Versie4.0 van Suricata is uitgekomen. Suricata is een opensource-network intrusion detection system (IDS), intrusion prevention system (IPS) en network security monitoring engine. Het kan worden gebruikt om netwerkverkeer te monitoren en een systeembeheerder een waarschuwing te geven als er iets verdachts wordt gesignaleerd. De Open Information Security Foundation coördineert de ontwikkeling, met hulp van de community en diverse fabrikanten. De met het op json gebaseerd logsysteem Eve verzamelde data kan onder meer met Logstash worden gebruikt om zo informatie grafisch weer te geven. In versie 4.0 zijn onder meer de detectiemogelijkheden verbeterd, zijn er extra opties voor het weergeven van de data en worden er meer protocollen ondersteund.
Based on valuable feedback from the rule writing teams at Emerging Threats and Positive Technologies we’ve added and improved many rule keywords for inspecting HTTP, SSH and other protocols. TLS additions were contributed by Mats Klepsland at NorCERT, including decoding, logging and matching on TLS serial numbers. Additionally, Suricata now allows rule writers to specify who’s the target in a signature. This information is used in EVE JSON logging to give more context with alerts.TLS improved, NFS added
More on the TLS side: A major new feature is support for STARTTLS in SMTP and FTP. TLS sessions will now be logged in these cases. More goodness from Mats Klepsland. Also, TLS session resumption logging is now supported thanks to the work of Ray Ruvinskiy. Additional TLS logging improvements were done by Paulo Pacheco.
NFS decoding, logging and file extraction was added as part of the experimental Rust support. Read on for more information about Rust.More EVE JSON
EVE is extended in several ways:
- in the case of encapsulated traffic both the inner and outer ip addresses and ports are logged
- the ‘vars’ facility logs flowbits and other vars. This can also be used to log data extracted from traffic using a PCRE statement in rules
- EVE can now be rotated based on time
- EVE was extended to optionally log the HTTP request and/or response bodies
- the (partial) flow record is added to alert records.
The ‘vars’ facility is one of the main improvements here, as it is now possible for a signature to accurately extract information for logging. For instance, a signature can extract an advertised software version or other information such as the recipient of an email. [https://blog.inliniac.net/2016/12/20/suricata-bits-ints-and-vars/]First Step into a Safer Future
This is the first release in which we’ve implemented parts in the Rust language using the Nom parser framework. This work is inspired by Pierre Chiffliers’ (ANSSI), talk at SuriCon 2016 (pdf). By compiling with –enable-rust you’ll get a basic NFS parser and a re-implementation of the DNS parser. Feedback on this is highly appreciated.
The Rust support is still experimental, as we are continuing to explore how it functions, performs and what it will take to support it in the community. Additionally we included Pierre Chiffliers Rust parsers work. This uses external Rust parser ‘crates’ and is enabled by using –enable-rust-experimental. Initially this adds a NTP parser.Under the Hood
A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode. First steps in TCP GAP recovery were taken, with implementations for DNS and NFS.
For developers, this release makes extending the detection engine with high performance keywords a lot easier. Adding a new high performance keyword using multi pattern matching does now requires only a few lines of code.Documentation
David Wharton at SecureWorks has created a section in the documentation for rule writers who have a background in Snort. It documents changes that are relevant for writing rules.Next steps
Based on the feedback we’ll get we’re expecting to do a 4.0.1 release in a month or so. Then we’ll start work on the next major release, which is 4.1. This is planned for late fall, ETA before SuriCon in Prague.
Logstash Kibana gevoed met informatie van Suricata met json-output.