[Discussion] [Snort-users] Suricata IDS Available for Download!

Thu Dec 31 20:42:04 UTC 2009

Congrats to Matt Jonkman and the team at OISF.  It's a big step, and I look
forward to seeing your work (after then new year :))

Matt

On Thu, Dec 31, 2009 at 3:11 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:

> Full Announcement here:
> http://www.openinfosecfoundation.org/
>
>
> It's been about three years in the making, but the day has finally come!
> We have the first release of the Suricata Engine! The engine is an Open
> Source Next Generation Intrusion Detection and Prevention Tool, not
> intended to just replace or emulate the existing tools in the industry,
> but to bring new ideas and technologies to the field.
>
> The Suricata Engine and the HTP Library are available to use under the
> GPLv2.
>
> The HTP Library is an HTTP normalizer and parser written by Ivan Ristic
> of Mod Security fame for the OISF. This integrates and provides very
> advanced processing of HTTP streams for Suricata. The HTP library is
> required by the engine, but may also be used independently in a range of
> applications and tools.
>
> This is considered a Beta Release as we are seeking feedback from the
> community. This release has many of the major new features we wanted to
> add to the industry, but certainly not all. We intend to get this base
> engine out and stable, and then continue to add new features. We expect
> several new releases in the month of January culminating in a production
> quality release shortly thereafter.
>
> The engine and the HTP Library are available here:
> http://www.openinfosecfoundation.org/index.php/download-suricata
>
> Please join the oisf-users mailing list to discuss and share feedback.
> The developers will be there ready to help you test.
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
> As this is a first release we don't really have a "what's New" section
> because everything is new. But we do have a number of new ideas and new
> concepts to Intrusion Detection to note. Some of those are listed below:
>
>
>
> Multi-Threading
> Amazing that multi-threading is new to IDS, but it is, and we've got it!
>
>
> Automatic Protocol Detection
> The engine not only has keywords for IP, TCP, UDP and ICMP, but also has
> HTTP, TLS, FTP and SMB! A user can now write a rule to detect a match
> within an HTTP stream for example regardless of the port the stream
> occurs on. This is going to revolutionize malware detection and control.
> Detections for more layer 7 protocols are on the way.
>
>
> Gzip Decompression
> The HTP Parser will decode Gzip compressed streams, allowing much more
> detailed matching within the engine.
>
>
> Independent HTP Library
> The HTP Parser will be of great use to many other applications such as
> proxies, filters, etc. The parser is available as a library also under
> GPLv2 for easy integration ito other tools.
>
>
> Standard Input Methods
> You can use NFQueue, IPFRing, and the standard LibPcap to capture
> traffic. IPFW support coming shortly.
>
>
> Unified2 Output
> You can use your standard output tools and methods with the new engine,
> 100% compatible!
>
>
> Flow Variables
> It's possible to capture information out of a stream and save that in a
> variable which can then be matched again later.
>
>
> Fast IP Matching
> The engine will automatically take rules that are IP matches only (such
> as the RBN and compromised IP lists at Emerging Threats) and put them
> into a special fast matching preprocessor.
>
>
> HTTP Log Module
> All HTTP requests can be automatically output into an apache-style log
> format file. Very useful for monitoring and logging activity completely
> independent of rulesets and matching. Should you need to do so you could
> use the engine only as an HTTP logging sniffer.
>
>
>
> Coming Very Soon: (Within a few weeks)
>
> Global Flow Variables
> The ability to store more information from a stream or match (actual
> data, not just setting a bit), and storing that information for a period
> of time. This will make comparing values across many streams and time
> possible.
>
>
> Graphics Card Acceleration
> Using CUDA and OpenCL we will be able to make use of the massive
> processing power of even old graphics cards to accelerate your IDS.
> Offloading the very computationally intensive functions of the sensor
> will greatly enhance performance.
>
>
> IP Reputation
> Hard to summarize in a sentence, but Reputation will allow sensors and
> organizations to share intelligence and eliminate many false positives.
>
>
> Windows Binaries
> As soon as we have a reasonably stable body of code.
>
>
>
> The list could go on and on. Please take a few minutes to download the
> engine and try it out and let us know what you think. We're not
> comfortable calling it production ready at the moment until we get your
> feedback, and we have a few features to complete. We really need your
> feedback and input. We intend to put out a series of small releases in
> the two to three weeks to come, and then a production ready major
> release shortly thereafter. Phase two of our development plan will then
> begin where we go after some major new features such as IP Reputation
> shortly.
>
> http://www.openinfosecfoundation.org
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
> ------------------------------------------------------------------------------
> This SF.Net email is sponsored by the Verizon Developer Community
> Take advantage of Verizon's best-in-class app development support
> A streamlined, 14 day to market process makes app distribution fast and
> easy
> Join now and get one step closer to millions of Verizon customers
> http://p.sf.net/sfu/verizon-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openinfosecfoundation.org/pipermail/discussion/attachments/20091231/80217041/attachment-0001.html