Version 2.0.7 of Suricata has been released. Suricata is an open source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring engine. It can be used to monitor network traffic and alert a system administrator if anything suspicious is detected. Development is overseen by the Open Information Security Foundation (OISF), with support from the community and various vendors. The main change in the 2.0 series is Eve, a fully JSON-based logging system. Among other things, Eve output can be fed into Logstash to display the information graphically. The changelog for this release looks like this:
Suricata 2.0.7 Available!
The OISF development team is pleased to announce Suricata 2.0.7. This release fixes a number of important issues in the 2.0 series.
There were two major issues. The first was brought to our attention by the Yahoo Pentest Team. It’s a parsing issue in the DCERPC parser that can happen when Suricata runs out of memory. The exact scope of the problem isn’t clear, but it could certainly lead to crashes. RCE might theoretically be possible but looks like it’s very hard.
The second issue was reported by Darien Huss of Emerging Threats. This is technically a libhtp issue, but it affects Suricata detection and logging. Certain characters in the URI could confuse the parsing of the HTTP request line, leading to possible detection bypass for ‘http_uri’ and to incomplete logging of the URI. Libhtp 0.5.17 has been released to address this and is bundled in 2.0.7.
Other than that, a bunch of improvements and fixes. It should work again on CentOS 5. Midstream TCP was improved and some performance optimizations for HTTP proxy traffic were made.
Upgrading is highly recommended.
- Bug #1385: DCERPC traffic parsing issue
- Bug #1391: http uri parsing issue
- Bug #1383: tcp midstream window issue
- Bug #1318: A thread sync issue in streamTCP
- Bug #1375: Regressions in list keywords option
- Bug #1387: pcap-file hangs on systems w/o atomics support
- Bug #1395: dump counters unix socket command failure
- Optimization #1376: file list is not cleaned up
- The DCERPC parsing issue has CVE-2015-0928 assigned to it.
Logstash and Kibana fed with JSON output from Suricata.
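As an added example (not code from the Suricata project or from this announcement), the following Python script shows what a consumer of Eve output has to do before anything reaches Logstash or Kibana: read the newline-delimited JSON, drop lines that are not valid JSON (a truncated write during log rotation is a realistic case), keep only "alert" records, and aggregate them by signature, source address and severity. The sample records are constructed for this example; the field names (event_type, src_ip, alert.signature_id, alert.signature, alert.severity, http.url) follow the Eve JSON format, but the signature ids, names and addresses are invented.

```python
import json
from collections import Counter

# Constructed sample of Eve JSON records (one object per line). The shape follows
# Suricata's eve.json output; the ids, signatures and addresses are made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2015-04-23T10:01:02.000000+0200","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":50234,"dest_ip":"192.0.2.10","dest_port":80,'
    '"proto":"TCP","alert":{"signature_id":1000001,"signature":"EXAMPLE suspicious user agent",'
    '"category":"Potentially Bad Traffic","severity":2},'
    '"http":{"hostname":"example.test","url":"/index.html"}}',
    '{"timestamp":"2015-04-23T10:01:03.000000+0200","event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.10",'
    '"http":{"hostname":"example.test","url":"/about"}}',
    '{"timestamp":"2015-04-23T10:01:04.000000+0200","event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"192.0.2.10",'
    '"alert":{"signature_id":1000002,"signature":"EXAMPLE SMB DCERPC bind",'
    '"category":"Attempted Information Leak","severity":1}}',
    '{"timestamp":"2015-04-23T10:01:05.000000+0200","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.10",'
    '"alert":{"signature_id":1000001,"signature":"EXAMPLE suspicious user agent",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    # Simulates a partially written line, e.g. at log rotation: must not abort the run.
    'this line is not JSON',
]


def parse_eve(lines):
    """Yield parsed Eve records, silently skipping lines that are not JSON objects."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def summarize_alerts(lines):
    """Aggregate alert records the way a dashboard would: by signature, source and severity.

    Records with any other event_type (http, dns, fileinfo, ...) are ignored here.
    Returned counters: by_signature keyed on (signature_id, signature), by_src keyed on
    src_ip, by_severity keyed on the numeric Suricata severity (1 is the most severe).
    """
    by_signature = Counter()
    by_src = Counter()
    by_severity = Counter()
    for rec in parse_eve(lines):
        if rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert", {})
        by_signature[(alert.get("signature_id"), alert.get("signature"))] += 1
        by_src[rec.get("src_ip")] += 1
        by_severity[alert.get("severity")] += 1
    return {"by_signature": by_signature, "by_src": by_src, "by_severity": by_severity}


if __name__ == "__main__":
    summary = summarize_alerts(SAMPLE_EVE_LINES)
    for (sid, name), n in summary["by_signature"].most_common():
        print(f"{n:>4}  sid:{sid}  {name}")
    print("sources:", dict(summary["by_src"]))
    print("severity:", dict(summary["by_severity"]))
```

The parse step is deliberately tolerant: one bad line should cost you one record, not the whole file, which matters when a collector tails eve.json continuously. Filtering on event_type is what keeps a large http or dns event volume from swamping the alert view.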