[Oisf-users] Call for testing: Suricata 4.1rc2 released

F.Tremblay fcourrier at gmail.com
Thu Oct 18 23:36:09 UTC 2018


Sure np, I'll send the PCAP showing the bug to your gmail. Tomorrow or over
the weekend.

Cheers.

F.

On Thu, Oct 18, 2018 at 3:19 PM Mats Klepsland <mats.klepsland at gmail.com>
wrote:

> Hi.
>
> Thanks for testing the new RC and for reporting this!
>
> This bug is probably related to the TLS 1.3 support that was added in
> 4.1rc2. I think I've found the bug, but it would be useful to confirm
> that I'm right.
>
> Any chance that you could reproduce the error, capture a PCAP file, and
> send it to me in an email off list? That would really help :)
>
> Thanks again!
>
> Kind regards,
>
> Mats Klepsland
>
>
> On Thu, Oct 18, 2018 at 6:29 PM F.Tremblay <fcourrier at gmail.com> wrote:
>
>> Hello,
>>
>> From RC1 to RC2 the JA3 hashing changed. Take a simple Firefox: the
>> JA3 hash changed from RC1 to RC2 while the application hasn't. Very easy to
>> reproduce.
>>
>> So either Suricata doesn't extract the info from the strings like the
>> Salesforce method, or the TLS engine manipulates the JA3 strings, like a
>> proxy, or a simple bug where not all the strings are taken into account.
>>
>> Protocol hasn't changed, still TLS 1.2 (771).
>>
>> Cheers.
>>
>> F.
>>
>> On Tue, Oct 16, 2018 at 7:49 AM Victor Julien <victor at inliniac.net>
>> wrote:
>>
>>> Suricata 4.1rc2 is ready for testing. We're hoping that this will be the
>>> final release candidate so that 4.1 can be released just before Suricon
>>> next month.
>>>
>>> Main new features are inclusion of the protocols SMBv1/2/3, NFSv4,
>>> Kerberos, FTP, DHCP, IKEv2, as well as improvements on Linux capture side
>>> via AF_PACKET XDP support and on Windows IPS side via WinDivert. The
>>> growth of Rust usage inside Suricata continues as most of the new
>>> protocols have been implemented in Rust.
>>>
>>> Most important change for going from RC1 to RC2 is that we have enabled
>>> Rust support by default. If Rust is installed, it will be used.
>>>
>>> Get the release here:
>>> https://www.openinfosecfoundation.org/download/suricata-4.1.0-rc2.tar.gz
>>>
>>>
>>> *Protocol updates*
>>>
>>> SMBv1/2/3 parsing, logging, file extraction
>>> TLS 1.3 parsing and logging (Mats Klepsland)
>>> JA3 TLS client fingerprinting (Mats Klepsland)
>>> TFTP: basic logging (Pascal Delalande and Clément Galland)
>>> FTP: file extraction
>>> Kerberos parser and logger (Pierre Chifflier)
>>> IKEv2 parser and logger (Pierre Chifflier)
>>> DHCP parser and logger
>>> Flow tracking for ICMPv4
>>> Initial NFS4 support
>>> HTTP: handle sessions that only have a response, or start with a response
>>> HTTP Flash file decompression support (Giuseppe Longo)
>>>
>>>
>>> *Output and logging*
>>>
>>> File extraction v2: deduplication; hash-based naming; json metadata and
>>> cleanup tooling
>>> Eve metadata: from rules (metadata keyword) and traffic (flowbits etc)
>>> Eve: new more compact DNS record format (Giuseppe Longo)
>>> Pcap directory mode: process all pcaps in a directory (Danny Browning)
>>> Compressed PCAP logging (Max Fillinger)
>>> Expanded XFF support (Maurizio Abba)
>>> Community Flow Id support (common ID between Suricata and Bro/Zeek)
>>>
>>>
>>> *Packet Capture*
>>>
>>> AF_PACKET XDP and eBPF support for high speed packet capture
>>> Windows IPS: WinDivert support (Jacob Masen-Smith)
>>>
>>>
>>> *Misc*
>>>
>>> Windows: MinGW is now supported
>>> Detect: transformation keyword support
>>> Bundled Suricata-Update
>>> Per device multi-tenancy
>>>
>>>
>>> *Major changes since 4.1rc1*
>>>
>>> Rust support is enabled by default
>>> Community Flow Id support (common ID between Suricata and Bro/Zeek)
>>> Updates and fixes for dealing with SegmentSmack/FragmentSmack
>>> Update Suricata-Update to 1.0.0rc2
>>>
>>>
>>> *Get paid to work on Suricata!*
>>>
>>> Enjoying the testing? Or want to help out with other parts of the
>>> project?
>>> We are looking for people, so reach out to us if you're interested.
>>>
>>>
>>> *Special thanks*
>>>
>>> Mats Klepsland, Jason Taylor, Maurizio Abba, Konstantin Klinger,
>>> Giuseppe Longo, Danny Browning, Hilko Bengen, Jacob Masen-Smith, Pascal
>>> Delalande, Travis Green, Christian Kreibich
>>>
>>>
>>> *Trainings*
>>>
>>> Check out the latest training offerings at
>>> https://suricata-ids.org/training/
>>>
>>>
>>> *SuriCon*
>>>
>>> SuriCon 2018 Vancouver next month, you can still join!
>>> https://suricon.net/agenda-vancouver/
>>>
>>>
>>> *About Suricata*
>>>
>>> Suricata is a high performance Network Threat Detection, IDS, IPS and
>>> Network Security Monitoring engine. Open Source and owned by a community
>>> run non-profit foundation, the Open Information Security Foundation
>>> (OISF). Suricata is developed by the OISF, its supporting vendors and
>>> the community.
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support:
>>> http://suricata-ids.org/support/
>>> List:
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
>>
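As an added example (not code from this thread or from Suricata), a reference JA3 computation following the Salesforce definition the poster refers to: the ClientHello version, cipher suites, extension types, supported groups and point formats joined with commas, GREASE values dropped, then MD5 over the string. All names (build_client_hello, ja3_string, ja3_hash) and the ClientHello bytes are constructed for this example; feeding the ClientHello from the captured PCAP through the same computation is a way to check which of the two RCs produces the expected hash. A TLS 1.3 ClientHello still carries 771 as its legacy version and announces 1.3 only through the supported_versions extension, so the version field alone does not show which protocol is in play.

```python
import hashlib
import struct
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}  # RFC 8701 GREASE ids, dropped by JA3

def build_client_hello(version, ciphers, extensions):  # constructed test input; extensions: [(type, body)]
    ext_blob = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                              # one compression method: null
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def ja3_string(record):
    """Parse a ClientHello record into the JA3 string: version,ciphers,extensions,curves,point_formats."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    version = struct.unpack("!H", record[9:11])[0]     # past record header (5) and handshake header (4)
    p = 11 + 32                                        # skip the 32-byte random
    p += 1 + record[p]                                 # session id
    n = struct.unpack("!H", record[p:p + 2])[0]
    ciphers = [c for c in struct.unpack("!%dH" % (n // 2), record[p + 2:p + 2 + n]) if c not in GREASE]
    p += 2 + n
    p += 1 + record[p]                                 # compression methods
    end, p = p + 2 + struct.unpack("!H", record[p:p + 2])[0], p + 2
    exts, curves, fmts = [], [], []
    while p < end:
        t, l = struct.unpack("!HH", record[p:p + 4])
        body, p = record[p + 4:p + 4 + l], p + 4 + l
        if t in GREASE:                                # GREASE extensions are skipped entirely
            continue
        exts.append(t)
        if t == 10:                                    # supported_groups: 2-byte length, 2-byte ids
            curves = [c for c in struct.unpack("!%dH" % (len(body) // 2 - 1), body[2:]) if c not in GREASE]
        elif t == 11:                                  # ec_point_formats: 1-byte length, 1-byte ids
            fmts = list(body[1:])
    dash = lambda xs: "-".join(str(x) for x in xs)
    return "%d,%s,%s,%s,%s" % (version, dash(ciphers), dash(exts), dash(curves), dash(fmts))

def ja3_hash(record):
    return hashlib.md5(ja3_string(record).encode()).hexdigest()

# Constructed ClientHello shaped like a TLS 1.3-capable browser: legacy_version 771, one GREASE cipher
SAMPLE = build_client_hello(0x0303, [0x0a0a, 0x1301, 0xc02b, 0xc02f], [
    (0x1a1a, b""),                                  # GREASE extension, must not appear in the string
    (0, b"\x00\x0c\x00\x00\x09localhost"),          # server_name
    (10, b"\x00\x06\x00\x1d\x00\x17\x00\x18"),      # supported_groups: x25519, secp256r1, secp384r1
    (11, b"\x01\x00"),                              # ec_point_formats: uncompressed
    (43, b"\x02\x03\x04"),                          # supported_versions: TLS 1.3
])
```

`ja3_string(SAMPLE)` yields `771,4865-49195-49199,0-10-11-43,29-23-24,0`; comparing that string, not only the MD5, against what each RC logs shows which field differs.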