https://inliniac.net/blog/tag/emerging-threats/ Recent content in Emerging-Threats on Inliniac Hugo en Thu, 07 Nov 2013 14:37:04 +0000 https://inliniac.net/blog/2013/11/07/suricata-profiling-per-keyword/ Thu, 07 Nov 2013 14:37:04 +0000 https://inliniac.net/blog/2013/11/07/suricata-profiling-per-keyword/ <p>Last week I&rsquo;ve added some more profiling options to Suricata. It&rsquo;s part of the current git master. It&rsquo;s enabled only when <code>--enable-profiling</code> and then through the suricata.yaml:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>profiling: </span></span><span style="display:flex;"><span> # per keyword profiling </span></span><span style="display:flex;"><span> keywords: </span></span><span style="display:flex;"><span> enabled: yes </span></span><span style="display:flex;"><span> filename: keyword_perf.log </span></span><span style="display:flex;"><span> append: yes </span></span></code></pre></div><p>This will output a table similar to below:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Date: <span style="color:#ae81ff">11</span><span style="color:#f92672">/</span><span style="color:#ae81ff">7</span><span style="color:#f92672">/</span><span style="color:#ae81ff">2013</span> <span style="color:#f92672">--</span> <span style="color:#ae81ff">15</span>:<span style="color:#ae81ff">13</span>:<span style="color:#ae81ff">11</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: total </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>threshold <span style="color:#ae81ff">355324491</span> <span style="color:#ae81ff">190574</span> <span style="color:#ae81ff">409</span> <span style="color:#ae81ff">72276</span> <span style="color:#ae81ff">1864.00</span> <span style="color:#ae81ff">3625.00</span> <span style="color:#ae81ff">1860.00</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">1274592063</span> <span style="color:#ae81ff">534328</span> <span style="color:#ae81ff">196738</span> <span style="color:#ae81ff">312321</span> <span style="color:#ae81ff">2385.00</span> <span style="color:#ae81ff">2424.00</span> <span style="color:#ae81ff">2362.00</span> </span></span><span style="display:flex;"><span>pcre <span style="color:#ae81ff">56626031</span> <span style="color:#ae81ff">11149</span> <span style="color:#ae81ff">824</span> <span style="color:#ae81ff">254562</span> <span style="color:#ae81ff">5079.00</span> <span style="color:#ae81ff">12234.00</span> <span style="color:#ae81ff">4507.00</span> </span></span><span style="display:flex;"><span>byte_test <span style="color:#ae81ff">153287955</span> <span style="color:#ae81ff">128254</span> <span style="color:#ae81ff">32109</span> <span style="color:#ae81ff">67989</span> <span style="color:#ae81ff">1195.00</span> <span style="color:#ae81ff">1658.00</span> <span style="color:#ae81ff">1040.00</span> </span></span><span style="display:flex;"><span>byte_jump <span style="color:#ae81ff">3676404</span> <span style="color:#ae81ff">2041</span> <span style="color:#ae81ff">2041</span> <span style="color:#ae81ff">15939</span> <span style="color:#ae81ff">1801.00</span> <span style="color:#ae81ff">1801.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span>flow <span style="color:#ae81ff">38276182</span> <span style="color:#ae81ff">22842</span> <span style="color:#ae81ff">22842</span> <span style="color:#ae81ff">63987</span> <span style="color:#ae81ff">1675.00</span> <span style="color:#ae81ff">1675.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span>isdataat <span style="color:#ae81ff">580764</span> <span style="color:#ae81ff">558</span> <span style="color:#ae81ff">556</span> <span style="color:#ae81ff">2427</span> <span style="color:#ae81ff">1040.00</span> <span style="color:#ae81ff">1040.00</span> <span style="color:#ae81ff">1017.00</span> </span></span><span style="display:flex;"><span>dsize <span style="color:#ae81ff">2212029</span> <span style="color:#ae81ff">2062</span> <span style="color:#ae81ff">2061</span> <span style="color:#ae81ff">3711</span> <span style="color:#ae81ff">1072.00</span> <span style="color:#ae81ff">1072.00</span> <span style="color:#ae81ff">789.00</span> </span></span><span style="display:flex;"><span>flowbits <span style="color:#ae81ff">1677209</span> <span style="color:#ae81ff">874</span> <span style="color:#ae81ff">870</span> <span style="color:#ae81ff">9873</span> <span style="color:#ae81ff">1919.00</span> <span style="color:#ae81ff">1923.00</span> <span