Emergingthreats
Emerging Threats - Signatures for All!
Updated: 13 min 10 sec ago
OISF Suricata Development Meeting Update
The OISF Team conducted a major development and planning session the last week of February in preparation for the next phase of Suricata Development. We have made some incredible progress in a very short time and much of that progress is due to the great feedback and testing we receive from the community. We are extremely grateful for the support both from individuals and large corporations who are putting the engine to the test in their environments. The amount of code and and patches flowing in has been very exciting and we have progressed farther and faster than our expectations!
We are still in Phase One of our development plan and we are officially announcing a feature freeze and release date for a final phase one production ready engine!
The feature freeze is now in effect for Phase One. We will have a Phase One Release Candidate available for testing on Monday May 3rd, 2010. We will then release the final production ready Phase One engine on July 1st, 2010.
In addition to what Suricata does so well now, the following additional features will be made available with this production release:
Complete Snort Syntax and Keyword Support (A few details to finalize, yet we will support 2.8.5 and prior syntax)
SMB Preprocessor Completion (Features such as request logging, etc)
Complete LibHTP Integration, and added keywords to make use of those capabilities
Complete Documentation of the Engine, Configuration, and Tuning
Configurable Run Modes will be available
CUDA GPU Acceleration Support as an Experimental Feature
Fully tested Windows Binaries will be available
Basic Performance Statistics Available (Very advanced statistics will be made available in Phase Two)
Detailed Error Codes and associated Documentation
Local IP Reputation Support and GeoIP capabilities (Distributed Reputation functionality to be released in Phase Two)
Included in this cycle will be some major internal performance tuning. We are learning a lot with the multi-threaded nature of this engine, and it’s being tested on some incredibly high speed links. Throughput rates are very impressive, but we're seeing where we can make it even better!
The above features are in addition to what Suricata is already doing well. As a reminder, some of the more exciting features already functional and in the current release are:
Multi-Threading
Native IPv6 Support
FlowInts
HTTP logging
LibHTP from Ivan Ristic
Mac OS X & FreeBSD inline
And many more...
Further announcements will be made in the near future including the new features we are targeting for Phase Two, upcoming brainstorming meetings near you, and some new ancillary projects. So stay tuned, and thanks for supporting the Foundation, this is a community project and we are proud to be a part of it!
Please Stay Tuned! And keep the feedback and patches coming!
We are still in Phase One of our development plan and we are officially announcing a feature freeze and release date for a final phase one production ready engine!
The feature freeze is now in effect for Phase One. We will have a Phase One Release Candidate available for testing on Monday May 3rd, 2010. We will then release the final production ready Phase One engine on July 1st, 2010.
In addition to what Suricata does so well now, the following additional features will be made available with this production release:
Complete Snort Syntax and Keyword Support (A few details to finalize, yet we will support 2.8.5 and prior syntax)
SMB Preprocessor Completion (Features such as request logging, etc)
Complete LibHTP Integration, and added keywords to make use of those capabilities
Complete Documentation of the Engine, Configuration, and Tuning
Configurable Run Modes will be available
CUDA GPU Acceleration Support as an Experimental Feature
Fully tested Windows Binaries will be available
Basic Performance Statistics Available (Very advanced statistics will be made available in Phase Two)
Detailed Error Codes and associated Documentation
Local IP Reputation Support and GeoIP capabilities (Distributed Reputation functionality to be released in Phase Two)
Included in this cycle will be some major internal performance tuning. We are learning a lot with the multi-threaded nature of this engine, and it’s being tested on some incredibly high speed links. Throughput rates are very impressive, but we're seeing where we can make it even better!
The above features are in addition to what Suricata is already doing well. As a reminder, some of the more exciting features already functional and in the current release are:
Multi-Threading
Native IPv6 Support
FlowInts
HTTP logging
LibHTP from Ivan Ristic
Mac OS X & FreeBSD inline
And many more...
Further announcements will be made in the near future including the new features we are targeting for Phase Two, upcoming brainstorming meetings near you, and some new ancillary projects. So stay tuned, and thanks for supporting the Foundation, this is a community project and we are proud to be a part of it!
Please Stay Tuned! And keep the feedback and patches coming!
Bothunter 1.5 Released!
One of my favorite projects has a new significant release. Bothunter is an automated bot finding tool. It uses the Emerging Threats signature base, but has a LOT more under the hood. I highly recommend it, we write a lot of signatures based on new threats it identifies first.
Find more info here:
Suricata New Features Series: Flowint
We have a great number of new features coming out with Suricata. Many are already there so we want to start talking about them and making everyone aware. To be clear though, Suricata supports all of the current rule syntax directives. We're just adding new to accommodate the new features we're building. The first one I'd like to bring to your attention is Flowint. This is a precursor to the Global Variables task we have due very soon, which will allow the capture, storage and comparison of data in a variable. Cool, yes. But it's not just for the stream, it'll be as the name implies Global. So you can compare data from packets in unrelated streams. More on that when it's ready, probably around February 2010.
