Thursday, January 19, 2012

[Emerging-Sigs] Suricata 1.2 Available!

The OISF development team is proud to announce Suricata 1.2. This release brings HTTP file inspection and extraction and a whole lot more.

Get the new release here:
http://www.openinfosecfoundation.org/download/suricata-1.2.tar.gz

The configuration file has evolved but backward compatibility is provided. We thus encourage you to update your suricata configuration file. Upgrade guidance is provided here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_11_to_Suricata_12

New features

- file name, type inspection and extraction for HTTP
- filename, fileext, filemagic and filestore keywords added
- "file" output for storing extracted files to disk
- file_data keyword support, inspecting normalized, dechunked, decompressed HTTP response body (feature #241)
- new keyword http_server_body, pcre regex /S option
- option to enable/disable core dumping from the suricata.yaml (enabled by default)
- human readable size limit settings in suricata.yaml (bug #333)
- PF_RING bpf support (requires PF_RING >= 5.2) (feature #334)
- tos keyword support (feature #364)
- IPFW IPS mode now supports multiple divert sockets
- new IPS running modes: Linux and FreeBSD now support "worker" and "autofp"
- app-layer-events keyword: similar to the decoder-events and stream-events, this will allow matching on HTTP and SMTP events
- auto detection of checksum offloading per interface (#311)
- urilen options to match on raw or normalised URI (#341)
- flow keyword option "only_stream" and "no_stream"
- unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250)
- http_header and http_raw_header now also inspect HTTP response headers (#389, #397)
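As an added illustration that is not part of the announcement, the rules below exercise the new file keywords and the file_data buffer; the sids and messages are placeholders chosen here, filemagic needs Suricata built against libmagic, and filestore needs the file-store output enabled in suricata.yaml.

```suricata
# Added example, not from the announcement. Placeholder sids: pick from your
# own range before deploying.

# Store every Windows PE executable served over HTTP, whatever name it was given.
# filemagic matches against libmagic's description of the file content, so a
# renamed .exe still matches; filestore writes the extracted file to the
# file-store output directory configured in suricata.yaml.
alert http any any -> any any (msg:"FILE PE executable downloaded over HTTP"; filemagic:"PE32 executable"; filestore; classtype:policy-violation; sid:9000001; rev:1;)

# Content/name mismatch: the extension claims PDF but the magic says executable.
# Both keywords apply to the same file, so the rule only fires on the mismatch.
alert http any any -> any any (msg:"FILE pdf extension with executable content"; fileext:"pdf"; filemagic:"executable"; filestore; classtype:policy-violation; sid:9000002; rev:1;)

# Match on the file name the server announced (filename is a substring match).
alert http any any -> any any (msg:"FILE setup.exe requested"; filename:"setup.exe"; classtype:policy-violation; sid:9000003; rev:1;)

# file_data switches inspection to the normalized response body (dechunked and
# decompressed), so a gzip-encoded or chunked transfer is still matched here.
# depth:2 anchors the MZ header at the start of the body.
alert http any any -> any any (msg:"HTTP response body starts with MZ header"; file_data; content:"MZ"; depth:2; classtype:policy-violation; sid:9000004; rev:1;)

# http_server_body inspects the same normalized body as a content modifier.
alert http any any -> any any (msg:"HTTP response body contains EICAR test string marker"; content:"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"; http_server_body; classtype:policy-violation; sid:9000005; rev:1;)
```

Rules 1 and 2 only extract files while the file-store output is enabled; without it they still alert, which is a useful first check that the keywords match before turning on disk writes.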

Improvements

- general performance improvements
- improved alert accuracy in autofp and single runmodes
- major performance optimizations for the ac-gfbs pattern matcher implementation
- unified2 output fixes
- PF_RING supports privilege dropping now (bug #367)
- improved detection of duplicate signatures
- improved performance in virtual machines (bug #382)
- PCRE-JIT is now enabled by default if available (#356)
- flowbits and flowints are now modified in a post-match action list
- bundled libhtp updated to 0.2.7
- fixed parsing of very high sid numbers (>2 billion) (#393)
- fixed ICMPv6 not matching in IP-only sigs (#363)

Fixes since 1.2rc1

- improved Windows/CYGWIN path handling (#387)
- fixed some issues with passing an interface or ip address with -i
- make live worker runmode threads adhere to the 'detect' cpu affinity settings

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and of items within the engine that are not yet complete or optimal. With this in mind, please see the list of known items we are working on.

See http://redmine.openinfosecfoundation.org/projects/suricata/issues for an up to date list and to report new issues.

See http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues for a discussion and timeline of the major issues.


Happy Detection!

Rodrigo Montoro