style="color:#ae81ff">884.00</span> </span></span><span style="display:flex;"><span>itype <span style="color:#ae81ff">1653</span> <span style="color:#ae81ff">2</span> <span style="color:#ae81ff">1</span> <span style="color:#ae81ff">1386</span> <span style="color:#ae81ff">826.00</span> <span style="color:#ae81ff">267.00</span> <span style="color:#ae81ff">1386.00</span> </span></span><span style="display:flex;"><span>icode <span style="color:#ae81ff">27383781</span> <span style="color:#ae81ff">93827</span> <span style="color:#ae81ff">2</span> <span style="color:#ae81ff">25545</span> <span style="color:#ae81ff">291.00</span> <span style="color:#ae81ff">1021.00</span> <span style="color:#ae81ff">291.00</span> </span></span><span style="display:flex;"><span>flags <span style="color:#ae81ff">192751968</span> <span style="color:#ae81ff">245519</span> <span style="color:#ae81ff">189709</span> <span style="color:#ae81ff">255639</span> <span style="color:#ae81ff">785.00</span> <span style="color:#ae81ff">753.00</span> <span style="color:#ae81ff">892.00</span> </span></span><span style="display:flex;"><span>urilen <span style="color:#ae81ff">6149297</span> <span style="color:#ae81ff">6142</span> <span style="color:#ae81ff">1099</span> <span style="color:#ae81ff">28299</span> <span style="color:#ae81ff">1001.00</span> <span style="color:#ae81ff">1395.00</span> <span style="color:#ae81ff">915.00</span> </span></span><span style="display:flex;"><span>byte_extract <span style="color:#ae81ff">143091</span> <span style="color:#ae81ff">78</span> <span style="color:#ae81ff">78</span> <span style="color:#ae81ff">7743</span> <span style="color:#ae81ff">1834.00</span> <span style="color:#ae81ff">1834.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: packet </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>flow <span style="color:#ae81ff">38276182</span> <span style="color:#ae81ff">22842</span> <span style="color:#ae81ff">22842</span> <span style="color:#ae81ff">63987</span> <span style="color:#ae81ff">1675.00</span> <span style="color:#ae81ff">1675.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span>dsize <span style="color:#ae81ff">2212029</span> <span style="color:#ae81ff">2062</span> <span style="color:#ae81ff">2061</span> <span style="color:#ae81ff">3711</span> <span style="color:#ae81ff">1072.00</span> <span style="color:#ae81ff">1072.00</span> <span style="color:#ae81ff">789.00</span> </span></span><span style="display:flex;"><span>flowbits <span style="color:#ae81ff">351171</span> <span style="color:#ae81ff">294</span> <span style="color:#ae81ff">290</span> <span style="color:#ae81ff">5526</span> <span style="color:#ae81ff">1194.00</span> <span style="color:#ae81ff">1198.00</span> <span style="color:#ae81ff">884.00</span> </span></span><span style="display:flex;"><span>itype <span style="color:#ae81ff">1653</span> <span style="color:#ae81ff">2</span> <span style="color:#ae81ff">1</span> <span style="color:#ae81ff">1386</span> <span style="color:#ae81ff">826.00</span> <span style="color:#ae81ff">267.00</span> <span style="color:#ae81ff">1386.00</span> </span></span><span style="display:flex;"><span>icode <span style="color:#ae81ff">27383781</span> <span style="color:#ae81ff">93827</span> <span style="color:#ae81ff">2</span> <span style="color:#ae81ff">25545</span> <span style="color:#ae81ff">291.00</span> <span style="color:#ae81ff">1021.00</span> <span style="color:#ae81ff">291.00</span> </span></span><span style="display:flex;"><span>flags <span style="color:#ae81ff">192751968</span> <span style="color:#ae81ff">245519</span> <span style="color:#ae81ff">189709</span> <span style="color:#ae81ff">255639</span> <span style="color:#ae81ff">785.00</span> <span style="color:#ae81ff">753.00</span> <span style="color:#ae81ff">892.