Flowint allows storage and mathematical operations using variables. It operates much like flowbits but with the addition of mathematical capabilities and the fact that an integer can be stored and manipulated, not just a flag set. We can use this for a number of very useful things, such as counting occurrences, adding or subtracting occurrences, or doing thresholding within a stream in relation to multiple factors. This will be expanded to a global context very soon so we can do these operations between streams. More on that when it's in there! The syntax is as follows:
alert tcp any any -> any any (msg:"Adding to flowint counter"; content:"Unauthorized"; \flowint:myvar,isset; flowint: myvar,+,2;)
alert tcp any any -> any any (msg:"if the flowint counter is 3 create a new counter"; content:"Unauthorized"; \flowint:myvar, isset; flowint:myvar,==,3; flowint:cntpackets,notset; flowint:cntpackets, =, 0;)
alert tcp any any -> any any (msg:"and count the rest of the packets received without generating alerts!!!"; \flowint:cntpackets,isset; flowint:cntpackets, +, 1; flowint:noalert;)
alert tcp any any -> any any (msg:" and fire this when it reach 6"; flowint: cntpackets, isset; \flowint: maxvar,isset; flowint: cntpackets, ==, maxvar;)
Flowint allows storage and mathematical operations using variables. It operates much like flowbits but with the addition of mathematical capabilities and the fact that an integer can be stored and manipulated, not just a flag set. We can use this for a number of very useful things, such as counting occurrences, adding or subtracting occurrences, or doing thresholding within a stream in relation to multiple factors. This will be expanded to a global context very soon so we can do these operations between streams. More on that when it's in there! The syntax is as follows:
flowint: , ;
Define a var (not required), or check that one is set or not set.
flowint: , , ; flowint: , < +,-,=,>,<,>=,<=,==, != >, ;
Compare or alter a var. Add, subtract, compare greater than or less than, greater than or equal to, and less than or equal to are available. The item to compare with can be an integer or another variable.
For example, lets say we want to count how many times a username is seen in a particular stream and alert if it's over 5. alert tcp any any -> any any (msg:"Counting Usernames"; content:"jonkman"; \flowint: usernamecount, +, 1; flowint:noalert;)This will count each occurrence and increment the var usernamecount and not generate an alert for each. Now say we want to generate an alert if there are more than five hits in the stream. alert tcp any any -> any any (msg:"More than Five Usernames!"; content:"jonkman"; \flowint: usernamecount, +, 1; flowint:usernamecount, >, 5;) So we'll get an alert ONLY if usernamecount is over five. So now lets say we want to get an alert as above but NOT if there have been more occurences of that username logging out. Assuming this particular protocol indicates a log out with "jonkman logout", lets try: alert tcp any any -> any any (msg:"Username Logged out"; content:"logout jonkman"; \flowint: usernamecount, -, 1; flowint:usernamecount, >, 5;) So now we'll get an alert ONLY if there are more than five active logins for this particular username. This is a rather simplistic example, but I believe it shows the power of what such a simple function can do for rule writing. I see a lot of applications in things like login tracking, IRC state machines, malware tracking, and brute force login detection. Lets say we're tracking a protocol that normally allows five login fails per connection, but we have a vulnerability where an attacker can continue to login after that five attempts, and we need to know about it. alert tcp any any -> any any (msg:"Start a login count"; content:"login failed"; \flowint:loginfail, notset; flowint:loginfail, =, 1; flowint:noalert;) So we detect the initial fail if the variable is not yet set and set it to 1 if so. Our first hit. alert tcp any any -> any any (msg:"Counting Logins"; content:"login failed"; \flowint:loginfail, isset; flowint:loginfail, +, 1; flowint:noalert;) We are now incrementing the counter if it's set. alert tcp any any -> any any (msg:"More than Five login fails in a Stream"; content:"login failed"; \flowint:loginfail, isset; flowint:loginfail, >, 5;) Now we'll generate an alert if we cross five login fails in the same stream. But let's also say we also need alert if there are two successful logins and a failed login after that. alert tcp any any -> any any (msg:"Counting Good Logins"; content:"login successful"; \flowint:loginsuccess, +, 1; flowint:noalert;) Here we're counting good logins, so now we'll count good logins relevant to fails: alert tcp any any -> any any (msg:"Login fail after two successes"; content:"login failed"; \flowint:loginsuccess, isset; flowint:loginsuccess, =, 2;) Here are some other general examples: alert tcp any any -> any any (msg:"Setting a flowint counter"; content:"GET"; \flowint:myvar, notset; flowint:maxvar,notset; flowint:myvar,=,1; flowint: maxvar,=,6;)
alert tcp any any -> any any (msg:"Adding to flowint counter"; content:"Unauthorized"; \flowint:myvar,isset; flowint: myvar,+,2;)
alert tcp any any -> any any (msg:"if the flowint counter is 3 create a new counter"; content:"Unauthorized"; \flowint:myvar, isset; flowint:myvar,==,3; flowint:cntpackets,notset; flowint:cntpackets, =, 0;)
alert tcp any any -> any any (msg:"and count the rest of the packets received without generating alerts!!!"; \flowint:cntpackets,isset; flowint:cntpackets, +, 1; flowint:noalert;)
alert tcp any any -> any any (msg:" and fire this when it reach 6"; flowint: cntpackets, isset; \flowint: maxvar,isset; flowint: cntpackets, ==, maxvar;)
OISF Releases Suricata Engine!
