Everything inline.

Vuurmuur 0.8.2 release; development update


I’ve just pushed out a minor update to Vuurmuur. Basically a single important bug fix, and lots of minor cleanups.

Both in GitHub Actions and in my local CI I’ve updated the build tests and the scanners, like cppcheck.

There are quite a few debs for Ubuntu and Debian. On the rpm side, just Fedora. Since libnetfilter_log is still missing from EPEL, creating CentOS rpms isn’t feasible right now.

For the release, see: https://vuurmuur.org/posts/release-082/

Read more ⟶

Blog Moved to Hugo


After many years of hosting this blog at WordPress, I’ve decided to convert it to a static Hugo site. I like that I can just write a simple markdown file and publish it.

I’ve done the conversion using https://github.com/ashishb/wp2hugo, which was very easy.

There is no option to comment anymore. This feature wasn’t used much anyway, but if you have feedback please see contact.

My plan is to post more regularly again.

Read more ⟶

Vuurmuur 0.8 has been released


I’ve just pushed the 0.8 release. See my announcement here. Get it from github or the ftp server.

Largest changes:

  • IPv6 support using ip6tables
  • logging uses NFLOG - initial work by Fred Leeflang
  • connection logging and viewer
  • add rpfilter and improved helper support
  • a ‘dialog’ based setup wizard
  • single code base / package
  • massive code cleanup

I plan to continue to work on Vuurmuur, but it will likely remain at a low pace. Suricata development is simply taking too much of my time.

Read more ⟶

Learning Rust: hash map lookup/insert pattern


In Suricata we’re experimenting with implementing app-layer parsers in Rust. See Pierre Chifflier’s presentation at the last SuriCon: [pdf].

The first experimental parsers will soon land in master.

So coming from a C world I often use a pattern like:

value = hash_lookup(hashtable, key);        /* NULL when the key is absent */
if (!value) {
    hash_insert(hashtable, key, somevalue); /* miss: insert, hashing the key a second time */
}

Playing with Rust and its HashMap implementation I wanted to do something very similar. Look up a vector and update it with the new data if it exists, or create a new vector if not:
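The teaser stops before the post's own solution. As an added example, not code from the post or from Suricata, here is the C-style two-step translation next to the idiomatic Rust form using HashMap's entry API, applied to a constructed list of (flow key, byte count) observations. The flow keys, the `Groups` alias and the function names are assumptions chosen for the illustration.

```rust
use std::collections::HashMap;

/// Per-key list of values, e.g. every observation seen for one flow (assumed shape).
type Groups = HashMap<String, Vec<u32>>;

/// Literal translation of the C pattern: look up, then insert when missing.
/// On a miss this hashes the key twice, and the result of `get_mut` has to be
/// out of scope (here: by returning from the `if let`) before `insert` may
/// borrow the map mutably again.
fn append_two_step(map: &mut Groups, key: &str, value: u32) {
    if let Some(existing) = map.get_mut(key) {
        existing.push(value);
        return;
    }
    map.insert(key.to_string(), vec![value]);
}

/// Idiomatic form: `entry` hashes once and yields a mutable reference to either
/// the existing vector or a freshly inserted empty one (`Vec::default()`).
fn append_with_entry(map: &mut Groups, key: &str, value: u32) {
    map.entry(key.to_string()).or_default().push(value);
}

/// Group observations per key with the entry API.
fn group_by_key(observations: &[(&str, u32)]) -> Groups {
    let mut map = Groups::new();
    for &(key, value) in observations {
        append_with_entry(&mut map, key, value);
    }
    map
}

/// Same grouping via the two-step variant, so both can be compared.
fn group_by_key_two_step(observations: &[(&str, u32)]) -> Groups {
    let mut map = Groups::new();
    for &(key, value) in observations {
        append_two_step(&mut map, key, value);
    }
    map
}

/// Constructed sample input, not real traffic: (flow key, payload bytes).
fn sample_observations() -> Vec<(&'static str, u32)> {
    vec![
        ("10.0.0.1:51000->10.0.0.2:80", 120),
        ("10.0.0.3:4040->10.0.0.2:443", 64),
        ("10.0.0.1:51000->10.0.0.2:80", 1460),
        ("10.0.0.1:51000->10.0.0.2:80", 32),
    ]
}

fn main() {
    let groups = group_by_key(&sample_observations());
    let mut keys: Vec<&String> = groups.keys().collect();
    keys.sort();
    for key in keys {
        println!("{key}: {:?}", groups[key]);
    }
}
```

Note that `entry(key.to_string())` still allocates an owned key on every call, even when the key already exists, because the map needs one to insert on a miss; if that matters on a hot path, a `get_mut` probe followed by `entry` only on the miss avoids it at the cost of the double hash.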

Read more ⟶

Vuurmuur Development Update


Over the holidays I’ve spent some time refreshing the Vuurmuur code. One major thing that is now done is that the 3 different ‘projects’ (libvuurmuur, vuurmuur and vuurmuur-conf) are now merged into a single ‘project’. This means that a single ‘./configure && make && make install’ now installs everything.

When I originally started Vuurmuur I had much bigger dreams for it than eventually materialized. Also, I didn’t understand autotools very well, so it was easier to keep the project split up. At some point there were even 5 projects!

Read more ⟶

Suricata bits, ints and vars


Since the beginning of the project we’ve spoken about variables on multiple levels. Of course flowbits defined by the Snort language came first, but other flow based variables quickly followed: flowints for basic counting, and vars for extracting data using pcre expressions.

I’ve always thought of the pcre data extraction using substring capture as a potentially powerful feature. However the implementation was lacking. The extracted data couldn’t really be used for much.

Read more ⟶

Fuzzing Suricata with pcaps


Yesterday I wrote about fuzzing Suricata with AFL. Today I’m going to show another way. Since early in the project, we’ve shipped a perl based fuzzer called ‘wirefuzz’. The tool is very simple. It takes a list of pcaps, changes random bits in them using Wireshark’s editcap and runs them through Suricata. Early in the project Will Metcalf, who wrote the tool, found a lot of issues with it.

Since it is random-based fuzzing, the fuzzing is quite shallow. It is still a great way of stressing the decoder layers of Suricata though, as we need to be able to process all junk input correctly.
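To make the mutation step concrete, here is an added example of the same idea in Rust; it is not wirefuzz (which shells out to editcap) and not Suricata code. It walks a little-endian pcap, flips a requested number of random bits inside the captured packet bytes only, and leaves the global and record headers alone so the file still loads and the corruption reaches the decoders. The sample pcap (one Ethernet/IPv4/UDP frame), the xorshift generator and the function names are all constructed for the illustration.

```rust
use std::convert::TryInto;

/// Legacy pcap: 24-byte global header, 16-byte header per record.
const PCAP_GLOBAL_HDR_LEN: usize = 24;
const PCAP_RECORD_HDR_LEN: usize = 16;

/// Small xorshift64* generator: reproducible from a seed, no external crate.
struct XorShift64(u64);

impl XorShift64 {
    fn new(seed: u64) -> Self {
        // xorshift must never start from an all-zero state
        XorShift64(if seed == 0 { 0x9E37_79B9_7F4A_7C15 } else { seed })
    }
    fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x >> 12;
        x ^= x << 25;
        x ^= x >> 27;
        self.0 = x;
        x.wrapping_mul(0x2545_F491_4F6C_DD1D)
    }
    fn below(&mut self, n: usize) -> usize {
        (self.next_u64() % n as u64) as usize
    }
}

/// Byte ranges (start, end) of the captured data of every record in a little-endian
/// pcap. None if the magic is unknown, a header is cut off, or a record claims more
/// bytes than the file holds (so a bad input is rejected instead of indexed past).
fn packet_data_ranges(pcap: &[u8]) -> Option<Vec<(usize, usize)>> {
    if pcap.len() < PCAP_GLOBAL_HDR_LEN {
        return None;
    }
    let magic = u32::from_le_bytes(pcap[0..4].try_into().ok()?);
    if magic != 0xa1b2_c3d4 && magic != 0xa1b2_3c4d {
        return None; // big-endian files are left out to keep the example short
    }
    let mut ranges = Vec::new();
    let mut off = PCAP_GLOBAL_HDR_LEN;
    while off < pcap.len() {
        if off + PCAP_RECORD_HDR_LEN > pcap.len() {
            return None; // truncated record header
        }
        let incl_len = u32::from_le_bytes(pcap[off + 8..off + 12].try_into().ok()?) as usize;
        let start = off + PCAP_RECORD_HDR_LEN;
        let end = start.checked_add(incl_len)?;
        if end > pcap.len() {
            return None; // incl_len points past the end of the file
        }
        ranges.push((start, end));
        off = end;
    }
    Some(ranges)
}

/// Flip `nflips` random bits, each in some record's packet bytes. Headers are
/// never touched, so the output is still a loadable pcap; only the packets change.
fn flip_packet_bits(pcap: &[u8], nflips: usize, seed: u64) -> Option<Vec<u8>> {
    let ranges = packet_data_ranges(pcap)?;
    let total: usize = ranges.iter().map(|&(s, e)| e - s).sum();
    let mut out = pcap.to_vec();
    if total == 0 {
        return Some(out);
    }
    let mut rng = XorShift64::new(seed);
    for _ in 0..nflips {
        // pick a byte uniformly over all packet data, then a bit within it
        let mut idx = rng.below(total);
        for &(s, e) in &ranges {
            if idx < e - s {
                out[s + idx] ^= 1u8 << rng.below(8);
                break;
            }
            idx -= e - s;
        }
    }
    Some(out)
}

/// Number of bit positions in which two equal-length buffers differ.
fn differing_bits(a: &[u8], b: &[u8]) -> u32 {
    a.iter().zip(b).map(|(x, y)| (x ^ y).count_ones()).sum()
}

/// Constructed sample, not captured traffic: one record (LINKTYPE_ETHERNET = 1)
/// holding a 42-byte Ethernet + IPv4 + UDP frame with no payload.
fn sample_pcap() -> Vec<u8> {
    let mut frame: Vec<u8> = Vec::new();
    frame.extend_from_slice(&[0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0x08, 0x00]);
    // IPv4: ihl 5, total length 28, ttl 64, proto 17 (UDP), checksum left zero, 10.0.0.1 -> 10.0.0.2
    frame.extend_from_slice(&[0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00]);
    frame.extend_from_slice(&[10, 0, 0, 1, 10, 0, 0, 2]);
    frame.extend_from_slice(&[0x04, 0xd2, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00]); // UDP 1234 -> 53, length 8
    let mut pcap = Vec::new();
    pcap.extend_from_slice(&0xa1b2_c3d4u32.to_le_bytes()); // magic (microsecond timestamps)
    pcap.extend_from_slice(&2u16.to_le_bytes()); // version 2.4
    pcap.extend_from_slice(&4u16.to_le_bytes());
    pcap.extend_from_slice(&[0u8; 8]); // thiszone, sigfigs
    pcap.extend_from_slice(&65535u32.to_le_bytes()); // snaplen
    pcap.extend_from_slice(&1u32.to_le_bytes()); // linktype ethernet
    pcap.extend_from_slice(&[0u8; 8]); // ts_sec, ts_usec
    pcap.extend_from_slice(&(frame.len() as u32).to_le_bytes()); // incl_len
    pcap.extend_from_slice(&(frame.len() as u32).to_le_bytes()); // orig_len
    pcap.extend_from_slice(&frame);
    pcap
}

fn main() {
    let orig = sample_pcap();
    let fuzzed = flip_packet_bits(&orig, 4, 0x5eed).expect("sample is a valid pcap");
    println!("{} bit(s) differ across {} packet byte(s)", differing_bits(&orig, &fuzzed),
        orig.len() - PCAP_GLOBAL_HDR_LEN - PCAP_RECORD_HDR_LEN);
}
```

Because the flips are uniform over the bytes, most of them land in headers of the inner protocols rather than in anything stateful above the decoders, which is exactly why this kind of fuzzing is shallow but still a good decoder stress test; a seeded generator keeps any crash reproducible from (input, seed, flip count).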

Read more ⟶

Fuzzing Suricata with AFL


AFL is a very powerful fuzzer that tries to be smarter than random-input-generating fuzzers. It’s cool, but needs a bit more babysitting. I’ve added some support to Suricata to assist AFL.

Here’s how to get started on fuzzing pcaps.

mkdir ~/tmp/fuzz
git clone https://github.com/inliniac/suricata -b dev-afl-v5
cd suricata
git clone https://github.com/OISF/libhtp -b 0.5.x
bash autogen.sh
export CFLAGS="-fsanitize=address"
export AFLDIR=/opt/afl-1.96b/bin/
export CC="${AFLDIR}/afl-gcc"
export CXX="${AFLDIR}/afl-g++"
./configure --disable-shared --sysconfdir=/etc --enable-afl

The configure output should show: Compiler: /opt/afl-1.96b/bin//afl-gcc (exec name) / gcc (real)

Read more ⟶

Suricata 3.0 is out!


Today, almost 2 years after the release of Suricata 2.0, we released 3.0! This new version of Suricata improves performance, scalability, accuracy and general robustness. Next to this, it brings a lot of new features.

New features are too numerous to mention here, but I’d like to highlight a few:

  • netmap support: finally a high speed capture method for our FreeBSD friends, IDS and IPS
  • multi-tenancy: single instance, multiple detection configs
  • JSON stats: making it much easier to graph the stats in ELK, etc
  • Much improved Lua support: many more fields/protocols available, output scripts

Check the full list here in the announcement: http://suricata-ids.org/2016/01/27/suricata-3-0-available/

Read more ⟶

New Suricata release model


As the team is back from a very successful week in Barcelona, I’d like to take a moment on what we discussed and decided on with regards to development.

One thing no one was happy with is how the release schedules are working. Releases were meant to be reasonably frequent, but the time between major releases was growing longer and longer. The 2.0 branch, for example, is closing in on 2 years as the stable branch. The result is that many people are missing out on many of the improvements we’ve been doing. Currently many people using Suricata actually use a beta version, or even our git master, in production!

Read more ⟶