Suricata 6.0 Intrusion Detection System Released

After a year of development, the OISF (Open Information Security Foundation) has published the release of the Suricata 6.0 network intrusion detection and prevention system, which provides a means of inspecting various types of traffic. Suricata configurations may use the signature bases developed by the Snort project, as well as the Emerging Threats and Emerging Threats Pro rule sets. The project source code is distributed under the GPLv2 license.

Major changes:

  • Initial support for HTTP/2.
  • Support for the RFB and MQTT protocols, including protocol detection and logging.
  • Possibility of logging for the DCERPC protocol.
  • Significantly improved logging performance in the EVE subsystem, which outputs events in JSON format. The speedup comes from a new stack-based JSON builder written in Rust.
  • Improved scalability of the EVE logging system, including the ability to keep a separate log file for each thread.
  • Ability to define the conditions under which information is written to the log.
  • Ability to include MAC addresses in the EVE log, and more detailed DNS logging.
  • Improved performance of the flow engine.
  • Support for identifying SSH implementations (HASSH).
  • Implementation of the GENEVE tunnel decoder.
  • The ASN.1, DCERPC and SSH processing code has been rewritten in Rust; the newly supported protocols are also implemented in Rust.
  • In the rule definition language, the byte_jump keyword gained the from_end parameter and byte_test gained the bitmask parameter. The pcrexform keyword was implemented to allow a regular expression (pcre) to capture a substring. The urldecode transformation and the byte_math keyword were added.
  • cbindgen can now be used to generate bindings between Rust and C.
  • Added initial plugin support.
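The rule-language additions listed above (urldecode, pcrexform, byte_test with bitmask, byte_math), shown as added example rules; they are not rules from the release notes or from the Suricata project. The sid values, the port 7000 and the two-byte `|AB CD|` marker of a made-up binary protocol are constructed for illustration. The first two rules use the `http` protocol keyword, which also shows the port-independent protocol matching described under the features below. The byte_jump from_end parameter is not exercised here.

```suricata
# Added example rules (constructed; not from the release notes or the Suricata project).
# Multi-line rules use the backslash continuation supported by Suricata.

# urldecode: percent-decode the URI buffer before matching, so that "%2e%2e%2f"
# and "../" are caught by the same content match. "http" matches HTTP on any port.
alert http any any -> any any (msg:"EXAMPLE path traversal in decoded URI"; \
    flow:established,to_server; http.uri; urldecode; content:"../"; \
    sid:9000001; rev:1;)

# pcrexform: replace the request-line buffer with the regex capture group (the
# request path), then run an ordinary content match against that capture.
alert http any any -> any any (msg:"EXAMPLE request path captured with pcrexform"; \
    flow:established,to_server; http.request_line; \
    pcrexform:"^[A-Z]+\s+(\S+)\s+HTTP"; content:"/admin/"; \
    sid:9000002; rev:1;)

# byte_test with bitmask: in the constructed protocol the byte after the |AB CD|
# marker carries a message type in its low nibble. The mask 0x0f is ANDed with
# the byte before the comparison, so only the type nibble must equal 3.
alert tcp any any -> any 7000 (msg:"EXAMPLE message type 3 (byte_test bitmask)"; \
    flow:established,to_server; content:"|AB CD|"; depth:2; \
    byte_test:1,=,3,0,relative,bitmask 0x0f; \
    sid:9000003; rev:1;)

# byte_math: the constructed header stores its own length in 32-bit words at
# offset 0 (after the marker) and the total message length in bytes at offset 1.
# Multiply the header length by 4 to get bytes, then flag a total length that is
# smaller than the header it must contain (a malformed message).
alert tcp any any -> any 7000 (msg:"EXAMPLE total length shorter than header (byte_math)"; \
    flow:established,to_server; content:"|AB CD|"; depth:2; \
    byte_math:bytes 1, offset 0, oper *, rvalue 4, result hdr_len, relative; \
    byte_test:2,<,hdr_len,1,relative; \
    sid:9000004; rev:1;)
```

Load the file alongside the regular rule sets and check `suricata -T -S <file>` (the documented config-test mode) before enabling it on live traffic; a byte_math result variable is only visible within the rule that declares it, so the byte_test that consumes it must follow in the same rule.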

Features of Suricata:

  • Use of the unified2 format for the output of inspection results, also used by the Snort project, which allows standard analysis tools such as barnyard2 to be used. Ability to integrate with the BASE, Snorby, Sguil and SQueRT products. Support for output in PCAP format;
  • Support for automatic detection of protocols (IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, etc.), which allows rules to refer only to the protocol type, without reference to the port number (for example, to block HTTP traffic on a non-standard port). Decoders for the HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP and SSH protocols;
  • A powerful HTTP traffic analysis system that uses the dedicated HTP library, created by the author of the Mod_Security project, to parse and normalize HTTP traffic. A module is available for keeping a detailed log of HTTP transfers passing through, saved in the standard Apache log format. Extraction and verification of files transferred over HTTP is supported. Support for parsing compressed content. Ability to identify by URI, Cookie, headers, user-agent, request/response body;
  • Support for various interfaces for intercepting traffic, including NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING. It is possible to analyze already saved files in PCAP format;
  • High performance: the ability to process streams of up to 10 gigabits per second on commodity hardware.
  • High-performance engine for matching against masks with large sets of IP addresses. Support for selecting content by mask and regular expressions. Extraction of files from traffic, including identification by name, type or MD5 checksum.
  • Ability to use variables in rules: you can save information from the stream and later use it in other rules;
  • Use of the YAML format in configuration files, which combines readability with ease of machine processing;
  • Full IPv6 support;
  • Built-in engine for automatic defragmentation and reassembly of packets, which ensures correct processing of streams regardless of the order in which packets arrive;
  • Support for tunneling protocols: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE;
  • Packet decoding support: IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet, PPP, PPPoE, Raw, SLL, VLAN;
  • Logging mode for keys and certificates that appear within TLS/SSL connections;
  • The ability to write Lua scripts to provide advanced analysis and implement additional features needed to identify traffic types for which standard rules are not enough.

Source: opennet.ru