Suricata on Inliniac

Vuurmuur 0.8 has been released

Sun, 24 Feb 2019 19:22:51 +0000

I’ve just pushed the 0.8 release. See my announcement here. Get it from github or the ftp server.

Largest changes:

ipv6 support using ip6tables
logging uses nflog - initial work by Fred Leeflang
connection logging and viewer
add rpfilter and improved helper support
a ‘dialog’ based setup wizard
single code base / package
massive code cleanup

I plan to continue to work on Vuurmuur, but it will likely remain at a low pace. Suricata development is simply taking too much of my time.

SMTP file extraction in Suricata

Tue, 11 Nov 2014 10:47:42 +0000

In 2.1beta2 the long awaited SMTP file extraction support for Suricata finally appeared. It has been a long development cycle. Originally started by BAE Systems, it was picked up by Tom Decanio of FireEye Forensics Group (formerly nPulse Technologies) followed by a last round of changes from my side. But it’s here now.

It contains:

a MIME decoder
updates to the SMTP parser to use the MIME decoder for extracting files
SMTP JSON log, integrated with EVE
SMTP message URL extraction and logging

As it uses the Suricata file handling API, it shares almost everything with the existing file handling for HTTP. The rule keyword work and the various logs work automatically with SMTP as well.

Suricata http_user_agent vs http_header

Mon, 09 Jul 2012 18:43:12 +0000

One of the new features in Suricata 1.3 is a new content modifier called http_user_agent. This allows rule writers to match on the User-Agent header in HTTP requests more efficiently. The new keyword is documented in the OISF wiki. In this post, I’ll show it’s efficiency with two examples.

Example 1: rarely matching UA

Consider a signature where the match if on a part of the UA that is very rare, so not part of regular User Agents. In my example “abc”.