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: packet<span style="color:#f92672">/</span>stream payload </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">1203990910</span> <span style="color:#ae81ff">512902</span> <span style="color:#ae81ff">183628</span> <span style="color:#ae81ff">312321</span> <span style="color:#ae81ff">2347.00</span> <span style="color:#ae81ff">2365.00</span> <span style="color:#ae81ff">2337.00</span> </span></span><span style="display:flex;"><span>pcre <span style="color:#ae81ff">28087301</span> <span style="color:#ae81ff">6598</span> <span style="color:#ae81ff">54</span> <span style="color:#ae81ff">254562</span> <span style="color:#ae81ff">4256.00</span> <span style="color:#ae81ff">12279.00</span> <span style="color:#ae81ff">4190.00</span> </span></span><span style="display:flex;"><span>byte_test <span style="color:#ae81ff">153287955</span> <span style="color:#ae81ff">128254</span> <span style="color:#ae81ff">32109</span> <span style="color:#ae81ff">67989</span> <span style="color:#ae81ff">1195.00</span> <span style="color:#ae81ff">1658.00</span> <span style="color:#ae81ff">1040.00</span> </span></span><span style="display:flex;"><span>byte_jump <span style="color:#ae81ff">3676404</span> <span style="color:#ae81ff">2041</span> <span style="color:#ae81ff">2041</span> <span style="color:#ae81ff">15939</span> <span style="color:#ae81ff">1801.00</span> <span style="color:#ae81ff">1801.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span>isdataat <span style="color:#ae81ff">578172</span> <span style="color:#ae81ff">556</span> <span style="color:#ae81ff">554</span> <span style="color:#ae81ff">2427</span> <span style="color:#ae81ff">1039.00</span> <span style="color:#ae81ff">1039.00</span> <span style="color:#ae81ff">1017.00</span> </span></span><span style="display:flex;"><span>byte_extract <span style="color:#ae81ff">143091</span> <span style="color:#ae81ff">78</span> <span style="color:#ae81ff">78</span> <span style="color:#ae81ff">7743</span> <span style="color:#ae81ff">1834.00</span> <span style="color:#ae81ff">1834.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: http uri </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">44775802</span> <span style="color:#ae81ff">13102</span> <span style="color:#ae81ff">8351</span> <span style="color:#ae81ff">60993</span> <span style="color:#ae81ff">3417.00</span> <span style="color:#ae81ff">3257.00</span> <span style="color:#ae81ff">3698.00</span> </span></span><span style="display:flex;"><span>pcre <span style="color:#ae81ff">18284421</span> <span style="color:#ae81ff">3646</span> <span style="color:#ae81ff">97</span> <span style="color:#ae81ff">61338</span> <span style="color:#ae81ff">5014.00</span> <span style="color:#ae81ff">8916.00</span> <span style="color:#ae81ff">4908.00</span> </span></span><span style="display:flex;"><span>isdataat <span style="color:#ae81ff">2592</span> <span style="color:#ae81ff">2</span> <span style="color:#ae81ff">2</span> <span style="color:#ae81ff">1725</span> <span style="color:#ae81ff">1296.00</span> <span style="color:#ae81ff">1296.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span>urilen <span style="color:#ae81ff">6149297</span> <span style="color:#ae81ff">6142</span> <span style="color:#ae81ff">1099</span> <span style="color:#ae81ff">28299</span> <span style="color:#ae81ff">1001.00</span> <span style="color:#ae81ff">1395.00</span> <span style="color:#ae81ff">915.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: http raw uri </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>pcre <span style="color:#ae81ff">9534</span> <span style="color:#ae81ff">2</span> <span style="color:#ae81ff">0</span> <span style="color:#ae81ff">4953</span> <span style="color:#ae81ff">4767.00</span> <span style="color:#ae81ff">0.00</span> <span style="color:#ae81ff">4767.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: http client body </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">1556904</span> <span style="color:#ae81ff">441</span> <span style="color:#ae81ff">181</span> <span style="color:#ae81ff">58476</span> <span style="color:#ae81ff">3530.00</span> <span style="color:#ae81ff">2874.00</span> <span style="color:#ae81ff">3986.00</span> </span></span><span style="display:flex;"><span>pcre <span style="color:#ae81ff">63924</span> <span style="color:#ae81ff">6</span> <span style="color:#ae81ff">6</span> <span style="color:#ae81ff">17358</span> <span style="color:#ae81ff">10654.00</span> <span style="color:#ae81ff">10654.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: http headers </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">23688244</span> <span style="color:#ae81ff">7631</span> <span style="color:#ae81ff">4348</span> <span style="color:#ae81ff">31098</span> <span style="color:#ae81ff">3104.00</span> <span style="color:#ae81ff">3311.00</span> <span style="color:#ae81ff">2829.00</span> </span></span><span style="display:flex;"><span>pcre <span style="color:#ae81ff">9998970</span> <span style="color:#ae81ff">859</span> <span style="color:#ae81ff">667</span> <span style="color:#ae81ff">71904</span> <span style="color:#ae81ff">11640.00</span> <span style="color:#ae81ff">12727.00</span> <span style="color:#ae81ff">7862.