Software-update: Suricata 4.1

Versie 4.1 van Suricata is uitgekomen. Suricata is een opensource-network intrusion detection system (IDS), intrusion prevention system (IPS) en network security monitoring engine. Het kan worden gebruikt om netwerkverkeer te monitoren en een systeembeheerder een waarschuwing te geven als er iets verdachts wordt gesignaleerd. De Open Information Security Foundation coördineert de ontwikkeling, met hulp van de community en diverse fabrikanten. De met het op json gebaseerd logsysteem Eve verzamelde data kan onder meer met Logstash worden gebruikt om zo informatie grafisch weer te geven. In versie 4.1 treffen we diverse in Rust ontwikkelde protocollen aan, zijn er prestatieverbeteringen waar te nemen en is dit de eerste versie waar Suricata-Update 1.0 meegeleverd wordt.

Suricata 4.1 released!
After a longer than intended release development cycle, the OISF development team is proud to present Suricata 4.1.

Main new features are inclusion of the protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2. All of them have been implemented in Rust to ensure their introduction will not be compromising to the security and the stability of the complete system.

Support for tracking and logging TLS 1.3 has been added, including JA3 support.

On performance side, one of the main improvements is the availability of capture bypass for AF_PACKET implemented on top of the new eXpress Data Path (XDP) capability of Linux kernel. Windows users will benefit from the 4.1 release with a new IPS mode based on WinDivert.

All new protocols require Rust so Suricata 4.1 is not really 4.1 if you don’t have Rust. This is why the build system is now enabling Rust by default if it is available on the build machine.

This is the first release where Suricata-Update 1.0, the new Suricata rule updater, is bundled.

Protocol updates

• SMBv1/2/3 parsing, logging, file extraction
• TLS 1.3 parsing and logging (Mats Klepsland)
• JA3 TLS client fingerprinting (Mats Klepsland)
• TFTP: basic logging (Pascal Delalande and Clément Galland)
• FTP: file extraction
• Kerberos parser and logger (Pierre Chifflier)
• IKEv2 parser and logger (Pierre Chifflier)
• DHCP parser and logger
• Flow tracking for ICMPv4
• Initial NFS4 support
• HTTP: handle sessions that only have a response, or start with a response
• HTTP Flash file decompression support (Giuseppe Longo)

Output and logging

• File extraction v2: deduplication; hash-based naming; json metadata and cleanup tooling
• Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
• Eve: new more compact DNS record format (Giuseppe Longo)
• Pcap directory mode: process all pcaps in a directory (Danny Browning)
• Compressed PCAP logging (Max Fillinger)
• Expanded XFF support (Maurizio Abba)
• Community Flow Id support (common ID between Suricata and Bro/Zeek)

Packet Capture

• AF_PACKET XDP and eBPF support for high speed packet capture
• Windows IPS: WinDivert support (Jacob Masen-Smith)
• PF_RING: usability improvements

Misc

• Windows: MinGW is now supported
• Detect: transformation keyword support
• Bundled Suricata-Update
• Per device multi-tenancy

Minor Changes since 4.1rc2

• Coverity fixes and annotations
• Update Suricata-Update to 1.0.0

Security

• SMTP crash issue was fixed: CVE-2018-18956
• Robustness of defrag against FragmentSmack was improved
• Robustness of TCP reassembly against SegmentSmack was improved

Logstash Kibana gevoed met informatie van Suricata met json-output.