<div>Julien, thanks for the impressive update.</div><div> </div><div>I have a few production deployments of Suricata and noticed a significant problem after the update on a couple of them.</div><div> </div><div>The problem is that all IP-based rules constantly alert like this:</div><div><p><span>{"timestamp":"2016-06-21T16:24:00.033224+0300","alert":{"action":"allowed","gid":1,"signature_id":2404014,"rev":4267,"signature":"CNC Shadowserver Reported CnC Server IP group 13","category":"reported-bad-ip","severity":2}}</span></p><p><span>{"timestamp":"2016-06-21T16:24:00.033224+0300","alert":{"action":"allowed","gid":1,"signature_id":2404014,"rev":4267,"signature":"CNC Shadowserver Reported CnC Server IP group 14","category":"reported-bad-ip","severity":2}}</span></p><p><span>{"timestamp":"2016-06-21T16:24:00.033224+0300","alert":{"action":"allowed","gid":1,"signature_id":2404014,"rev":4267,"signature":"CNC Shadowserver Reported CnC Server IP group 15","category":"reported-bad-ip","severity":2}}</span></p></div><div>And so on. I tried disabling these "Reported CnC" rules, but there are many such rules and obviously that's not a workaround. I also noticed that it is always only 15 IP-based rules that alert. Disabling one group of rules causes other rules to alert, and it's always 15 of them.</div><div> </div><div>Same ruleset, same environment, on 3.01 there's no such problem.</div><div> </div><div> </div><div> </div><blockquote type="cite"><div><br /><div><div>---------- Original message ---------<br />From: Victor Julien <<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>><br />Date: Mon, 20 Jun 2016 
at 14:12<br />Subject: [Oisf-users] Suricata 3.1 released!<br />To: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a> <<a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>></div><br /><br />We're proud to announce *Suricata 3.1*.<br /> <br /> This release brings significant improvements on the performance side:<br /> - Hyperscan integration for Multi Pattern Matcher and Single Pattern<br />   Matcher. If installed, Hyperscan is now the default.<br /> - Rewrite of the detection engine, simplifying rule grouping. This<br />   improves performance, while reducing memory usage and startup time<br />   in many scenarios.<br /> <br /> Packet capture got a lot of attention:<br /> - AF_PACKET support for tpacket-v3 (experimental)<br /> - NETMAP usability improvements, especially on FreeBSD<br /> <br /> Config:<br /> - Reorganised default configuration layout provides for intuitive<br />   and easy set up.<br /> <br /> This release also comes with libhtp 0.5.20, in which we address a number<br /> of issues Steffen Ullrich of HTTP Evader reported.<br /> <br /> A new keyword ‘tls_sni’ was added, including MPM support. 
It allows<br /> matching on the TLS SNI field.<br /> <br /> Other than that, lots of cleanups and optimizations:<br /> - locking has been much simplified<br /> - TCP and IPv6 decoder optimizations<br /> - unittest cleanups<br /> - AFL fuzz testing options were added<br /> <br /> Have a look at the full changelog:<br /> <a href="https://github.com/inliniac/suricata/blob/0e9134930d4840de49295d65a5a2e7c81dd103ee/ChangeLog" target="_blank">https://github.com/inliniac/suricata/blob/0e9134930d4840de49295d65a5a2e7c81dd103ee/ChangeLog</a><br /> <br /> <br /> *Changes since 3.1RC1*<br /> <br /> - AF_PACKETv2 is the default as v3 is still experimental.<br /> - NFQ runmode workers was fixed.<br /> <br /> Get the release here:<br /> <a href="http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz" target="_blank">http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz</a><br /> <br /> <br /> *Upgrading*<br /> <br /> See<br /> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_30_to_Suricata_31" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_30_to_Suricata_31</a><br /> for some info on upgrading to 3.1.<br /> <br /> <br /> *Special thanks*<br /> <br /> Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,<br /> AFL project, CoverityScan<br /> <br /> Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor<br /> Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez<br /> David Diallo, Torgeir Natvig, Steffen Ullrich<br /> <br /> <br /> *Known issues & missing features*<br /> <br /> In a release candidate like this things may not be as polished yet. So<br /> please handle with care. That said, if you encounter issues, please let<br /> us know! As always, we are doing our best to make you aware of<br /> continuing development and items within the engine that are not yet<br /> complete or optimal. 
With this in mind, please notice the list we have<br /> included of known items we are working on.<br /> <br /> See <a href="http://redmine.openinfosecfoundation.org/projects/suricata/issues" target="_blank">http://redmine.openinfosecfoundation.org/projects/suricata/issues</a><br /> for an up to date list and to report new issues. See<br /> <a href="http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues" target="_blank">http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues</a><br /> for a discussion and time line for the major issues.<br /> <br /> <br /> *SuriCon 2.0*<br /> <br /> Join us in Washington, D.C. November 9-11 for the 2nd Suricata User<br /> Conference. <a href="http://suricon.net/" target="_blank">http://suricon.net/</a><br /> <br /> <br /> *Training & Support*<br /> <br /> Need help installing, updating, validating and tuning Suricata? We have<br /> trainings coming up. September 12-16 in Paris, November 7 & 8 in<br /> Washington, D.C.: see <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br /> <br /> For support options also see <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br /> <br /> <br /> *About Suricata*<br /> <br /> Suricata is a high performance Network Threat Detection, IDS, IPS and<br /> Network Security Monitoring engine. Open Source and owned by a community<br /> run non-profit foundation, the Open Information Security Foundation<br /> (OISF). 
Suricata is developed by the OISF, its supporting vendors and<br /> the community.<br /> <br /> --<br /> ---------------------------------------------<br /> Victor Julien<br /> <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br /> PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br /> ---------------------------------------------<br /> <br /> _______________________________________________<br /> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br /> Site: <a href="http://suricata-ids.org/" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br /> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br /> Suricata User Conference November 9-11 in Washington, DC: <a href="http://oisfevents.net/" target="_blank">http://oisfevents.net</a></div></div><div>-- </div><div data-smartmail="gmail_signature"><div><font color="#000000"><span>Nikita Kislitsin</span><br /></font><div><span>Head of Network Security Department</span><font color="#000000"><br /></font></div><font color="#000000">Group-IB</font><br /><font face="sans-serif"><span>+7 (495) </span><span><span>984-33-64</span></span><span> ext. 137</span></font><br /><font face="sans-serif"><span><u></u><span>+7 (903) 791-65-28</span><u></u></span></font><br /><a href="mailto:kislitsin@group-ib.com">kislitsin@group-ib.com</a><br /><a href="http://www.group-ib.com/">www.group-ib.com</a><font face="sans-serif"><span> </span></font></div></div></blockquote>
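<div>Added triage example, not code from this thread, from Nikita's deployment, or from the Suricata project: a small eve.json summariser that makes the symptom described above (a fixed handful of IP-reputation signatures alerting on everything) stand out, and that flags a signature_id logged under more than one signature text, as in the three quoted lines. The sample records embedded below are constructed for the example (the IPs, the second sid and the truncated line are invented), so it runs offline; point it at a real eve.json path to use it on a sensor.</div>

```python
"""Added triage example; not code from the mailing-list thread or from Suricata.

Summarise eve.json alert records so a rule storm (a few sids producing
almost every alert) is easy to spot, and warn when one signature_id is
logged under several signature texts.
"""
import json
import sys
from collections import Counter, defaultdict

# Constructed eve.json excerpt: one JSON object per line, mixed event types,
# with a deliberately truncated last line as happens at log rotation.
SAMPLE_EVE = """\
{"timestamp":"2016-06-21T16:24:00.033224+0300","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","alert":{"action":"allowed","gid":1,"signature_id":2404014,"rev":4267,"signature":"CNC Shadowserver Reported CnC Server IP group 13","category":"reported-bad-ip","severity":2}}
{"timestamp":"2016-06-21T16:24:00.033224+0300","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","alert":{"action":"allowed","gid":1,"signature_id":2404014,"rev":4267,"signature":"CNC Shadowserver Reported CnC Server IP group 14","category":"reported-bad-ip","severity":2}}
{"timestamp":"2016-06-21T16:24:00.033224+0300","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","alert":{"action":"allowed","gid":1,"signature_id":2404014,"rev":4267,"signature":"CNC Shadowserver Reported CnC Server IP group 15","category":"reported-bad-ip","severity":2}}
{"timestamp":"2016-06-21T16:24:01.100000+0300","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.2","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"potentially-bad-traffic","severity":2}}
{"timestamp":"2016-06-21T16:24:01.200000+0300","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.2","flow":{"pkts_toserver":3}}
{"timestamp":"2016-06-21T16:24:02.0
"""


def parse_alerts(text):
    """Return the alert records from EVE JSON text (one object per line).

    Non-alert events (flow, dns, ...) and unparsable lines are skipped, so a
    half-written line at the tail of a rotated log does not abort triage.
    """
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if isinstance(rec.get("alert"), dict) and rec.get("event_type", "alert") == "alert":
            alerts.append(rec)
    return alerts


def count_by_sid(alerts):
    """Alert count per signature_id."""
    return Counter(a["alert"]["signature_id"] for a in alerts)


def sid_name_conflicts(alerts):
    """{sid: sorted signature texts} for sids logged under more than one msg.

    One sid should map to one msg. Several names under one sid means the
    logged names cannot be trusted for tuning: check the rule files for
    duplicate sids before disabling anything by name.
    """
    names = defaultdict(set)
    for a in alerts:
        names[a["alert"]["signature_id"]].add(a["alert"]["signature"])
    return {sid: sorted(n) for sid, n in names.items() if len(n) > 1}


def top_share(alerts, n):
    """Fraction of all alerts produced by the n most frequent sids.

    Close to 1.0 for a small n means a few rules dominate the log, which is
    the storm pattern rather than normal detection traffic.
    """
    if not alerts:
        return 0.0
    counts = count_by_sid(alerts)
    return sum(c for _, c in counts.most_common(n)) / len(alerts)


def report(alerts, n=15):
    """Plain-text summary; n=15 mirrors the 'always 15 rules' observation."""
    lines = [f"alerts: {len(alerts)}"]
    for sid, c in count_by_sid(alerts).most_common(n):
        lines.append(f"  sid {sid}: {c}")
    lines.append(f"share of top {n} sids: {top_share(alerts, n):.2f}")
    for sid, names in sid_name_conflicts(alerts).items():
        lines.append(f"  WARNING sid {sid} logged under {len(names)} names: {names}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python eve_triage.py [/var/log/suricata/eve.json]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    print(report(parse_alerts(text)))
```

<div>On the constructed sample the top sid accounts for three of four alerts and is flagged for carrying three different signature texts; on a real sensor, a top share near 1.0 for the first 15 sids together with such warnings is the state to capture (ruleset version, suricata.yaml, the sids involved) before filing the report.</div>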