Cookies op Tweakers

Tweakers maakt gebruik van cookies, onder andere om de website te analyseren, het gebruiksgemak te vergroten en advertenties te tonen. Door gebruik te maken van deze website, of door op 'Ga verder' te klikken, geef je toestemming voor het gebruik van cookies. Wil je meer informatie over cookies en hoe ze worden gebruikt, bekijk dan ons cookiebeleid.

Meer informatie

Software-update: Suricata 4.0.0

Door , 0 reacties, submitter: Victor78, bron: Suricata

Suricata logo (75 pix) Versie4.0 van Suricata is uitgekomen. Suricata is een opensource-network intrusion detection system (IDS), intrusion prevention system (IPS) en network security monitoring engine. Het kan worden gebruikt om netwerkverkeer te monitoren en een systeembeheerder een waarschuwing te geven als er iets verdachts wordt gesignaleerd. De Open Information Security Foundation coördineert de ontwikkeling, met hulp van de community en diverse fabrikanten. De met het op json gebaseerd logsysteem Eve verzamelde data kan onder meer met Logstash worden gebruikt om zo informatie grafisch weer te geven. In versie 4.0 zijn onder meer de detectiemogelijkheden verbeterd, zijn er extra opties voor het weergeven van de data en worden er meer protocollen ondersteund.

Improved Detection

Based on valuable feedback from the rule writing teams at Emerging Threats and Positive Technologies we’ve added and improved many rule keywords for inspecting HTTP, SSH and other protocols. TLS additions were contributed by Mats Klepsland at NorCERT, including decoding, logging and matching on TLS serial numbers. Additionally, Suricata now allows rule writers to specify who’s the target in a signature. This information is used in EVE JSON logging to give more context with alerts.

TLS improved, NFS added

More on the TLS side: A major new feature is support for STARTTLS in SMTP and FTP. TLS sessions will now be logged in these cases. More goodness from Mats Klepsland. Also, TLS session resumption logging is now supported thanks to the work of Ray Ruvinskiy. Additional TLS logging improvements were done by Paulo Pacheco.

NFS decoding, logging and file extraction was added as part of the experimental Rust support. Read on for more information about Rust.

More EVE JSON

EVE is extended in several ways:

  • in the case of encapsulated traffic both the inner and outer ip addresses and ports are logged
  • the ‘vars’ facility logs flowbits and other vars. This can also be used to log data extracted from traffic using a PCRE statement in rules
  • EVE can now be rotated based on time
  • EVE was extended to optionally log the HTTP request and/or response bodies
  • the (partial) flow record is added to alert records.

The ‘vars’ facility is one of the main improvements here, as it is now possible for a signature to accurately extract information for logging. For instance, a signature can extract an advertised software version or other information such as the recipient of an email. [https://blog.inliniac.net/2016/12/20/suricata-bits-ints-and-vars/]

First Step into a Safer Future

This is the first release in which we’ve implemented parts in the Rust language using the Nom parser framework. This work is inspired by Pierre Chiffliers’ (ANSSI), talk at SuriCon 2016 (pdf). By compiling with –enable-rust you’ll get a basic NFS parser and a re-implementation of the DNS parser. Feedback on this is highly appreciated.

The Rust support is still experimental, as we are continuing to explore how it functions, performs and what it will take to support it in the community. Additionally we included Pierre Chiffliers Rust parsers work. This uses external Rust parser ‘crates’ and is enabled by using –enable-rust-experimental. Initially this adds a NTP parser.

Under the Hood

A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode. First steps in TCP GAP recovery were taken, with implementations for DNS and NFS.

For developers, this release makes extending the detection engine with high performance keywords a lot easier. Adding a new high performance keyword using multi pattern matching does now requires only a few lines of code.

Documentation

David Wharton at SecureWorks has created a section in the documentation for rule writers who have a background in Snort. It documents changes that are relevant for writing rules.

Next steps

Based on the feedback we’ll get we’re expecting to do a 4.0.1 release in a month or so. Then we’ll start work on the next major release, which is 4.1. This is planned for late fall, ETA before SuriCon in Prague.

Logstash Kibana gevoed met informatie van Suricata met json-output.

Versienummer 4.0.0
Releasestatus Final
Besturingssystemen Linux
Website Suricata
Download https://suricata-ids.org/download/
Licentietype Voorwaarden (GNU/BSD/etc.)

Reacties


Er zijn nog geen reacties geplaatst


Om te kunnen reageren moet je ingelogd zijn


Nintendo Switch Google Pixel XL 2 LG W7 Samsung Galaxy S8 Google Pixel 2 Sony Bravia A1 OLED Microsoft Xbox One X Apple iPhone 8

© 1998 - 2017 de Persgroep Online Services B.V. Tweakers vormt samen met o.a. Autotrack en Hardware.Info de Persgroep Online Services B.V. Hosting door True

*