[Emerging-Sigs] Suricata 1.4rc1 Available!

Matt Jonkman jonkman at emergingthreats.net
Thu Nov 29 05:05:30 HAST 2012


Great work Victor and team! Unbelievable pace of new feature development
you all sustain!

The IP Reputation I think will be of great interest especially. We're
digging in to test that. I wanted to point out the method for reputation
here:

There's a new keyword you can use with reputation.

iprep:<side to check>,<cat>,<operator>,<value>

Very cool possibilities here. You can not only block based on a category
listing that's over a certain score, like so:

alert ip $HOME_NET any -> any any (msg:"IPREP internal host talking to CnC server"; flow:to_server; iprep:dst,CnC,>,30; sid:1; rev:1;)


But you can also use reputation to eliminate false positives in the case of
having a very shaky matching criteria, like so:

alert ip $HOME_NET any -> any any (msg:"IPREP Bad Content Match and bad rep"; flow:to_server; content:"/index.html"; http_uri; iprep:dst,CnC,>,30; sid:1; rev:1;)

So here we'd have to have a match on index.html, which is a bad thing to
match on, but also have to have the dst IP be listed over 30 points (on a
0-127 scale) as a cnc. Odd example, but I hope you get the point.


A dns module that'll track the domain names looked up that resulted in the
IP being communicated with is next, to allow the same lookups as with an
IP.

Please test and let us know how this goes, and thanks for the great work on
this Victor!


Matt



https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationRules
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationConfig



On Thu, Nov 29, 2012 at 6:05 AM, Victor Julien <victor at inliniac.net> wrote:

> The OISF development team is proud to announce Suricata 1.4rc1, the
> first (and hopefully only) release candidate for Suricata 1.4. This
> release improves stability and accuracy, in addition to adding a few new
> exciting features.
>
> This release adds two major new features: a unix socket command mode,
> allowing for easy processing of large numbers of pcap files, and IP
> reputation. Both features are considered experimental.
>
> Get the new release here:
> http://www.openinfosecfoundation.org/download/suricata-1.4rc1.tar.gz
>
> New features
>
> - Interactive unix socket mode (#571, #552)
> - IP Reputation: loading and matching (#647)
> - Improved --list-keywords commandline option gives detailed info for
> supported keyword, including doc link (#435)
>
> Improvements
>
> - Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494)
> - User-Agent added to file log and filestore meta files (#629)
> - Endace DAG supports live stats and at exit drop stats (#638)
> - Add support for libhtp event "request port doesn't match tcp port" (#650)
>
> Fixes
>
> - Rules with negated addresses will not be considered IP-only (#599)
> - Rule reloads complete much faster in low traffic conditions (#526)
> - Suricata -h now displays all available options (#419)
> - Luajit configure time detection was improved (#636)
> - Flow manager mutex used w/o initialization (#628)
> - Cygwin work around for windows shell mangling interface string (#372)
> - Fix a Prelude output crash with alerts generated by rules w/o
> classtype or msg (#648)
> - CLANG compiler build fixes (#649)
> - Several fixes found by code analyzers
>
> Credits
>
> - Jason Ish -- Endace
> - Ludovico Cavedon -- Lastline
> - Last G
>
> Known issues & missing features
>
> This is a "release candidate"-quality release so the stability should be
> good although unexpected corner cases might happen. If you encounter
> one, please let us know!
>
> As always, we are doing our best to make you aware of continuing
> development and items within the engine that are not yet complete or
> optimal.  With this in mind, please notice the list we have included of
> known items we are working on.
>
> See http://redmine.openinfosecfoundation.org/projects/suricata/issues
> for an up to date list and to report new issues. See
>
> http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues
> for a discussion and time line for the major issues.
>
> About Suricata
>
> Suricata is a high performance Network IDS, IPS and Network Security
> Monitoring engine. Open Source and owned by a community run non-profit
> foundation, the Open Information Security Foundation (OISF). Suricata is
> developed by the OISF, its supporting vendors and the community.
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>



-- 

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
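Added example, not part of Matt's mail and not Suricata's own code: a small Python model of how the iprep keyword quoted above is evaluated. It loads a category list and a reputation list (constructed inline, in the id/name/description and ip/category/score layouts the IPReputationConfig page describes; treat the exact layout as an assumption), parses an option such as dst,CnC,>,30 and then checks a packet's addresses against it, including the "weak content match plus reputation" combination from the second rule. The side names (any/src/dst/both), the operators (<, >, =) and the treatment of a host with no score as "no match" are assumptions based on the syntax in the mail.

```python
"""Toy model of Suricata's iprep keyword (added example, not Suricata code).

Loads a category list and a reputation list, parses the value of an
iprep: option such as "dst,CnC,>,30", and decides whether a packet's
source/destination addresses satisfy it. File layouts, side names and
operators are assumptions based on the syntax quoted in the mail above.
"""
import operator
from dataclasses import dataclass

# Constructed sample data. Category file lines: <id>,<short name>,<description>
CATEGORIES_TXT = """\
# id,name,description
1,CnC,Command and control servers
2,Scanner,Hosts seen scanning
"""
# Reputation list lines: <ip>,<category id>,<score 0-127>
REPUTATION_TXT = """\
203.0.113.10,1,101
203.0.113.20,1,12
198.51.100.5,2,77
"""

SIDES = ("any", "src", "dst", "both")
OPERATORS = {">": operator.gt, "<": operator.lt, "=": operator.eq}


def load_categories(text):
    """Map category short name -> numeric id."""
    cats = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cat_id, name, _desc = line.split(",", 2)
        cats[name.strip()] = int(cat_id)
    return cats


def load_reputation(text):
    """Map ip -> {category id: score}; rejects scores outside 0-127."""
    rep = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, cat_id, score = (p.strip() for p in line.split(","))
        score = int(score)
        if not 0 <= score <= 127:
            raise ValueError("score out of 0-127 range: " + line)
        rep.setdefault(ip, {})[int(cat_id)] = score
    return rep


@dataclass
class IpRep:
    side: str
    category: str
    op: str
    value: int


def parse_iprep(option):
    """Parse the value of iprep:<side>,<cat>,<operator>,<value>."""
    parts = [p.strip() for p in option.split(",")]
    if len(parts) != 4:
        raise ValueError("iprep needs exactly 4 fields: " + option)
    side, cat, op, value = parts
    if side not in SIDES:
        raise ValueError("bad side: " + side)
    if op not in OPERATORS:
        raise ValueError("bad operator: " + op)
    value = int(value)
    if not 0 <= value <= 127:
        raise ValueError("value must be 0-127: " + str(value))
    return IpRep(side, cat, op, value)


def iprep_match(rule, src_ip, dst_ip, cats, rep):
    """True when the chosen side(s) carry a score for the category that
    satisfies the operator. A host with no entry for the category is
    treated as not matching (assumption)."""
    cat_id = cats.get(rule.category)
    if cat_id is None:
        raise ValueError("unknown category: " + rule.category)
    compare = OPERATORS[rule.op]

    def host_ok(ip):
        score = rep.get(ip, {}).get(cat_id)
        return score is not None and compare(score, rule.value)

    if rule.side == "src":
        return host_ok(src_ip)
    if rule.side == "dst":
        return host_ok(dst_ip)
    if rule.side == "both":
        return host_ok(src_ip) and host_ok(dst_ip)
    return host_ok(src_ip) or host_ok(dst_ip)  # "any"


def content_and_rep_fires(uri, src_ip, dst_ip, cats, rep):
    """Second rule from the mail: weak URI match AND iprep:dst,CnC,>,30.
    The reputation check suppresses hits on the common URI whenever the
    destination is not a CnC host scored above 30."""
    if "/index.html" not in uri:
        return False
    return iprep_match(parse_iprep("dst,CnC,>,30"), src_ip, dst_ip, cats, rep)


if __name__ == "__main__":
    cats = load_categories(CATEGORIES_TXT)
    rep = load_reputation(REPUTATION_TXT)
    for dst in ("203.0.113.10", "203.0.113.20", "198.51.100.5"):
        print(dst, content_and_rep_fires("/index.html", "10.0.0.5", dst, cats, rep))
```

Running the block prints one line per destination: only 203.0.113.10 (CnC score 101) fires; 203.0.113.20 is listed as CnC but at 12 points, and 198.51.100.5 has no CnC score at all, so the index.html hit alone is not enough for either.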

