[Oisf-users] Call for testing: Suricata 4.1rc2 released

F.Tremblay fcourrier at gmail.com
Thu Oct 18 16:34:13 UTC 2018


From RC1 to RC2 the JA3 hashing changed. Take a simple Firefox: the JA3
hash from RC1 to RC2 changed while the application hasn't. Very easy to

So it's either Suricata doesn't extract the info from the strings like the
Salesforce method, or the TLS engine manipulates the JA3 strings, like a
proxy or a simple bug where not all the strings are taken into account.

Protocol hasn't changed, still TLS 1.2 (771)



On Tue, Oct 16, 2018 at 7:49 AM Victor Julien <victor at inliniac.net> wrote:

> Suricata 4.1rc2 is ready for testing. We're hoping that this will be the
> final release candidate so that 4.1 can be released just before Suricon
> next month.
>
> Main new features are inclusion of the protocols SMBv1/2/3, NFSv4,
> Kerberos, FTP, DHCP, IKEv2, as well as improvements on Linux capture side
> via AF_PACKET XDP support and on Windows IPS side via WinDivert. The
> growth of Rust usage inside Suricata continues as most of the new
> protocols have been implemented in Rust.
>
> Most important change for going from RC1 to RC2 is that we have enabled
> Rust support by default. If Rust is installed, it will be used.
>
> Get the release here:
> https://www.openinfosecfoundation.org/download/suricata-4.1.0-rc2.tar.gz
>
> *Protocol updates*
> SMBv1/2/3 parsing, logging, file extraction
> TLS 1.3 parsing and logging (Mats Klepsland)
> JA3 TLS client fingerprinting (Mats Klepsland)
> TFTP: basic logging (Pascal Delalande and Clément Galland)
> FTP: file extraction
> Kerberos parser and logger (Pierre Chifflier)
> IKEv2 parser and logger (Pierre Chifflier)
> DHCP parser and logger
> Flow tracking for ICMPv4
> Initial NFS4 support
> HTTP: handle sessions that only have a response, or start with a response
> HTTP Flash file decompression support (Giuseppe Longo)
>
> *Output and logging*
> File extraction v2: deduplication; hash-based naming; json metadata and
> cleanup tooling
> Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
> Eve: new more compact DNS record format (Giuseppe Longo)
> Pcap directory mode: process all pcaps in a directory (Danny Browning)
> Compressed PCAP logging (Max Fillinger)
> Expanded XFF support (Maurizio Abba)
> Community Flow Id support (common ID between Suricata and Bro/Zeek)
>
> *Packet Capture*
> AF_PACKET XDP and eBPF support for high speed packet capture
> Windows IPS: WinDivert support (Jacob Masen-Smith)
>
> *Misc*
> Windows: MinGW is now supported
> Detect: transformation keyword support
> Bundled Suricata-Update
> Per device multi-tenancy
>
> *Major changes since 4.1rc1*
> Rust support is enabled by default
> Community Flow Id support (common ID between Suricata and Bro/Zeek)
> Updates and fixes for dealing with SegmentSmack/FragmentSmack
> Update Suricata-Update to 1.0.0rc2
>
> *Get paid to work on Suricata!*
> Enjoying the testing? Or want to help out with other parts of the project?
> We are looking for people, so reach out to us if you're interested.
>
> *Special thanks*
> Mats Klepsland, Jason Taylor, Maurizio Abba, Konstantin Klinger,
> Giuseppe Longo, Danny Browning, Hilko Bengen, Jacob Masen-Smith, Pascal
> Delalande, Travis Green, Christian Kreibich
>
> *Trainings*
> Check out the latest training offerings at
> https://suricata-ids.org/training/
>
> *SuriCon*
> SuriCon 2018 Vancouver next month, you can still join!
> https://suricon.net/agenda-vancouver/
>
> *About Suricata*
> Suricata is a high performance Network Threat Detection, IDS, IPS and
> Network Security Monitoring engine. Open Source and owned by a community
> run non-profit foundation, the Open Information Security Foundation
> (OISF). Suricata is developed by the OISF, its supporting vendors and
> the community.
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/