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: http stat code </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">80052</span> <span style="color:#ae81ff">39</span> <span style="color:#ae81ff">20</span> <span style="color:#ae81ff">3699</span> <span style="color:#ae81ff">2052.00</span> <span style="color:#ae81ff">2199.00</span> <span style="color:#ae81ff">1898.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: http method </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">476334</span> <span style="color:#ae81ff">203</span> <span style="color:#ae81ff">201</span> <span style="color:#ae81ff">27240</span> <span style="color:#ae81ff">2346.00</span> <span style="color:#ae81ff">2351.00</span> <span style="color:#ae81ff">1846.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: http cookie </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>content <span style="color:#ae81ff">23817</span> <span style="color:#ae81ff">10</span> <span style="color:#ae81ff">9</span> <span style="color:#ae81ff">2763</span> <span style="color:#ae81ff">2381.00</span> <span style="color:#ae81ff">2384.00</span> <span style="color:#ae81ff">2358.00</span> </span></span><span style="display:flex;"><span>pcre <span style="color:#ae81ff">181881</span> <span style="color:#ae81ff">38</span> <span style="color:#ae81ff">0</span> <span style="color:#ae81ff">13095</span> <span style="color:#ae81ff">4786.00</span> <span style="color:#ae81ff">0.00</span> <span style="color:#ae81ff">4786.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: post<span style="color:#f92672">-</span>match </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>flowbits <span style="color:#ae81ff">1326038</span> <span style="color:#ae81ff">580</span> <span style="color:#ae81ff">580</span> <span style="color:#ae81ff">9873</span> <span style="color:#ae81ff">2286.00</span> <span style="color:#ae81ff">2286.00</span> <span style="color:#ae81ff">0.00</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Stats <span style="color:#66d9ef">for</span>: threshold </span></span><span style="display:flex;"><span><span style="color:#f92672">--------------------------------------------------------------------------</span> </span></span><span style="display:flex;"><span>Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match </span></span><span style="display:flex;"><span><span style="color:#f92672">----------------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">--------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> <span style="color:#f92672">-----------</span> </span></span><span style="display:flex;"><span>threshold <span style="color:#ae81ff">355324491</span> <span style="color:#ae81ff">190574</span> <span style="color:#ae81ff">409</span> <span style="color:#ae81ff">72276</span> <span style="color:#ae81ff">1864.00</span> <span style="color:#ae81ff">3625.00</span> <span style="color:#ae81ff">1860.00</span> </span></span></code></pre></div><p>The first part has the totals for all keywords. After this the stats are broken down per buffer type.</p> https://inliniac.net/blog/2013/04/23/more-on-suricata-lua-flowints/ Tue, 23 Apr 2013 10:17:52 +0000 https://inliniac.net/blog/2013/04/23/more-on-suricata-lua-flowints/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/lua.gif" alt="">This morning I added flowint lua functions for incrementing and decrementing flowints. From the <a href="https://github.com/inliniac/suricata/commit/9571091e53a2103cbc9926242fa2cb003eb412ec">commit</a>:</p> <blockquote> <p>Add flowint lua functions for incrementing and decrementing flowints.</p> <p>First use creates the var and inits to 0. So a call:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span> a = ScFlowintIncr(0) </span></span></code></pre></div><p>Results in a == 1.</p> <p>If the var reached UINT_MAX (2^32), it&rsquo;s not further incremented. If the var reaches 0 it&rsquo;s not decremented further.</p> <p>Calling ScFlowintDecr on a uninitialized var will init it to 0.</p> https://inliniac.net/blog/2013/04/22/suricata-lua-scripting-flowint-access/ Mon, 22 Apr 2013 16:16:30 +0000 https://inliniac.net/blog/2013/04/22/suricata-lua-scripting-flowint-access/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/lua.gif" alt="">A few days ago I wrote about my Emerging Threats sponsored <a href="https://inliniac.net/blog/2013/04/18/suricata-lua-scripting-flowvar-access/" title="Suricata Lua scripting flowvar access">work</a> to support flowvars from Lua scripts in Suricata.