Everything inline.
Get paid to work on Suricata?
If you like fiddling with Suricata development, maybe you can get paid to do it.
Companies ask me regularly if I can recommend Suricata developers. I’m going to assemble a list of people who are interested in such work. If you’d like me to consider you in such cases, drop me an email.
If you really want me to *recommend* you, it’s important that I actually know you somewhat. So becoming a (volunteer) contributor will help a lot.
…
Domain back up
Due to an ‘administrative problem’ between my registrar Xs4all and their US partner Network Solutions, my domain has been offline since Sunday. Resolving the issue took them some time, and a technical issue followed once the administrative one was resolved. Add long DNS TTL values into the mix, and the disruption was quite lengthy. The domain is back up, although it may still take some hours for everyone to see it due to DNS caching.
…
Suricata has been added to Debian Backports
Thanks to the hard work of Arturo Borrero Gonzalez, Suricata has just been added to the Debian ‘backports’ repository. This allows users of Debian stable to run up to date versions of Suricata.
The ‘backports’ repository makes the Suricata and libhtp packages from Debian ‘testing’ available to ‘stable’ users. As ‘testing’ is currently in a freeze, it may take a bit of time before 2.0.5 and libhtp 0.5.16 appear.
Anyway, here is how to use it.
…
Profiling Suricata with JEMALLOC
JEMALLOC is a memory allocation library: http://www.canonware.com/jemalloc/
It offers many interesting things for a tool like Suricata. Ken Steele of EZchip (formerly Tilera) made me aware of it. In Ken’s testing it improves performance.
Install
wget http://www.canonware.com/download/jemalloc/jemalloc-3.6.0.tar.bz2
tar xvfj jemalloc-3.6.0.tar.bz2
cd jemalloc-3.6.0
./configure --prefix=/opt/jemalloc/
make
sudo make install
Then use it by preloading the library into the Suricata process:
LD_PRELOAD=/opt/jemalloc/lib/libjemalloc.so ./src/suricata -c suricata.yaml -l tmp/ -r ~/sync/pcap/sandnet.pcap -S emerging-all.rules -v
I haven’t benchmarked this, but if you’re running a high performance setup it may certainly be worth a shot.
…
Crossing the Streams in Suricata
At its core, Suricata is a packet processor. It reads packets and pushes them through a configurable pipeline. The second most important processing unit in Suricata is the flow. In Suricata we use the term flow for the bidirectional flow of packets with the same 5-tuple (proto, src ip, dst ip, sp, dp; VLAN ids can be added as well). In fact, much of Suricata’s threading effort revolves around the flow. In the two main runmodes, autofp and workers, flow-based load balancing makes sure that all packets of a single flow always go through the same threading pipeline. In workers this means one single thread; in autofp it means two: the capture thread and a stream/detect/output thread.
…
SMTP file extraction in Suricata
In 2.1beta2 the long awaited SMTP file extraction support for Suricata finally appeared. It has been a long development cycle. Originally started by BAE Systems, it was picked up by Tom Decanio of FireEye Forensics Group (formerly nPulse Technologies) followed by a last round of changes from my side. But it’s here now.
It contains:
- a MIME decoder
- updates to the SMTP parser to use the MIME decoder for extracting files
- SMTP JSON log, integrated with EVE
- SMTP message URL extraction and logging
As it uses the Suricata file handling API, it shares almost everything with the existing file handling for HTTP. The file rule keywords and the various file logs work automatically with SMTP as well.
…
Suricata Training Tour
After a lot of preparations, it’s finally going to happen: official Suricata trainings!
In the next couple of months I’ll be doing at least three sessions: a home match (Amsterdam), a workshop in Luxembourg and a session at DeepSec. Next to this, we’re planning various US-based sessions on the East Coast and West Coast.
I’m really looking forward to doing these sessions. Other than the official content, there will be plenty of room for questions and discussions.
…
detecting: malloc(-1) or malloc(0xffffffff)
In Suricata we often don’t print malloc errors. The reason is that we’re not willing to print such errors based on (attacker controlled) traffic, as that would allow an attacker to flood the logs. So such cases are often handled silently.
We came across a bug though, where an integer underflow led to -1/0xffffffff being passed to malloc. Luckily, malloc just failed by returning NULL, and this return was properly handled. Still, passing such a large value to malloc is a bug, so I would like to catch it.
…
Suricata Flow Logging
Pretty much from the start of the project, Suricata has been able to track flows. In Suricata the term ‘flow’ means the bidirectional flow of packets with the same 5-tuple, or 7-tuple when VLAN tags are counted as well.
Such a flow is created when the first packet comes in and is stored in the flow hash. Each new packet does a hash look-up and attaches the flow to the packet. Through the packet’s flow reference we can access all that is stored in the flow: TCP session, flowbits, app layer state data, protocol info, etc.
…
Detecting OpenSSL Heartbleed with Suricata
The OpenSSL Heartbleed vulnerability is a pretty serious weakness in OpenSSL that can lead to information disclosure, in some cases even to private key leakage. Please see this post http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html for more info.
This is a case where an IDS is able to detect the vulnerability being exercised, even though we’re talking about TLS: the malformed heartbeat record is visible on the wire before any encryption is negotiated.
Lua
I’ve written a quick and dirty Lua script to detect it, invoked from this rule:
alert tls any any -> any any ( \
msg:"TLS HEARTBLEED malformed heartbeat record"; \
flow:established,to_server; dsize:>7; \
content:"|18 03|"; depth:2; lua:tls-heartbleed.lua; \
classtype:misc-attack; sid:3000001; rev:1;)
The script:
…