Full Announcement here: http://www.openinfosecfoundation.org/NOTE: OISF has been Slashdotted, may be slow to respond. You may have been redirected here to handle the load. Please try OISF again in a few hours!
It's been about three years in the making, but the day has finally come! We have the first release of the Suricata Engine! The engine is an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field.
The Suricata Engine and the HTP Library are available to use under the GPLv2.
The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.
This is considered a Beta Release as we are seeking feedback from the community. This release has many of the major new features we wanted to add to the industry, but certainly not all. We intend to get this base engine out and stable, and then continue to add new features. We expect several new releases in the month of January culminating in a production quality release shortly thereafter.
The engine and the HTP Library are available here: http://www.openinfosecfoundation.org/index.php/download-suricata
Please join the oisf-users mailing list to discuss and share feedback. The developers will be there ready to help you test.http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
As this is a first release we don't really have a "what's New" section because everything is new. But we do have a number of new ideas and new concepts to Intrusion Detection to note. Some of those are listed below:
Multi-ThreadingAmazing that multi-threading is new to IDS, but it is, and we've got it!
Automatic Protocol DetectionThe engine not only has keywords for IP, TCP, UDP and ICMP, but also has HTTP, TLS, FTP and SMB! A user can now write a rule to detect a match within an HTTP stream for example regardless of the port the stream occurs on. This is going to revolutionize malware detection and control. Detections for more layer 7 protocols are on the way.
Gzip DecompressionThe HTP Parser will decode Gzip compressed streams, allowing much more detailed matching within the engine.
Independent HTP LibraryThe HTP Parser will be of great use to many other applications such as proxies, filters, etc. The parser is available as a library also under GPLv2 for easy integration ito other tools.
Standard Input MethodsYou can use NFQueue, IPFRing, and the standard LibPcap to capture traffic. IPFW support coming shortly.
Unified2 OutputYou can use your standard output tools and methods with the new engine, 100% compatible!
Flow VariablesIt's possible to capture information out of a stream and save that in a variable which can then be matched again later.
Fast IP MatchingThe engine will automatically take rules that are IP matches only (such as the RBN and compromised IP lists at Emerging Threats) and put them into a special fast matching preprocessor.
HTTP Log Module All HTTP requests can be automatically output into an apache-style log format file. Very useful for monitoring and logging activity completely independent of rulesets and matching. Should you need to do so you could use the engine only as an HTTP logging sniffer.
Coming Very Soon: (Within a few weeks)
Global Flow VariablesThe ability to store more information from a stream or match (actual data, not just setting a bit), and storing that information for a period of time. This will make comparing values across many streams and time possible.
Graphics Card AccelerationUsing CUDA and OpenCL we will be able to make use of the massive processing power of even old graphics cards to accelerate your IDS. Offloading the very computationally intensive functions of the sensor will greatly enhance performance.
IP ReputationHard to summarize in a sentence, but Reputation will allow sensors and organizations to share intelligence and eliminate many false positives.
Windows BinariesAs soon as we have a reasonably stable body of code.
The list could go on and on. Please take a few minutes to download the engine and try it out and let us know what you think. We're not comfortable calling it production ready at the moment until we get your feedback, and we have a few features to complete. We really need your feedback and input. We intend to put out a series of small releases in the two to three weeks to come, and then a production ready major release shortly thereafter. Phase two of our development plan will then begin where we go after some major new features such as IP Reputation shortly.
http://www.openinfosecfoundation.org
It's been about three years in the making, but the day has finally come! We have the first release of the Suricata Engine! The engine is an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field.
The Suricata Engine and the HTP Library are available to use under the GPLv2.
The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.
This is considered a Beta Release as we are seeking feedback from the community. This release has many of the major new features we wanted to add to the industry, but certainly not all. We intend to get this base engine out and stable, and then continue to add new features. We expect several new releases in the month of January culminating in a production quality release shortly thereafter.