</p> <p>Today, I updated that support. Flowvar &lsquo;sets&rsquo; are now real time. This was needed to fix some issues where a script was invoked multiple times in single rule, which can happen with some buffers, like HTTP headers.</p> <p>Also, I implemented flowint support. Flowints in Suricata are integers stored in the flow context.</p> https://inliniac.net/blog/2013/04/18/suricata-lua-scripting-flowvar-access/ Thu, 18 Apr 2013 16:36:56 +0000 https://inliniac.net/blog/2013/04/18/suricata-lua-scripting-flowvar-access/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/09/lua.gif" alt="">Funded by Emerging Threats, I&rsquo;ve been working on giving the lua scripts access to flowvars.</p> <p>Currently only &ldquo;flowvars&rdquo; are done, &ldquo;flowints&rdquo; will be next. Please review the code at: <a href="https://github.com/inliniac/suricata/tree/dev-lua-flowvar">https://github.com/inliniac/suricata/tree/dev-lua-flowvar</a></p> <p>Pcre based flowvar capturing is done in a post-match fashion. If the rule containing the &ldquo;capture&rdquo; matches, the var is stored in the flow.</p> <p>For lua scripting, this wasn&rsquo;t what the rule writers wanted. In this case, the flowvars are stored in the flow regardless of a rule match.</p> https://inliniac.net/blog/2012/11/29/closing-in-on-suricata-1-4/ Thu, 29 Nov 2012 16:50:15 +0000 https://inliniac.net/blog/2012/11/29/closing-in-on-suricata-1-4/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png" alt="">I just made <a href="http://suricata-ids.org/2012/11/29/suricata-1-4rc1-available/">Suricata 1.4rc1</a> available with some pretty exciting features: unix socket mode and IP reputation.</p> <p><strong>Unix socket</strong></p> <p>First of all, <a href="https://home.regit.org/2012/09/a-new-unix-command-mode-in-suricata/">Eric Leblond&rsquo;s work</a> on the Unix socket was merged. The unix socket work consists of two parts. The unix socket protocol implementation and a new runmode.</p> <p>The protocol implementation is based on JSON messages over unix socket. Eric will be fully documenting it soon. Currently the commands are limited to shutting down and getting some basic stats. This part isn&rsquo;t very exciting yet, but the groundwork for many future extensions has been laid.</p> https://inliniac.net/blog/2012/11/21/ip-reputation-in-suricata/ Wed, 21 Nov 2012 19:22:01 +0000 https://inliniac.net/blog/2012/11/21/ip-reputation-in-suricata/ <p><em>Disclaimer: this work was sponsored by <a href="http://www.emergingthreatspro.com/">Emerging Threats Pro</a>.</em></p> <p>One thing we&rsquo;ve been talking about for many years at OISF is IP Reputation. The basic idea is that many organizations have information about specific IP-addresses. This information may be that a host is infected, acts as a spam relay or many other things. We&rsquo;ve always thought it might be useful to apply this info to the IDS directly.</p> <p>In the last weeks I&rsquo;ve developed code to load IP reputation information into Suricata. This code is now part of the Suricata git master, so it&rsquo;s available to all.</p> https://inliniac.net/blog/2012/07/09/suricata-http_user_agent-vs-http_header/ Mon, 09 Jul 2012 18:43:12 +0000 https://inliniac.net/blog/2012/07/09/suricata-http_user_agent-vs-http_header/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/ua-ws.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/ua-ws.png?w=300" alt=""></a> One of the new features in Suricata 1.3 is a new content modifier called <em>http_user_agent</em>. This allows rule writers to match on the User-Agent header in HTTP requests more efficiently. The new keyword is documented in the OISF <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords">wiki</a>. In this post, I&rsquo;ll show it&rsquo;s efficiency with two examples.</p> <p><strong>Example 1: rarely matching UA</strong></p> <p>Consider a signature where the match if on a part of the UA that is very rare, so not part of regular User Agents. In my example &ldquo;abc&rdquo;.