The Open Information Security Foundation (OISF) is a non-profit foundation organized to build a next-generation IDS/IPS engine. The OISF has formed a multi-national group of the leading software developers in the security industry. In addition to developers and a consortium consisting of leading cyber security companies, OISF has engaged the open source security community to identify current and future IDS/IPS needs and desires.

OISF’s primary goal is to remain on the leading edge of open source IDS/IPS development, community needs and objectives.  This is only attainable if you, the community, get involved.  We welcome participation large and small and have built working groups and mailing lists to engage and educate all interested people and organizations.

Funding for the OISF comes from the US Department of Homeland Security (DHS) and a number of private companies that form the OISF Consortium. These companies gain a non-GPL limited license for the engine in return for their ongoing support. Over time, OISF will take on new projects and challenges. Future OISF project proposals are welcome and should be submitted in summary form using the 'Contact Us' link above.

Thank you for visiting OISF!


The Open Information Security Foundation

The OISF Team conducted a major development and planning session the last week of February in preparation for the next phase of Suricata Development. We have made some incredible progress in a very short time, and much of that progress is due to the great feedback and testing we receive from the community. We are extremely grateful for the support both from individuals and large corporations who are putting the engine to the test in their environments. The amount of code and patches flowing in has been very exciting, and we have progressed farther and faster than our expectations!


We are still in Phase One of our development plan, and we are officially announcing a feature freeze and a release date for the final, production-ready Phase One engine!


The feature freeze is now in effect for Phase One. We will have a Phase One Release Candidate available for testing on Monday May 3rd, 2010. We will then release the final production ready Phase One engine on July 1st, 2010.


In addition to what Suricata does well now, the following features will be made available with this production release:


Complete Snort Syntax and Keyword Support (a few details remain to be finalized, but 2.8.5 and prior syntax will be supported)

SMB Preprocessor Completion (Features such as request logging, etc)

Complete LibHTP Integration, and added keywords to make use of those capabilities

Complete Documentation of the Engine, Configuration, and Tuning

Configurable Run Modes will be available

CUDA GPU Acceleration Support as an Experimental Feature

Fully tested Windows Binaries will be available

Basic Performance Statistics Available (Very advanced statistics will be made available in Phase Two)

Detailed Error Codes and associated Documentation

Local IP Reputation Support and GeoIP capabilities (Distributed Reputation functionality to be released in Phase Two)


Included in this cycle will be some major internal performance tuning. We are learning a lot about the multi-threaded nature of this engine, and it's being tested on some incredibly high-speed links. Throughput rates are very impressive, but we're seeing where we can make it even better!


The above features are in addition to what Suricata is already doing well. As a reminder, some of the more exciting features already functional and in the current release are:


Multi-Threading

Native IPv6 Support

FlowInts

HTTP logging

LibHTP from Ivan Ristic

Mac OS X & FreeBSD inline


And many more...


Further announcements will be made in the near future, including the new features we are targeting for Phase Two, upcoming brainstorming meetings near you, and some new ancillary projects. So stay tuned, and thanks for supporting the Foundation. This is a community project and we are proud to be a part of it!

Please Stay Tuned! And keep the feedback and patches coming!

Next week the Suricata Dev Team is getting together in Istanbul to plan our Phase Two objectives, do some research and feature planning, talk to a few experts, and generally brainstorm our next steps. This isn't planned to be a large public meeting as the last one in DC was, but anyone that's near is more than welcome to attend. (We are planning another public meeting soon, funds permitting)

If you have things you want us to put on the agenda to discuss, please bring them up on the mailing lists or directly with a team member. We'll put out notes of the meeting as we go through the week to keep everyone involved, and any discussions on the lists will go straight into the meetings. A final set of notes and plans will be available after the meeting.



We're proud to announce that a new version of the Suricata Engine is available for download! There are some major changes and very significant improvements. We ask that you give this a try; we welcome your feedback and patches!

 

Suricata 0.8.1 brings the following new features:

 

- the engine now detects the number of CPUs/cores and configures itself to use them fully

- libhtp is now included in the source

- experimental CUDA support for NVIDIA GPU accelerated pattern matching

- initial support for Win32 (using MinGW) was added

- FreeBSD/Mac OS X IPFW inline support was added

- many options in the configuration file for performance tuning

- VLAN decoding support was added

- Prelude output support

 

Major issues fixed & improvements made:

- threading issues in the unified1 and unified2 logging modules

- major stream engine issues were solved

- uricontent, urilen inspection is now done against the libhtp parsed uri

- ip only signature detection fixes in inline mode

- add the /P (request body) option to the pcre keyword

- many SMB, SMB2 and DCERPC improvements

- logging is more configurable

- BPF filter support was added for the pcap and PF_RING capture modes

- many bugs were fixed, cleanups were made

 

Known issues:

- Some signatures fail to load because of missing keywords or keyword options

- We have identified some serious performance issues with certain signatures and traffic combinations

- Although we improved big endian support, there are still some issues

- CUDA code is expected to work only on 32-bit and probably doesn't speed things up yet, as we will need further redesign to fully benefit


 

We're happy to announce that Luca Deri has joined the OISF Development Team. You probably know of Luca from his work on NTOP (http://www.ntop.org), but most relevantly he's the lead of the PF_Ring project. PF_Ring is a critical element of any IDS, and he's on board to make Suricata the best platform available!

 

More about PF_Ring here:

http://www.ntop.org/PF_RING.html

 

 

We have a great number of new features coming out with Suricata. Many are already there, so we want to start talking about them and making everyone aware. To be clear though, Suricata supports all of the current rule syntax directives. We're just adding new ones to accommodate the new features we're building.
 
The first one I'd like to bring to your attention is Flowint. This is a precursor to the Global Variables task we have due very soon, which will allow the capture, storage and comparison of data in a variable. Cool, yes. But it's not just for the stream: as the name implies, it'll be global, so you can compare data from packets in unrelated streams. More on that when it's ready, probably around February 2010.

Flowint allows storage and mathematical operations using variables. It operates much like flowbits but with the addition of mathematical capabilities and the fact that an integer can be stored and manipulated, not just a flag set. We can use this for a number of very useful things, such as counting occurrences, adding or subtracting occurrences, or doing thresholding within a stream in relation to multiple factors. This will be expanded to a global context very soon so we can do these operations between streams. More on that when it's in there!
 
 

 
The syntax is as follows:

flowint: <name>, <isset|notset>;

Define a var (not required), or check that one is set or not set.

flowint: <name>, <modifier>, <value>;

where <modifier> is one of +, -, =, >, <, >=, <=, ==, !=

Compare or alter a var. Add (+), subtract (-), assign (=), and compare for greater than, less than, greater than or equal to, less than or equal to, equal to (==) and not equal to (!=) are available. The item to compare with can be an integer or another variable. Note that = assigns and == compares. A rule can also carry flowint:noalert; to update a variable without generating an alert, as the examples below do.

 


 

For example, let's say we want to count how many times a username is seen in a particular stream and alert if it's over 5.
 
alert tcp any any -> any any (msg:"Counting Usernames"; content:"jonkman"; \
flowint: usernamecount, +, 1; flowint:noalert;)
This will count each occurrence and increment the var usernamecount and not generate an alert for each. 
 
Now say we want to generate an alert if there are more than five hits in the stream. 
 
alert tcp any any -> any any (msg:"More than Five Usernames!"; content:"jonkman"; \
flowint: usernamecount, +, 1; flowint:usernamecount, >, 5;) 
So we'll get an alert ONLY if usernamecount is over five. Note that this rule also increments the counter; if it is loaded alongside the counting rule above, drop the increment here, or each occurrence gets counted twice.
 
So now let's say we want to get an alert as above but NOT if there have been more occurrences of that username logging out. Assuming this particular protocol indicates a log out with "logout jonkman", let's try:
 
alert tcp any any -> any any (msg:"Username Logged out"; content:"logout jonkman"; \
flowint: usernamecount, -, 1; flowint:usernamecount, >, 5;) 
So now we'll get an alert ONLY if there are more than five active logins for this particular username. Keep in mind that "logout jonkman" also contains "jonkman", so the counting rule above matches this payload too, and its +1 and this rule's -1 cancel out unless the counting rule's content is written so that it does not match the logout message.
 
This is a rather simplistic example, but I believe it shows the power of what such a simple function can do for rule writing. I see a lot of applications in things like login tracking, IRC state machines, malware tracking, and brute force login detection. 
 
 
Let's say we're tracking a protocol that normally allows five login fails per connection, but we have a vulnerability where an attacker can continue to log in after those five attempts, and we need to know about it.
 
alert tcp any any -> any any (msg:"Start a login count"; content:"login failed"; \
flowint:loginfail, notset; flowint:loginfail, =, 1; flowint:noalert;) 
So we detect the initial fail if the variable is not yet set and set it to 1 if so. Our first hit. 
 
alert tcp any any -> any any (msg:"Counting Logins"; content:"login failed"; \
flowint:loginfail, isset; flowint:loginfail, +, 1; flowint:noalert;) 
We are now incrementing the counter if it's set.
 
alert tcp any any -> any any (msg:"More than Five login fails in a Stream"; content:"login failed"; \
flowint:loginfail, isset; flowint:loginfail, >, 5;) 
Now we'll generate an alert if we cross five login fails in the same stream. 
 
 
But let's also say we need an alert if there are two successful logins and a failed login after that.
 
alert tcp any any -> any any (msg:"Counting Good Logins"; content:"login successful"; \
flowint:loginsuccess, +, 1; flowint:noalert;)  
 
Here we're counting good logins; now we'll relate those good logins to fails:
  
alert tcp any any -> any any (msg:"Login fail after two successes"; content:"login failed"; \
flowint:loginsuccess, isset; flowint:loginsuccess, ==, 2;)
This fires on a failed login only when exactly two successes have been counted in the stream. Note the == here: = would assign 2 to loginsuccess rather than compare against it, so the rule would match on every failed login.
 
 
 
Here are some other general examples: 
 
alert tcp any any -> any any (msg:"Setting a flowint counter"; content:"GET"; \
flowint:myvar, notset; flowint:maxvar,notset; flowint:myvar,=,1; flowint: maxvar,=,6;)

alert tcp any any -> any any (msg:"Adding to flowint counter"; content:"Unauthorized"; \
flowint:myvar,isset; flowint: myvar,+,2;)

alert tcp any any -> any any (msg:"if the flowint counter is 3 create a new counter"; content:"Unauthorized"; \
flowint:myvar, isset; flowint:myvar,==,3; flowint:cntpackets,notset; flowint:cntpackets, =, 0;)

alert tcp any any -> any any (msg:"and count the rest of the packets received without generating alerts!!!"; \
flowint:cntpackets,isset; flowint:cntpackets, +, 1; flowint:noalert;)

alert tcp any any -> any any (msg:"and fire this when it reaches 6"; flowint: cntpackets, isset; \
flowint: maxvar,isset; flowint: cntpackets, ==, maxvar;)
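To see how these rules behave on a stream without loading them into an engine, here is a small flowint evaluator written for this page (it is illustrative code, not Suricata's implementation). It parses the flowint options out of a rule line, applies them in the order written, and runs the rules in list order over the payloads of one flow. Assumptions the page does not state, labelled as such in the code: an unset counter that is incremented starts from 0, a comparison against an unset variable fails, and rules are evaluated in the order listed (Suricata orders signatures itself). The login-failure rules from the text are reused as written, and the payloads are constructed sample traffic.

```python
"""Added example: a small model of Suricata flowint semantics (not Suricata's code)."""
import re

MSG_RE = re.compile(r'msg:"([^"]*)"\s*;')
CONTENT_RE = re.compile(r'content:"([^"]*)"\s*;')
# flowint:<name>[, <modifier>[, <value>]];  -- also matches the bare "flowint:noalert;"
FLOWINT_RE = re.compile(r'flowint:\s*(\w+)\s*(?:,\s*([^,;]+?)\s*(?:,\s*([^;]+?)\s*)?)?;')

COMPARE = {
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_rule(text):
    """Pull msg, content and the flowint operations out of one rule line."""
    ops, noalert = [], False
    for name, mod, operand in FLOWINT_RE.findall(text):
        if name == "noalert" and not mod:
            noalert = True          # rule may match, but raises no alert
        else:
            ops.append((name, mod.strip(), operand.strip() or None))
    content = CONTENT_RE.search(text)
    return {
        "msg": MSG_RE.search(text).group(1),
        "content": content.group(1) if content else None,
        "ops": ops,
        "noalert": noalert,
    }


def _operand(token, state):
    """An operand is a literal integer or the name of another flowint (None if unset)."""
    if token.lstrip("-").isdigit():
        return int(token)
    return state.get(token)


def eval_rule(rule, payload, state):
    """Return True if the rule matches this payload; checks and updates run in order."""
    if rule["content"] is not None and rule["content"] not in payload:
        return False
    for name, mod, token in rule["ops"]:
        if mod == "isset":
            if name not in state:
                return False
        elif mod == "notset":
            if name in state:
                return False
        else:
            value = _operand(token, state)
            if value is None:
                return False        # assumption: an unset operand variable fails the check
            if mod == "=":
                state[name] = value
            elif mod in ("+", "-"):
                current = state.get(name, 0)   # assumption: unset counter starts at 0
                state[name] = current + value if mod == "+" else current - value
            elif mod in COMPARE:
                if name not in state or not COMPARE[mod](state[name], value):
                    return False
            else:
                raise ValueError(f"unknown flowint modifier {mod!r}")
    return True


def run_flow(rule_texts, payloads):
    """Feed one flow's payloads through the rules (list order); return (alerts, final state)."""
    rules = [parse_rule(t) for t in rule_texts]
    state, alerts = {}, []
    for pkt_no, payload in enumerate(payloads, start=1):
        for rule in rules:
            if eval_rule(rule, payload, state) and not rule["noalert"]:
                alerts.append((pkt_no, rule["msg"]))
    return alerts, state


# The three login-failure rules from the text, joined onto single lines.
LOGIN_FAIL_RULES = [
    'alert tcp any any -> any any (msg:"Start a login count"; content:"login failed"; '
    'flowint:loginfail, notset; flowint:loginfail, =, 1; flowint:noalert;)',
    'alert tcp any any -> any any (msg:"Counting Logins"; content:"login failed"; '
    'flowint:loginfail, isset; flowint:loginfail, +, 1; flowint:noalert;)',
    'alert tcp any any -> any any (msg:"More than Five login fails in a Stream"; '
    'content:"login failed"; flowint:loginfail, isset; flowint:loginfail, >, 5;)',
]


def login_failure_alerts(n_failures):
    """Packet numbers on which the '> 5' rule fires for n failed logins, plus the final count."""
    alerts, state = run_flow(LOGIN_FAIL_RULES, ["login failed"] * n_failures)  # constructed flow
    return [pkt for pkt, _ in alerts], state["loginfail"]


def fail_after_two_successes(modifier, payloads):
    """Alerts from the 'fail after two successes' pair, using = or == as the final check."""
    rules = [
        'alert tcp any any -> any any (msg:"Counting Good Logins"; content:"login successful"; '
        'flowint:loginsuccess, +, 1; flowint:noalert;)',
        'alert tcp any any -> any any (msg:"Login fail after two successes"; content:"login failed"; '
        f'flowint:loginsuccess, isset; flowint:loginsuccess, {modifier}, 2;)',
    ]
    alerts, _ = run_flow(rules, payloads)
    return len(alerts)


if __name__ == "__main__":
    print(login_failure_alerts(6))                                              # ([5, 6], 7)
    print(fail_after_two_successes("==", ["login successful", "login failed"]))  # 0
    print(fail_after_two_successes("=", ["login successful", "login failed"]))   # 1
```

Two things worth noticing in the output. First, because "Start a login count" and "Counting Logins" share the same content, both match the first "login failed" in this model, so the counter reaches 2 on the first failure and the "more than five" alert fires on the fifth packet rather than the sixth; whether a real engine orders the two rules the same way is something to confirm against a test pcap, but the pair should be designed so the answer does not matter. Second, with = instead of == in the last rule, the "fail after two successes" rule fires after a single success, because the assignment always succeeds.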
 
 
 
 

OISF Events

05-01-2010 - 05-08-2010
Meeting in San Francisco

05-03-2010
RC 1 Release

06-21-2010 - 06-24-2010
FISL-Brazil

07-01-2010
Phase One Final Release

07-20-2010 - 07-24-2010
OSCON

Find us on Twitter

  • OISF had a great week at RSA! Now back to working on Suricata!

    by OISFoundation Saturday, 06 March 2010 07:56
