[Oisf-users] Suricata 3.1 released!

Sun Jun 26 07:28:49 UTC 2016

On Wed, Jun 22, 2016 at 12:34 PM, Nikita K. <ee-berry at yandex.ru> wrote:
> Julien, thanks for impressive update
>
> I have a few production deployments of Suricata and noticed a significant
> problem after update on a couple of them.
>
> The problem is that all IP-based rules constantly alert like this:
>
> {"timestamp":"2016-06-21T16:24:00.033224+0300","alert":{"action":"allowed","gid":1,"signature_id":2404014,"rev":4267,"signature":"CNC
> Shadowserver Reported CnC Server IP group
> 13","category":"reported-bad-ip","severity":2}}
>
> {"timestamp":"2016-06-21T16:24:00.033224+0300","alert":{"action":"allowed","gid":1,"signature_id":2404014,"rev":4267,"signature":"CNC
> Shadowserver Reported CnC Server IP group
> 14","category":"reported-bad-ip","severity":2}}
>
> {"timestamp":"2016-06-21T16:24:00.033224+0300","alert":{"action":"allowed","gid":1,"signature_id":2404014,"rev":4267,"signature":"CNC
> Shadowserver Reported CnC Server IP group
> 15","category":"reported-bad-ip","severity":2}}
>
> And so on. I tried disabling these "Reported CnC" rules, but there are many
> of such rules and obviously it's not a w\o. I also noticed, that always only
> 15 IP-based rules are alerting. Disabling one group of rules cause another
> rules to alert, and it's always 15 of them.
>
> Same ruleset, same environment,on 3.01 there's no such problem.
>
>

Nikita,

Can you lease open a bug report so we can truck this.
Please describe a reproducible case in detail  - so we can analyze this better.

Thank you

>
>
>
> ---------- Original message ---------
> From: Victor Julien <lists at inliniac.net>
> Date: пн, 20 июн. 2016 г. в 14:12
> Subject: [Oisf-users] Suricata 3.1 released!
> To: oisf-users at openinfosecfoundation.org
> <oisf-users at openinfosecfoundation.org>
>
>
> We're proud to announce *Suricata 3.1*.
>
> This release brings significant improvements on the performance side:
> - Hyperscan integration for Multi Pattern Matcher and Single Pattern
>   Matcher. If installed, Hyperscan is now the default.
> - Rewrite of the detection engine, simplifying rule grouping. This
>   improves performance, while reducing memory usage and startup time
>   in many scenarios.
>
> Packet capture got a lot of attention:
> - AF_PACKET support for tpacket-v3 (experimental)
> - NETMAP usability improvements, especially on FreeBSD
>
> Config:
> - Reorganised default configuration layout provides for intuitive
>   and easy set up.
>
> This release also comes with libhtp 0.5.20, in which we address a number
> of issues Steffen Ullrich of HTTP Evader reported.
>
> A new keyword ‘tls_sni’ was added, including MPM support. It allows
> matching on the TLS SNI field.
>
> Other than that, lots of cleanups and optimizations:
> - locking has been much simplified
> - TCP and IPv6 decoder optimizations
> - unittest cleanups
> - AFL fuzz testing options were added
>
> Have a look at the full changelog:
> https://github.com/inliniac/suricata/blob/0e9134930d4840de49295d65a5a2e7c81dd103ee/ChangeLog
>
>
> *Changes since 3.1RC1*
>
> - AF_PACKETv2 is the default as v3 is still experimental.
> - NFQ runmode workers was fixed.
>
> Get the release here:
> http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz
>
>
> *Upgrading*
>
> See
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_30_to_Suricata_31
> for some info on upgrading to 3.1.
>
>
> *Special thanks*
>
> Intel Corporation, FireEye, Stamus Networks, NorCert, ANSSI,
> AFL project, CoverityScan
>
> Mats Klepsland, Andreas Moe, Justin Viiret, Zachary Rasmor
> Aleksey Katargin, Alexander Gozman, Arturo Borrero Gonzalez
> David Diallo, Torgeir Natvig, Steffen Ullrich
>
>
> *Known issues & missing features*
>
> In a release candidate like this things may not be as polished yet. So
> please handle with care. That said, if you encounter issues, please let
> us know! As always, we are doing our best to make you aware of
> continuing development and items within the engine that are not yet
> complete or optimal. With this in mind, please notice the list we have
> included of known items we are working on.
>
> See http://redmine.openinfosecfoundation.org/projects/suricata/issues
> for an up to date list and to report new issues. See
> http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_is
> sues for a discussion and time line for the major issues.
>
>
> *SuriCon 2.0*
>
> Join us in Washington, D.C. November 9-11 for the 2nd Suricata User
> Conference. http://suricon.net/
>
>
> *Training & Support*
>
> Need help installing, updating, validating and tuning Suricata? We have
> trainings coming up. September 12-16 in Paris, November 7 & 8 in
> Washington, D.C.: see http://suricata-ids.org/training/
>
> For support options also see http://suricata-ids.org/support/
>
>
> *About Suricata*
>
> Suricata is a high performance Network Threat Detection, IDS, IPS and
> Network Security Monitoring engine. Open Source and owned by a community
> run non-profit foundation, the Open Information Security Foundation
> (OISF). Suricata is developed by the OISF, its supporting vendors and
> the community.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net
> --
> Nikita Kislitsin
> Head of Network Security Department
> Group-IB
> +7 (495) 984-33-64 ext. 137
> +7 (903) 791-65-28
> kislitsin at group-ib.com
> www.group-ib.com
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net

-- 
Regards,
Peter Manev