From jonkman at jonkmans.com Wed Dec 16 09:10:54 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 16 Dec 2009 09:10:54 -0500
Subject: [Discussion] The OISF Welcomes the Mammoth Law Group as a Partner
Message-ID: <4B28EA6E.4040804@jonkmans.com>

For the past few months the Mammoth Law Group has been contributing legal services to the OISF pro bono. We'd like to officially thank them for their untiring efforts and expertise. They've been invaluable to the Foundation.

Please consider using their services if you're in the market and help us return the generous support they've shown the community! Very few firms have their understanding of the open source industry.

http://www.mammothlawgroup.com

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Thu Dec 17 08:52:14 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 17 Dec 2009 08:52:14 -0500
Subject: [Discussion] The OISF Welcomes Kerio as a new Consortium Member!
Message-ID: <4B2A378E.1070605@jonkmans.com>

The OISF is excited to welcome Kerio (http://www.kerio.com) as a member of the OISF Consortium. Kerio brings a great deal of security expertise, especially on Windows platforms.

Kerio will be primarily contributing the expertise and effort to maintain a Windows binary distribution for the OISF Engine (Suricata). This will be a critical function to help Suricata best serve all parts of the IDS community.

We're extremely grateful for their support. Help us welcome them to the Foundation!
Matt

From jonkman at jonkmans.com Fri Dec 18 09:14:36 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 18 Dec 2009 09:14:36 -0500
Subject: [Discussion] We have an Official Name and Mascot for the OISF Engine!
Message-ID: <4B2B8E4C.6070300@jonkmans.com>

A big step in the life of any open source project is the choice of a mascot and logo. It was a tough one, we had great suggestions from the community, and the one that rose to the top was a Meerkat.

The Meerkat takes security and vigilance as a life or death responsibility. There is always at least one individual on guard, watching, ready to alert the entire organization. Very much like an IDS sensor. It is always watching, always ready to alert you to danger. Or something like that...

The logo we've chosen for the OISF engine reflects that vigilance. The name Suricata comes from the Latin genus name for the meerkat.

Watch for this logo to be on your next IDS appliance!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata.png
Type: image/png
Size: 11286 bytes
Desc: not available
Url : http://lists.openinfosecfoundation.org/pipermail/discussion/attachments/20091218/8eab20ae/suricata.png

From jonkman at jonkmans.com Wed Dec 30 11:05:16 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 30 Dec 2009 11:05:16 -0500
Subject: [Discussion] First Release of Suricata Available Tomorrow!
Message-ID: <4B3B7A3C.8060305@jonkmans.com>

We're nearly ready for the first release of code from the Open Information Security Foundation! We've been hard at work for over six months now, with about twenty of the most talented and diverse group of programmers I've ever seen together. Six months is an incredibly short timeframe for developing an IDS engine, especially one that's not just the same old ideas but a major step forward. But they've done it, we're nearly there! I'm incredibly honored to be a part of this team.

This is the first release. We haven't of course gotten every feature in there that we want, but what is there is stable and ready for testing.

Stay tuned for more information today and tomorrow!

From jonkman at jonkmans.com Thu Dec 31 09:16:10 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 31 Dec 2009 09:16:10 -0500
Subject: [Discussion] [Emerging-Sigs] First Release of Suricata Available Tomorrow!
In-Reply-To: <4B3BCC79.4050003@redpill-linpro.com>
References: <4B3B7A3C.8060305@jonkmans.com> <4B3BCC79.4050003@redpill-linpro.com>
Message-ID: <4B3CB22A.2070005@jonkmans.com>

We're very excited too! Thanks. Stay tuned, release coming soon!

Matt

On 12/30/09 4:56 PM, Edward Bjarte Fjellskål wrote:
> Congrats to ya all!
>
> looking forward to this :)
> Good stuff for the community!
>
> What a present for us all at the end of the year!
> Thank you all for all your hard work :)
>
> E

From jonkman at jonkmans.com Thu Dec 31 15:11:21 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 31 Dec 2009 15:11:21 -0500
Subject: [Discussion] Suricata IDS Available for Download!
Message-ID: <4B3D0569.4020907@jonkmans.com>

Full Announcement here:
http://www.openinfosecfoundation.org/

It's been about three years in the making, but the day has finally come! We have the first release of the Suricata Engine!
The engine is an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field.

The Suricata Engine and the HTP Library are available to use under the GPLv2.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.

This is considered a Beta Release as we are seeking feedback from the community. This release has many of the major new features we wanted to add to the industry, but certainly not all. We intend to get this base engine out and stable, and then continue to add new features. We expect several new releases in the month of January culminating in a production quality release shortly thereafter.

The engine and the HTP Library are available here:
http://www.openinfosecfoundation.org/index.php/download-suricata

Please join the oisf-users mailing list to discuss and share feedback. The developers will be there ready to help you test.
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

As this is a first release we don't really have a "What's New" section because everything is new. But we do have a number of new ideas and new concepts to Intrusion Detection to note. Some of those are listed below:

Multi-Threading
Amazing that multi-threading is new to IDS, but it is, and we've got it!

Automatic Protocol Detection
The engine not only has keywords for IP, TCP, UDP and ICMP, but also has HTTP, TLS, FTP and SMB! A user can now write a rule to detect a match within an HTTP stream for example regardless of the port the stream occurs on. This is going to revolutionize malware detection and control. Detections for more layer 7 protocols are on the way.
Gzip Decompression
The HTP Parser will decode Gzip compressed streams, allowing much more detailed matching within the engine.

Independent HTP Library
The HTP Parser will be of great use to many other applications such as proxies, filters, etc. The parser is available as a library also under GPLv2 for easy integration into other tools.

Standard Input Methods
You can use NFQueue, IPFRing, and the standard LibPcap to capture traffic. IPFW support coming shortly.

Unified2 Output
You can use your standard output tools and methods with the new engine, 100% compatible!

Flow Variables
It's possible to capture information out of a stream and save that in a variable which can then be matched again later.

Fast IP Matching
The engine will automatically take rules that are IP matches only (such as the RBN and compromised IP lists at Emerging Threats) and put them into a special fast matching preprocessor.

HTTP Log Module
All HTTP requests can be automatically output into an Apache-style log format file. Very useful for monitoring and logging activity completely independent of rulesets and matching. Should you need to do so you could use the engine only as an HTTP logging sniffer.

Coming Very Soon: (Within a few weeks)

Global Flow Variables
The ability to store more information from a stream or match (actual data, not just setting a bit), and storing that information for a period of time. This will make comparing values across many streams and time possible.

Graphics Card Acceleration
Using CUDA and OpenCL we will be able to make use of the massive processing power of even old graphics cards to accelerate your IDS. Offloading the very computationally intensive functions of the sensor will greatly enhance performance.

IP Reputation
Hard to summarize in a sentence, but Reputation will allow sensors and organizations to share intelligence and eliminate many false positives.

Windows Binaries
As soon as we have a reasonably stable body of code.

The list could go on and on.
Please take a few minutes to download the engine and try it out and let us know what you think. We're not comfortable calling it production ready at the moment until we get your feedback, and we have a few features to complete. We really need your feedback and input. We intend to put out a series of small releases in the two to three weeks to come, and then a production ready major release shortly thereafter. Phase two of our development plan will then begin where we go after some major new features such as IP Reputation shortly.

http://www.openinfosecfoundation.org

From jonkman at jonkmans.com Thu Dec 31 15:44:35 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 31 Dec 2009 15:44:35 -0500
Subject: [Discussion] [Snort-users] Suricata IDS Available for Download!
In-Reply-To: <77e259cc0912311242r28de2ab9vcd0bb8331458df09@mail.gmail.com>
References: <4B3D0569.4020907@jonkmans.com> <77e259cc0912311242r28de2ab9vcd0bb8331458df09@mail.gmail.com>
Message-ID: <4B3D0D33.7050707@jonkmans.com>

Thanks Matt! That's great to hear from you! Look forward to your feedback.

Matt

On 12/31/09 3:42 PM, Matt Olney wrote:
> Congrats to Matt Jonkman and the team at OISF. It's a big step, and I
> look forward to seeing your work (after the new year :))
>
> Matt
From molney at sourcefire.com Thu Dec 31 15:42:04 2009
From: molney at sourcefire.com (Matt Olney)
Date: Thu, 31 Dec 2009 15:42:04 -0500
Subject: [Discussion] [Snort-users] Suricata IDS Available for Download!
In-Reply-To: <4B3D0569.4020907@jonkmans.com>
References: <4B3D0569.4020907@jonkmans.com>
Message-ID: <77e259cc0912311242r28de2ab9vcd0bb8331458df09@mail.gmail.com>

Congrats to Matt Jonkman and the team at OISF. It's a big step, and I look forward to seeing your work (after the new year :))

Matt
From edward.fjellskal at redpill-linpro.com Wed Dec 30 16:56:09 2009
From: edward.fjellskal at redpill-linpro.com (Edward Bjarte Fjellskål)
Date: Wed, 30 Dec 2009 22:56:09 +0100
Subject: [Discussion] [Emerging-Sigs] First Release of Suricata Available Tomorrow!
In-Reply-To: <4B3B7A3C.8060305@jonkmans.com>
References: <4B3B7A3C.8060305@jonkmans.com>
Message-ID: <4B3BCC79.4050003@redpill-linpro.com>

Congrats to ya all!

looking forward to this :)
Good stuff for the community!

What a present for us all at the end of the year!
Thank you all for all your hard work :)

E
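As an added illustration of two features named in the "Suricata IDS Available for Download!" announcement earlier in this archive (rules keyed to the detected application-layer protocol rather than a port, and flow variables that carry state from one match to a later one), and not part of any message in this thread, here is a constructed pair of rules in the Snort-compatible syntax Suricata accepts. The sids, the flowbit name and the content strings are made up for the example; `http` as the rule protocol and the `http_header`, `http_uri` and `flowbits` keywords are the assumed rule language.

```suricata
# Constructed example rules, not from the announcement or the project.
# Using "http" as the protocol means the engine applies these to any flow it
# has detected as HTTP, whatever TCP port the flow runs on.

# Rule 1: record state on the flow when a suspicious User-Agent is seen.
# flowbits:noalert makes this rule set the bit without generating an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Suspicious User-Agent seen"; flow:established,to_server; content:"User-Agent|3a| ExampleBot"; http_header; flowbits:set,example.suspicious_ua; flowbits:noalert; sid:9000001; rev:1;)

# Rule 2: alert only if the same flow, having set the bit, later requests an
# executable. The two conditions may occur in different requests on the flow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Suspicious User-Agent fetching executable"; flow:established,to_server; flowbits:isset,example.suspicious_ua; content:".exe"; http_uri; nocase; sid:9000002; rev:1;)
```

Load the file with -s or via the rule-files section of suricata.yaml and replay a capture containing both requests on a non-standard port to confirm that only the second rule alerts.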