Suricata v5.0.2 & v4.1.7 releases: network IDS, IPS and NSM engine
What is Suricata
The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry but will bring new ideas and technologies to the field. The Suricata Engine and the HTP Library are available to use under the GPLv2.
Suricata is a rule-based ID/PS engine that utilizes externally developed rule sets to monitor network traffic and provide alerts to the system administrator when suspicious events occur. Designed to be compatible with existing network security components, Suricata features unified output functionality and pluggable library options to accept calls from other applications.
The initial release of Suricata runs on a Linux 2.6 platform that supports inline and passive traffic monitoring configuration capable of handling multiple gigabit traffic levels. Linux 2.4 is supported with reduced configuration functionality, such as no inline option.
Available under Version 2 of the General Public License, Suricata eliminates the ID/PS engine cost concerns while providing a scalable option for the most complex network security architectures.
As a multi-threaded engine, Suricata offers increased speed and efficiency in network traffic analysis. In addition to hardware acceleration (subject to hardware and network card limitations), the engine is built to utilize the increased processing power offered by the latest multi-core CPU chipsets. Suricata is developed for ease of implementation and is accompanied by step-by-step getting-started documentation and a user manual.
Suricata is a complex piece of software dealing with mostly untrusted input. Mishandling this input will have serious consequences:
- in IPS mode a crash may knock a network offline;
- in passive mode a compromise of the IDS may lead to loss of critical and confidential data;
- missed detection may lead to undetected compromise of the network.
Trusted devs and core team members are able to submit builds to our (semi) public Buildbot instance. It will run a series of build tests and a regression suite to confirm no existing features break.
The final QA run takes at least a few hours and is started by Victor. It currently runs:
- extensive build tests on different operating systems, compilers, optimization levels and configure features
- static code analysis using cppcheck, scan-build
- runtime code analysis using Valgrind, DrMemory, AddressSanitizer, LeakSanitizer
- regression tests for past bugs
- output validation of logging
- UNIX socket testing
- pcap based fuzz testing using ASAN and LSAN
In addition to these tests, further tests can be run manually depending on the type of code change:
- traffic replay testing (multi-gigabit)
- large pcap collection processing (multi-terabytes)
- AFL based fuzz testing (might take multiple days or even weeks)
- pcap based performance testing
- live performance testing
- various other manual tests based on an evaluation of the proposed changes
Changes in 5.0.2
- Bug #2993: Suricata 5.0.0beta1 memory allocation of 4294966034 bytes failed
- Bug #3380: Segfault when using multi-detect
- Bug #3400: smb: post-GAP file tx handling
- Bug #3424: nfs: post-GAP some transactions never close
- Bug #3425: nfs: post-GAP file tx handling
- Bug #3433: coverity: CID 1456679: Memory - corruptions (NEGATIVE_RETURNS)
- Bug #3434: coverity: CID 1456680: Incorrect expression (IDENTICAL_BRANCHES)
- Bug #3469: gcc10: compilation failure unless -fcommon is supplied (5.0.x)
- Bug #3473: Dropping privileges does not work with NFLOG (5.0.x)
- Documentation #3423: readthedocs shows title of documentation as “Suricata unknown documentation”
Changes in 4.1.7
- Bug #3417: --disable-geoip does not work (4.1.x)
- Bug #3448: Suricata 4.1 Seg Fault: Socket Control pcap-file and corrupt pcap
- Bug #3452: smb: post-GAP file tx handling (4.1.x)
- Bug #3453: coverity: CID 1456680: Incorrect expression (IDENTICAL_BRANCHES) (4.1.x)
- Bug #3470: gcc10: compilation failure unless -fcommon is supplied (4.1.x)
- Bug #3471: nfs: post-GAP some transactions never close (4.1.x)
- Bug #3472: nfs: post-GAP file tx handling (4.1.x)
- Bug #3474: Dropping privileges does not work with NFLOG (4.1.x)
Copyright 2016, OISF