</p> https://inliniac.net/blog/2012/07/06/suricata-1-3-released/ Fri, 06 Jul 2012 16:06:52 +0000 https://inliniac.net/blog/2012/07/06/suricata-1-3-released/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png" alt=""></a> Today, almost half a year after the last &ldquo;stable&rdquo; release, we released Suricata 1.3. I think this release is a big step forward with regard to maturity of Suricata. Performance and scalability have been much improved, just like accuracy and stability.</p> <p>The official announcement can be found on the <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/157-suricata-13-available">OISF site</a></p> <p>In the last 6 months a lot of code has been changed:</p> <blockquote> <p>384 files changed, 44332 insertions(+), 18478 deletions(-)</p> https://inliniac.net/blog/2010/12/21/suricata-1-1beta1-released/ Tue, 21 Dec 2010 17:56:32 +0000 https://inliniac.net/blog/2010/12/21/suricata-1-1beta1-released/ <p>Today we&rsquo;ve released Suricata 1.1 beta 1, the first beta of the upcoming Suricata 1.1 release. The official release announcement is <a href="http://openinfosecfoundation.org/index.php/component/content/article/1-latest-news/108-suricata-11-beta-1-released">here on the OISF website</a>.</p> <p>The main focus of the new release has been to improve performance and to add support to the features the new ET/ETpro ruleset needs. ET and ETpro have rulesets specially tuned and geared for Suricata. We&rsquo;re still missing some new rule keywords that are used by VRT, so in the 1.1 beta 2 release we&rsquo;ll address that.</p> https://inliniac.net/blog/2010/05/10/setting-up-suricata-0-9-0-for-initial-use-on-ubuntu-lucid-10-04/ Mon, 10 May 2010 14:27:25 +0000 https://inliniac.net/blog/2010/05/10/setting-up-suricata-0-9-0-for-initial-use-on-ubuntu-lucid-10-04/ <p>The last few days I blogged about compiling Suricata in <a href="http://www.inliniac.net/blog/2010/05/07/compiling-suricata-0-9-0-in-ubuntu-lucid-10-04-in-ids-mode.html">IDS</a> and <a href="http://www.inliniac.net/blog/2010/05/07/compiling-suricata-0-9-0-in-ubuntu-lucid-10-04-in-ips-inline-mode.html">IPS</a> mode. Today I&rsquo;ll write about how to set it up for first use.</p> <p>Starting with Suricata 0.9.0 the engine can run as an unprivileged user. For this create a new user called &ldquo;suricata&rdquo;.</p> <blockquote> <p>useradd &ndash;no-create-home &ndash;shell /bin/false &ndash;user-group &ndash;comment &ldquo;Suricata IDP account&rdquo; suricata</p></blockquote> <p>This command will create a user and group called &ldquo;suricata&rdquo;. It will be unable to login as the shell is set to /bin/false.</p> https://inliniac.net/blog/2008/08/21/sidreporter-beta2-released/ Thu, 21 Aug 2008 15:08:42 +0000 https://inliniac.net/blog/2008/08/21/sidreporter-beta2-released/ <p>A little over a week ago the second beta of the SidReporter from <a href="http://www.emergingthreats.net/">Emerging Threats</a> was released (see <a href="http://www.emergingthreats.net/content/view/95/1/">http://www.emergingthreats.net/content/view/95/1/</a>). I&rsquo;ve been working with Matt Jonkman to setup this new project at Emerging Threats, mostly in writing the reporter scripts. I think it&rsquo;s an exciting new project that could provide the community with great information. As Matt <a href="http://www.emergingthreats.net/content/view/93/1/">wrote</a> on the initial announcement:</p> <blockquote> <p>&ldquo;As mentioned a few weeks ago, we&rsquo;ve been working to bring out tool to anonymously report IDS/IPS hits. Similar to DShield&rsquo;s firewall log reporting, we believe we can make some incredible data inferences with this information, as well as help improve the quality of our signatures while giving us all feedback to tune our rulesets.</p> https://inliniac.net/blog/2008/01/08/new-snortsam-patch-for-snort-2801/ Tue, 08 Jan 2008 12:30:53 +0000 https://inliniac.net/blog/2008/01/08/new-snortsam-patch-for-snort-2801/ <p>Matt Jonkman of <a href="http://www.emergingthreats.net/">Emerging Threats</a> asked me to have a look at the existing Snortsam 2.8.0.1 patch as people were continuing to report problems with it. I updated it to compile without compiler warnings, build cleanly with debugging enabled, build cleanly with Snort&rsquo;s IPv6 support enabled and added a check so it won&rsquo;t act on alerts in IPv6 packets since the Snortsam framework does not support IPv6. Finally I removed the patch script so it&rsquo;s provided as a &rsquo;normal&rsquo; diff. Here is the patch: <a href="http://www.inliniac.net/files/snortsam-2.8.0.1.diff">http://www.inliniac.net/files/snortsam-2.8.0.1.diff</a></p>