------------------------------------------------------------------------
Stats for: http method
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- -----------
content          476334      203      201      27240       2346.00     2351.00     1846.00
--------------------------------------------------------------------------
Stats for: http cookie
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- -----------
content          23817       10       9        2763        2381.00     2384.00     2358.00
pcre             181881      38       0        13095       4786.00     0.00        4786.00
--------------------------------------------------------------------------
Stats for: post-match
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- -----------
flowbits         1326038     580      580      9873        2286.00     2286.00     0.00
--------------------------------------------------------------------------
Stats for: threshold
--------------------------------------------------------------------------
Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
---------------- ----------- -------- -------- ----------- ----------- ----------- -----------
threshold        355324491   190574   409      72276       1864.00     3625.00     1860.00

$ bash autogen.sh
Found libtoolize
Remember to add `AC_PROG_LIBTOOL' to `configure.ac'.
libtoolize: `config.guess' exists: use `--force' to overwrite
libtoolize: `config.sub' exists: use `--force' to overwrite
libtoolize: `ltmain.sh' exists: use `--force' to overwrite
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
configure.ac:1: error: m4_defn: undefined macro: _m4_divert_diversion
configure.ac:1: the top level
autom4te: /usr/bin/m4 failed with exit status: 1
aclocal: autom4te failed with exit status: 1
autoreconf: aclocal failed with exit status: 1

    a = ScFlowintIncr(0)

234 files changed, 5033 insertions(+), 3759 deletions(-)

We'll be having a public forum and brainstorming session in Washington
DC on July 16th, 2009! This session will be a mix of technical and
political issues.

We encourage our current and potential consortium members, potential
users and resellers, as well as future end users to attend. We very much
want to hear from all in a discussion format what is most important to
you, and what you need to have in the next iteration of IDS. The
discussion on the lists has been great, but most often even better
things come to life when a lot of smart folks are in the same room at
the same time, as we've seen at our prior brainstorming sessions.

We'll be getting quite technical, but we'll also answer any and every
question about the politics, goals, and funding sources of the
foundation. We know this is a very strange situation we have, being
funded by DHS to create open source security software.

So please plan to attend, July 16th in Washington DC, at the SRI
Building in Rosslyn:
http://www.sri.com/contact/wdc.html

If you plan to or are rather sure you'll be there please drop an email
to Matt Jonkman, we need an approximate headcount for the
catering, provided courtesy of SRI.

If you can't make this one don't worry, we are planning similar meetings
through the development cycle on the west coast and in Europe. We want
to hear every idea we can get!

List,

I know it has been a long time since we have had a non-beta release,
but what can I say? Victor and I have both been busy in our personal
and professional lives. If you have been running the version of code
in SVN, there are no major updates with this release other than a
memleak fix for stream4inline. I don't think this gets said often
enough, so I would like to thank Sourcefire for all the hard work they
put into snort and the snort rule sets for which I and the rest of the
community greatly benefit.

Regards,

Will

snort_inline-2.6.1.5
http://snort-inline.sourceforge.net/download.html

Differences between snort in inline mode and snort_inline
http://www.inliniac.net/blog/?p=74

Inliniac

Vuurmuur 0.8.2 release; development update

Blog Moved to Hugo

Vuurmuur 0.8 has been released

Learning Rust: hash map lookup/insert pattern

Vuurmuur Development Update

Suricata bits, ints and vars

Fuzzing Suricata with pcaps

Fuzzing Suricata with AFL

Suricata 3.0 is out!

New Suricata release model

Get paid to work on Suricata?

Domain back up

Suricata has been added to Debian Backports

Profiling Suricata with JEMALLOC

Crossing the Streams in Suricata

SMTP file extraction in Suricata

Suricata Training Tour

detecting: malloc(-1) or malloc(0xffffffff)

Suricata Flow Logging

Detecting OpenSSL Heartbleed with Suricata

LUA

Video: Suricata 2.0 installation and quick setup

Suricata 2.0 and beyond

tcpreplay on Intel 82576

Disabling Threading in Tcl8.5 in Debian

Suricata Development Update

GPG key update

Suricata profiling per keyword

Attending Hack.lu with the Suricata team

Fixing "error: m4_defn: undefined macro: _m4_divert_diversion"

More on Suricata lua flowints

Suricata Lua scripting flowint access

Suricata: Handling of multiple different SYN/ACKs

Suricata Lua scripting flowvar access

Major Suricata 1.4 update

Vuurmuur 0.8rc1 released

On Suricata 1.3, 1.4 and "next"

Suricata 1.4 is out

Suricata 1.4.1 is out

IPv6 Evasions, Scanners and the importance of staying current

Closing in on Suricata 1.4

IP Reputation in Suricata

Important Suricata update

Interview about Suricata on security.nl

Setting up an IPS with Fedora 17, Suricata and Vuurmuur

Suricata 1.4 development update

Suricata 1.3.2 is out

Suricata luajit update

First impressions of lua(jit) performance in Suricata

Suricata lua continued

First beta for Suricata 1.4

Suricata development training update

Suricata lua (jit) script keyword

Vuurmuur 0.8beta4 released

Suricata 1.3.1 is out

Suricata development training

Suricata on Myricom capture cards

Suricata http_user_agent vs http_header

Suricata 1.3 released

Suricata MD5 blacklisting

Suricata scaling improvements

Suricata runmode changes

Hello Planet!

F-Secure AV updates and Suricata IPS

Recovering the email/username in Snorby

HTTP parsing events in Suricata

Suricata 1.1.1 released

File extraction in Suricata

Suricata 1.1 released, 1.2 on the horizon

Suricata and PCRE performance

RAID 2011 Thoughts

Upgrading Sguil 0.7.0 to 0.8.0 from CVS

Vuurmuur IPv6

Suricata IPS improvements

One year of (public) Suricata

Listening on multiple interfaces with Suricata

Suricata 1.1 beta 1 released

Suricata development update

Speeding up Suricata with tcmalloc