Suricata 5.0 attack detection system available

The OISF (Open Information Security Foundation) organization has published the release of the Suricata 5.0 network intrusion detection and prevention system, which provides tools for inspecting various types of traffic. Suricata configurations can use the signature bases developed by the Snort project, as well as the Emerging Threats and Emerging Threats Pro rule sets. The project's source code is distributed under the GPLv2 license.

Major changes:

  • New parsing and logging modules, written in Rust, have been introduced for the RDP, SNMP and SIP protocols. The FTP parsing module gained the ability to log through the EVE subsystem, which outputs events in JSON format;

  • In addition to the support for the JA3 TLS client identification method introduced in the previous release, support for the JA3S method has been added. Based on the specifics of connection negotiation and the parameters offered, it allows determining which software is used to establish a connection (for example, it can detect the use of Tor and other typical applications). JA3 identifies clients, and JA3S identifies servers. The results can be used in the rule language and in the logs;
  • An experimental ability to match against large datasets has been added, implemented with the new dataset and datarep operations. For example, the feature is applicable to searching for patterns in large blocklists with millions of entries;
  • The HTTP inspection mode fully covers all the situations described in the HTTP Evader test suite (that is, the techniques used to hide malicious activity in traffic);
  • The Rust module build tools have been moved from optional to mandatory standard dependencies. In the future, the project plans to expand the use of Rust in its code base and gradually replace modules with counterparts written in Rust;
  • The protocol detection engine has been improved in terms of accuracy and handling of asynchronous traffic flows;
  • The EVE log gained support for a new record type, "anomaly", which stores atypical events detected while packets are decoded. EVE also shows more information about VLANs and traffic capture interfaces. An option to store all HTTP headers in EVE http records has been added;
  • eBPF-based handlers now support hardware mechanisms for accelerating packet capture. Hardware acceleration is currently limited to Netronome network adapters, but support for other equipment is expected soon;
  • The code for capturing traffic with the Netmap framework has been rewritten. Advanced Netmap features such as the VALE virtual switch can now be used;
  • Support has been added for a new keyword definition scheme for sticky buffers. The new scheme uses the protocol.buffer format; for example, to inspect a URI the keyword is now "http.uri" instead of "http_uri";
  • All Python code used has been checked for compatibility with Python 3;

  • Support for the Tilera architecture, the dns.log text log, and the old files-json.log log has been discontinued.
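The dataset/datarep matching and the new protocol.buffer sticky-buffer keywords described above are easiest to understand from the files a rule consumes. The following added example (written for this page, not Suricata project code) builds a `type string` dataset and a datarep file from a constructed hostname blocklist, normalizes a hash list for a `type md5`/`type sha256` dataset, and emits a rule using the 5.0 `http.host` sticky buffer with `dataset:isset`. It assumes the on-disk formats documented for Suricata 5.0 datasets (string values base64-encoded one per line, hash values as hex, datarep lines as `<value>,<reputation>`); the rule keyword syntax is reproduced from memory of the 5.0 docs and should be checked against the version in use.

```python
"""Build Suricata 5.0 dataset and datarep files from a plain-text blocklist.

Added example, not Suricata project code. It assumes the on-disk formats
described for Suricata 5.0 datasets: 'string' values are stored base64
encoded, one per line; 'md5' and 'sha256' values are lowercase hex; a
datarep line is '<value>,<reputation>'. The blocklist below is constructed.
"""
import base64
import re

# Constructed sample blocklist: a hostname and a reputation score per line.
BLOCKLIST = """\
# host              score
evil.example        90
bad-cdn.example     40
tracker.example     10
"""

HASH_LEN = {"md5": 32, "sha256": 64}  # hex digits per supported hash type
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_blocklist(text):
    """Return [(host, score), ...] from the constructed blocklist format."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip comments and blank lines
        host, score = line.split()
        entries.append((host.lower(), int(score)))
    return entries


def encode_string_value(value):
    """A 'type string' dataset stores each value base64-encoded on its own line."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def dataset_lines(entries):
    """Lines for a 'type string' dataset (membership only, no scores)."""
    return [encode_string_value(host) for host, _ in entries]


def datarep_lines(entries):
    """Lines for a 'type string' datarep: '<base64 value>,<reputation>'."""
    return [f"{encode_string_value(host)},{score}" for host, score in entries]


def hash_dataset_lines(hashes, algo):
    """Normalize file hashes into lines for a 'type md5' or 'type sha256' dataset.

    Malformed entries raise ValueError rather than silently shrinking the list,
    so a typo in a blocklist cannot turn into a missed match.
    """
    want = HASH_LEN[algo]
    out = []
    for h in hashes:
        h = h.strip()
        if len(h) != want or not HEX_RE.match(h):
            raise ValueError(f"not a {algo} hex digest: {h!r}")
        out.append(h.lower())
    return out


def blocked_host_rule(sid, dataset_path):
    """Rule text using the 5.0 sticky buffer 'http.host' and dataset:isset.

    Keyword syntax as the author of this example recalls it from the 5.0
    dataset documentation (assumption); verify against the docs of your version.
    """
    return (
        "alert http any any -> any any "
        '(msg:"HTTP request to blocklisted host"; http.host; '
        f"dataset:isset,blocked-hosts,type string,load {dataset_path}; "
        f"sid:{sid}; rev:1;)"
    )


def write_dataset_files(entries, set_path, rep_path):
    """Write the dataset and datarep files; returns the number of entries."""
    with open(set_path, "w", encoding="ascii") as f:
        f.write("\n".join(dataset_lines(entries)) + "\n")
    with open(rep_path, "w", encoding="ascii") as f:
        f.write("\n".join(datarep_lines(entries)) + "\n")
    return len(entries)


if __name__ == "__main__":
    hosts = parse_blocklist(BLOCKLIST)
    print("\n".join(datarep_lines(hosts)))
    print(blocked_host_rule(1000001, "blocked-hosts.lst"))
```

The datarep file pairs each value with a score so a single list can drive rules with different thresholds (`datarep:<name>,>,<value>,...`), while the plain dataset answers only "is this value present". Rejecting malformed hashes loudly is deliberate: a blocklist that silently drops entries is a blocklist that silently stops alerting.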

Features of Suricata:

  • Use of the unified2 format for inspection results output, also used by the Snort project, which allows standard analysis tools such as barnyard2 to be used. Integration with BASE, Snorby, Sguil and SQueRT is possible. Output in PCAP format is supported;
  • Automatic protocol detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, etc.), which allows rules to refer only to the protocol type without reference to the port number (for example, to block HTTP traffic on a non-standard port). Decoders for the HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP and SSH protocols;
  • A powerful HTTP traffic analysis system that uses the dedicated HTP library, created by the author of the Mod_Security project, to parse and normalize HTTP traffic. A module is available for keeping a detailed log of transit HTTP transfers; the log is saved in the standard Apache format. Extraction and verification of files transferred over HTTP is supported, as is parsing of compressed content. Identification by URI, Cookie, headers, user-agent, and request/response body is possible;

  • Support for various interfaces for intercepting traffic, including NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING. It is possible to analyze already saved files in PCAP format;
  • High performance: the ability to process streams of up to 10 gigabits/sec on conventional equipment;
  • A high-performance engine for mask matching against large sets of IP addresses. Support for content selection by mask and regular expressions. Extraction of files from traffic, including their identification by name, type or MD5 checksum;
  • Ability to use variables in rules: you can save information from the stream and later use it in other rules;
  • Use of the YAML format in configuration files, which combines human readability with ease of machine processing;
  • Full IPv6 support;
  • A built-in engine for automatic defragmentation and reassembly of packets, which ensures correct processing of streams regardless of the order in which packets arrive;
  • Support for tunneling protocols: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE;
  • Packet decoding support: IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet, PPP, PPPoE, Raw, SLL, VLAN;
  • Logging mode for keys and certificates that appear within TLS/SSL connections;
  • The ability to write Lua scripts to provide advanced analysis and implement additional features needed to identify traffic types for which standard rules are not enough.
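The EVE/JSON output mentioned in the lists above (the new "anomaly" record type, JA3/JA3S fingerprints, and the option to log all HTTP headers) is what most detection work on Suricata actually consumes. The following added example (written for this page, not Suricata project code) parses a handful of constructed EVE lines, counts anomaly records by type and event, indexes JA3S hashes by the servers they were seen on, and pulls a named request header out of http records. The record layouts it assumes (`anomaly.type`/`anomaly.event`, `tls.ja3.hash`/`tls.ja3s.hash`, `http.request_headers` as a list of name/value objects) follow the EVE format as the author of this example understands it; the log lines and hash values are constructed, not real captures.

```python
"""Triage Suricata 5.0 EVE JSON records: anomaly events, JA3/JA3S, HTTP headers.

Added example, not Suricata project code. The record layouts assumed here
(anomaly records with 'anomaly.type' and 'anomaly.event', tls records with
'ja3.hash'/'ja3s.hash', http records with 'request_headers' when all headers
are logged) follow the EVE format as the author of this example understands
it. The log lines and hash values below are constructed, not real captures.
"""
import json
from collections import Counter, defaultdict

# Constructed EVE lines; the last one is deliberately truncated to exercise
# the error handling a half-written log tail would trigger.
SAMPLE_EVE = r"""
{"timestamp":"2019-10-15T10:00:01.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{"sni":"example.com","version":"TLS 1.2","ja3":{"hash":"00000000000000000000000000000a01"},"ja3s":{"hash":"00000000000000000000000000000b01"}}}
{"timestamp":"2019-10-15T10:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.6","dest_ip":"203.0.113.10","dest_port":443,"tls":{"sni":"example.com","version":"TLS 1.2","ja3":{"hash":"00000000000000000000000000000a02"},"ja3s":{"hash":"00000000000000000000000000000b01"}}}
{"timestamp":"2019-10-15T10:00:03.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"198.51.100.20","dest_port":8443,"tls":{"version":"TLS 1.3","ja3":{"hash":"00000000000000000000000000000a01"},"ja3s":{"hash":"00000000000000000000000000000b02"}}}
{"timestamp":"2019-10-15T10:00:04.000000+0000","event_type":"anomaly","src_ip":"10.0.0.9","dest_ip":"10.0.0.1","anomaly":{"type":"decode","event":"ipv4.trunc_pkt"}}
{"timestamp":"2019-10-15T10:00:05.000000+0000","event_type":"anomaly","src_ip":"10.0.0.9","dest_ip":"10.0.0.1","anomaly":{"type":"decode","event":"ipv4.trunc_pkt"}}
{"timestamp":"2019-10-15T10:00:06.000000+0000","event_type":"anomaly","src_ip":"10.0.0.7","dest_ip":"10.0.0.1","anomaly":{"type":"stream","event":"stream.pkt_invalid_ack"}}
{"timestamp":"2019-10-15T10:00:07.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.30","http":{"hostname":"example.org","url":"/login","http_method":"POST","request_headers":[{"name":"Host","value":"example.org"},{"name":"X-Forwarded-For","value":"198.51.100.7"},{"name":"User-Agent","value":"curl/7.66.0"}]}}
{"timestamp":"2019-10-15T10:00:08.000000+0000","event_type":"http","src_ip":"10.0.0
"""


def parse_eve(text):
    """Parse one JSON record per line; returns (records, skipped_count).

    A partially written line (the tail of a log that is still being rotated)
    must not abort the whole run, so unparseable lines are counted and skipped.
    """
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return records, skipped


def anomaly_summary(records):
    """Count anomaly records by (type, event), the fields an anomaly record carries."""
    counts = Counter()
    for r in records:
        if r.get("event_type") == "anomaly":
            a = r.get("anomaly", {})
            counts[(a.get("type"), a.get("event"))] += 1
    return counts


def ja3s_servers(records):
    """Map each JA3S hash to the set of (dest_ip, dest_port, sni) it was seen on.

    JA3S fingerprints the server side of the handshake, so one hash spread over
    many distinct servers identifies server software; one hash on a single
    unexpected port is worth a closer look.
    """
    servers = defaultdict(set)
    for r in records:
        if r.get("event_type") != "tls":
            continue
        tls = r.get("tls", {})
        h = tls.get("ja3s", {}).get("hash")
        if h:
            servers[h].add((r.get("dest_ip"), r.get("dest_port"), tls.get("sni")))
    return servers


def clients_per_ja3(records):
    """Map each JA3 (client) hash to the set of source IPs presenting it."""
    clients = defaultdict(set)
    for r in records:
        if r.get("event_type") != "tls":
            continue
        h = r.get("tls", {}).get("ja3", {}).get("hash")
        if h:
            clients[h].add(r.get("src_ip"))
    return clients


def http_header_values(records, name):
    """Collect (src_ip, value) for a request header, matched case-insensitively.

    Only populated when Suricata is configured to log all HTTP headers.
    """
    wanted = name.lower()
    out = []
    for r in records:
        if r.get("event_type") != "http":
            continue
        for hdr in r.get("http", {}).get("request_headers", []):
            if hdr.get("name", "").lower() == wanted:
                out.append((r.get("src_ip"), hdr.get("value")))
    return out


if __name__ == "__main__":
    recs, skipped = parse_eve(SAMPLE_EVE)
    print(f"{len(recs)} records, {skipped} skipped")
    for (kind, event), n in anomaly_summary(recs).most_common():
        print(f"anomaly {kind}/{event}: {n}")
    for h, seen in ja3s_servers(recs).items():
        print(f"ja3s {h}: {sorted(seen, key=str)}")
```

Anomaly counts are a cheap health signal: a sudden rise in decode events from one source usually means broken or deliberately malformed traffic and deserves a look before tuning rules around it. Indexing JA3S by server rather than by flow is what makes the hash useful as a fingerprint, since the same value recurring across unrelated destinations says more about the software than any single connection does.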
Source: opennet.ru