Congrats to Matt Jonkman and the team at OISF. It's a big step, and I look forward to seeing your work (after then new year :))<div><br>Matt<br><br><div class="gmail_quote">On Thu, Dec 31, 2009 at 3:11 PM, Matt Jonkman <span dir="ltr"><<a href="mailto:jonkman@jonkmans.com">jonkman@jonkmans.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Full Announcement here:<br>
<a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
<br>
<br>
It's been about three years in the making, but the day has finally come!<br>
We have the first release of the Suricata Engine! The engine is an Open<br>
Source Next Generation Intrusion Detection and Prevention Tool, not<br>
intended to just replace or emulate the existing tools in the industry,<br>
but to bring new ideas and technologies to the field.<br>
<br>
The Suricata Engine and the HTP Library are available to use under the<br>
GPLv2.<br>
<br>
The HTP Library is an HTTP normalizer and parser written by Ivan Ristic<br>
of Mod Security fame for the OISF. This integrates and provides very<br>
advanced processing of HTTP streams for Suricata. The HTP library is<br>
required by the engine, but may also be used independently in a range of<br>
applications and tools.<br>
<br>
This is considered a Beta Release as we are seeking feedback from the<br>
community. This release has many of the major new features we wanted to<br>
add to the industry, but certainly not all. We intend to get this base<br>
engine out and stable, and then continue to add new features. We expect<br>
several new releases in the month of January culminating in a production<br>
quality release shortly thereafter.<br>
<br>
The engine and the HTP Library are available here:<br>
<a href="http://www.openinfosecfoundation.org/index.php/download-suricata" target="_blank">http://www.openinfosecfoundation.org/index.php/download-suricata</a><br>
<br>
Please join the oisf-users mailing list to discuss and share feedback.<br>
The developers will be there ready to help you test.<br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
<br>
As this is a first release we don't really have a "what's New" section<br>
because everything is new. But we do have a number of new ideas and new<br>
concepts to Intrusion Detection to note. Some of those are listed below:<br>
<br>
<br>
<br>
Multi-Threading<br>
Amazing that multi-threading is new to IDS, but it is, and we've got it!<br>
<br>
<br>
Automatic Protocol Detection<br>
The engine not only has keywords for IP, TCP, UDP and ICMP, but also has<br>
HTTP, TLS, FTP and SMB! A user can now write a rule to detect a match<br>
within an HTTP stream for example regardless of the port the stream<br>
occurs on. This is going to revolutionize malware detection and control.<br>
Detections for more layer 7 protocols are on the way.<br>
<br>
<br>
Gzip Decompression<br>
The HTP Parser will decode Gzip compressed streams, allowing much more<br>
detailed matching within the engine.<br>
<br>
<br>
Independent HTP Library<br>
The HTP Parser will be of great use to many other applications such as<br>
proxies, filters, etc. The parser is available as a library also under<br>
GPLv2 for easy integration ito other tools.<br>
<br>
<br>
Standard Input Methods<br>
You can use NFQueue, IPFRing, and the standard LibPcap to capture<br>
traffic. IPFW support coming shortly.<br>
<br>
<br>
Unified2 Output<br>
You can use your standard output tools and methods with the new engine,<br>
100% compatible!<br>
<br>
<br>
Flow Variables<br>
It's possible to capture information out of a stream and save that in a<br>
variable which can then be matched again later.<br>
<br>
<br>
Fast IP Matching<br>
The engine will automatically take rules that are IP matches only (such<br>
as the RBN and compromised IP lists at Emerging Threats) and put them<br>
into a special fast matching preprocessor.<br>
<br>
<br>
HTTP Log Module<br>
All HTTP requests can be automatically output into an apache-style log<br>
format file. Very useful for monitoring and logging activity completely<br>
independent of rulesets and matching. Should you need to do so you could<br>
use the engine only as an HTTP logging sniffer.<br>
<br>
<br>
<br>
Coming Very Soon: (Within a few weeks)<br>
<br>
Global Flow Variables<br>
The ability to store more information from a stream or match (actual<br>
data, not just setting a bit), and storing that information for a period<br>
of time. This will make comparing values across many streams and time<br>
possible.<br>
<br>
<br>
Graphics Card Acceleration<br>
Using CUDA and OpenCL we will be able to make use of the massive<br>
processing power of even old graphics cards to accelerate your IDS.<br>
Offloading the very computationally intensive functions of the sensor<br>
will greatly enhance performance.<br>
<br>
<br>
IP Reputation<br>
Hard to summarize in a sentence, but Reputation will allow sensors and<br>
organizations to share intelligence and eliminate many false positives.<br>
<br>
<br>
Windows Binaries<br>
As soon as we have a reasonably stable body of code.<br>
<br>
<br>
<br>
The list could go on and on. Please take a few minutes to download the<br>
engine and try it out and let us know what you think. We're not<br>
comfortable calling it production ready at the moment until we get your<br>
feedback, and we have a few features to complete. We really need your<br>
feedback and input. We intend to put out a series of small releases in<br>
the two to three weeks to come, and then a production ready major<br>
release shortly thereafter. Phase two of our development plan will then<br>
begin where we go after some major new features such as IP Reputation<br>
shortly.<br>
<br>
<a href="http://www.openinfosecfoundation.org" target="_blank">http://www.openinfosecfoundation.org</a><br>
<br>
<br>
----------------------------------------------------<br>
Matthew Jonkman<br>
Emerging Threats<br>
Open Information Security Foundation (OISF)<br>
Phone 765-429-0398<br>
Fax 312-264-0205<br>
<a href="http://www.emergingthreats.net" target="_blank">http://www.emergingthreats.net</a><br>
<a href="http://www.openinformationsecurityfoundation.org" target="_blank">http://www.openinformationsecurityfoundation.org</a><br>
----------------------------------------------------<br>
<br>
PGP: <a href="http://www.jonkmans.com/mattjonkman.asc" target="_blank">http://www.jonkmans.com/mattjonkman.asc</a><br>
<br>
------------------------------------------------------------------------------<br>
This SF.Net email is sponsored by the Verizon Developer Community<br>
Take advantage of Verizon's best-in-class app development support<br>
A streamlined, 14 day to market process makes app distribution fast and easy<br>
Join now and get one step closer to millions of Verizon customers<br>
<a href="http://p.sf.net/sfu/verizon-dev2dev" target="_blank">http://p.sf.net/sfu/verizon-dev2dev</a><br>
_______________________________________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users<br>
Snort-users</a> list archive:<br>
<a href="http://www.geocrawler.com/redir-sf.php3?list=snort-users" target="_blank">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a><br>
</blockquote></div><br></div>