The engine and the HTP Library are available here: http://www.openinfosecfoundation.org/index.php/download-suricata
Please join the oisf-users mailing list to discuss and share feedback. The developers will be there ready to help you test.http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
As this is a first release we don't really have a "what's New" section because everything is new. But we do have a number of new ideas and new concepts to Intrusion Detection to note. Some of those are listed below:
Multi-ThreadingAmazing that multi-threading is new to IDS, but it is, and we've got it!
Automatic Protocol DetectionThe engine not only has keywords for IP, TCP, UDP and ICMP, but also has HTTP, TLS, FTP and SMB! A user can now write a rule to detect a match within an HTTP stream for example regardless of the port the stream occurs on. This is going to revolutionize malware detection and control. Detections for more layer 7 protocols are on the way.
Gzip DecompressionThe HTP Parser will decode Gzip compressed streams, allowing much more detailed matching within the engine.
Independent HTP LibraryThe HTP Parser will be of great use to many other applications such as proxies, filters, etc. The parser is available as a library also under GPLv2 for easy integration ito other tools.
Standard Input MethodsYou can use NFQueue, IPFRing, and the standard LibPcap to capture traffic. IPFW support coming shortly.
Unified2 OutputYou can use your standard output tools and methods with the new engine, 100% compatible!
Flow VariablesIt's possible to capture information out of a stream and save that in a variable which can then be matched again later.
Fast IP MatchingThe engine will automatically take rules that are IP matches only (such as the RBN and compromised IP lists at Emerging Threats) and put them into a special fast matching preprocessor.
HTTP Log Module All HTTP requests can be automatically output into an apache-style log format file. Very useful for monitoring and logging activity completely independent of rulesets and matching. Should you need to do so you could use the engine only as an HTTP logging sniffer.
Coming Very Soon: (Within a few weeks)
Global Flow VariablesThe ability to store more information from a stream or match (actual data, not just setting a bit), and storing that information for a period of time. This will make comparing values across many streams and time possible.
Graphics Card AccelerationUsing CUDA and OpenCL we will be able to make use of the massive processing power of even old graphics cards to accelerate your IDS. Offloading the very computationally intensive functions of the sensor will greatly enhance performance.
IP ReputationHard to summarize in a sentence, but Reputation will allow sensors and organizations to share intelligence and eliminate many false positives.
Windows BinariesAs soon as we have a reasonably stable body of code.
The list could go on and on. Please take a few minutes to download the engine and try it out and let us know what you think. We're not comfortable calling it production ready at the moment until we get your feedback, and we have a few features to complete. We really need your feedback and input. We intend to put out a series of small releases in the two to three weeks to come, and then a production ready major release shortly thereafter. Phase two of our development plan will then begin where we go after some major new features such as IP Reputation shortly.
http://www.openinfosecfoundation.org
OISF Suricata Release Tomorrow!
We're nearly ready for the first release of code from the Open Information Security Foundation! We've been hard at work for over six months now, with about twenty of the most talented and diverse group of programmers I've ever seen together. Six months is an incredibly short timeframe for developing an IDS engine, especially one that's not just the same old ideas but a major step forward. But they've done it, we're nearly there! I'm incredibly honored to be a part of this team.
This is the first release. We haven't of course gotten every feature in there that we want, but what is there is stable and ready for testing. Stay tuned for more information today and tomorrow!
ET Welcomes Infotex as a Sponsor
We just wanted to give a big thanks to Infotex for a recent donation of hardware and infrastructure. They've been a great help over the years.
Thanks to all the folks at Infotex! Your support goes a long way in keeping Emerging Threats alive!!
Mugs are Available!!
Don't Subscribe using Yahoo Email
Just a reminder, if you subscribe to the lists using a yahoo email you'll get bounced off within a few days. Yahoo rejects emails that have strings that might be malware. And since that's what we discuss most of the time mailman (our list manager) will disable your subscription.
Apologies for this, but we really can't do much about it. So if you're using yahoo go make a gmail account, or somewhere else that uses actual filtering.
(reminding about this because we just lost a slew of yahoo folks get bounced last night)
Thanks!
Matt
Apologies for this, but we really can't do much about it. So if you're using yahoo go make a gmail account, or somewhere else that uses actual filtering.
(reminding about this because we just lost a slew of yahoo folks get bounced last night)
Thanks!
Matt
ET in the Press
We're always excited to see Emerging Threats mentioned in articles and books. Especially when it's something good to say about us all!
Markus Manzke just published a great article about ET, an interview with me and Martin Roesch, and some great information about all around signature work. It's in German and published in ix.de, but easily translatable if german's not your thing.
http://www.mare-system.de/?p=arbeiten-mit-snort
Thanks for the great article Markus!
Matt