Suricata development training

We’re considering offering a Suricata development training day around the next OISF brainstorm meeting. That would be in Amsterdam around the RAID conference, in early September. Topics we could cover:
- code/development overview
- create/extend detect module
- create/extend output module
- app layer module
- proto detection
- …
The training would probably be free as it’s an exercise for us as well, so we’d just want honest feedback in return :) ...

July 12, 2012 · 1 min · inliniac
Myricom

Suricata on Myricom capture cards

Myricom and OISF just announced that Myricom joined the OISF consortium to support the development of Suricata. The good folks at Myricom already sent me one of their cards earlier. In this post I’ll describe how you can use these cards already, even though Suricata doesn’t have native Myricom support yet. So in this guide I’ll describe using the Myricom libpcap support.
Getting started
I’m going to assume you installed the card properly, installed the Sniffer driver and made sure that all works. Make sure that in your dmesg you see that the card is in sniffer mode: ...

July 10, 2012 · 3 min · inliniac
HTTP UA

Suricata http_user_agent vs http_header

One of the new features in Suricata 1.3 is a new content modifier called http_user_agent. This allows rule writers to match on the User-Agent header in HTTP requests more efficiently. The new keyword is documented in the OISF wiki. In this post, I’ll show its efficiency with two examples.
Example 1: rarely matching UA
Consider a signature where the match is on a part of the UA that is very rare, so not part of regular User Agents. In my example “abc”. ...

July 9, 2012 · 2 min · inliniac
Suricata

Suricata 1.3 released

Today, almost half a year after the last “stable” release, we released Suricata 1.3. I think this release is a big step forward with regard to the maturity of Suricata. Performance and scalability have been much improved, just like accuracy and stability. The official announcement can be found on the OISF site. In the last 6 months a lot of code has been changed: 384 files changed, 44332 insertions(+), 18478 deletions(-) ...

July 6, 2012 · 2 min · inliniac

Suricata MD5 blacklisting

For a few months Suricata has been able to calculate the MD5 checksum of files it sees in HTTP streams. Regardless of extraction to disk, the MD5 could be calculated and logged. Martin Holste created a set of very cool scripts to use the logged MD5 to look it up at VirusTotal and some other similar services. This is done outside of Suricata. One thing I have been wanting to try is matching against these MD5s in Suricata itself. ...

June 9, 2012 · 3 min · inliniac

Suricata scaling improvements

For the Suricata 1.3beta1 release, one of our goals was to improve the scalability of the engine when running on many cores. As the graph below shows, we made a good deal of progress. The blue line is an older 1.1 version, the yellow line is 1.3dev. It clearly shows that 1.1 peaked at 4 cores, then started to get serious contention issues. 1.3dev scales nicely beyond that, up to 24 cores in this test (four 6-core AMD CPUs). Tilera recently demonstrated Suricata on their many-core systems, running a single Suricata process per CPU. Their CPUs have 36 real cores. ...

May 29, 2012 · 3 min · inliniac

Suricata runmode changes

Yesterday I pushed a patch that changes the default runmode from “auto” to “autofp”. The autofp name stands for “auto flow pinning” and it automatically makes sure all packets belonging to a flow are processed by the same stream, detection and output thread. Until now, the assignment was done with a simple hash calculation. The problem with that is that it doesn’t take into account how busy a thread may be. ...

March 23, 2012 · 2 min · inliniac

Hello Planet!

We recently set up a Planet for Suricata, see the official announcement here. All my posts tagged “suricata” will automatically appear on it. Excited about it! https://planet.suricata-ids.org/

March 23, 2012 · 1 min · inliniac

F-Secure AV updates and Suricata IPS

My ISP recently started providing 3 F-Secure AV copies to each of their customers. I installed it but noticed that updates timed out. It turned out that Suricata, which runs in IPS mode, blocked the update. There were 3 Emerging Threats rules that alerted:
[1:2003614:4] ET VIRUS WinUpack Modified PE Header Inbound
[1:2009557:2] ET TROJAN Yoda’s Protector Packed Binary
[1:2012086:2] ET SHELLCODE Possible Call with No Offset TCP Shellcode
It seems that F-Secure uses some form of packed binaries for their updates that is often used by malware. ...

March 7, 2012 · 1 min · inliniac

HTTP parsing events in Suricata

With the 1.2rc1 release you will notice no more HTTP errors on the screen. Or SMTP errors. This output has finally been disabled. This was a long-time annoyance. As you may still be interested in the errors, they are now available through the rule language. In rules/http-events.rules and rules/smtp-events.rules, rules for all possible events/errors can be found. Example:
app-layer-event:http.missing_host_header;
This will match on HTTP/1.1 requests without a Host header. ...

January 11, 2012 · 1 min · inliniac