First beta for Suricata 1.4

The first test release for the new Suricata 1.4 branch as just been released. Some really exciting stuff was added. Let me highlight some of it:

AF_PACKET IPS mode: Eric Leblond has been working on extending the passive AF_PACKET support to support IPS as well. Eric has documented the new feature on his blog.

TLS logging and certificate storage: created by contributor Jean-Paul Roliers under guidance of Eric Leblond. As a bonus, a rule keyword to match on certifcate fingerprints.

Custom HTTP logging: contributor Ignacio Sanchez created a new output mode for our HTTP log module, allowing the admin to customize the log message format. He has made it compatible to Apache’s mod_log_config. For more information, see our wiki page.

Tunnel decoding: Michel Saborde opened a bunch of tickets for Teredo, IPv4-in-IPv6 and IPv6-in-IPv6 tunneling. Saved a lot of time in Eric’s implementation.

There is more, like the luajit keyword I wrote about yesterday here.

So there are a lot of changes. Git gives us the following numbers: “106 files changed, 6966 insertions(+), 2259 deletions(-)” in just 3 weeks. This means the release is definitely beta quality, so use with care.

Grab it here:

Next week the team will be in Amsterdam for the RAID 2012 conference. After that we’ll continue to work towards 1.4beta2. For an idea of what is coming, check the milestone.

Until than, have fun with this new beta. Many thanks to our generous contributors!

Suricata lua (jit) script keyword

So Will started bugging me (again) on doing scripting from Suricata and I gave in. Just committed extremely immature, incomplete, experimental luajit scripting support.

What it does is that it adds a new keyword, “luajit”. There is one argument, a script name. That script is then loaded from your rules directory and ran against a packet. No flow, http or any of that right now, just packets.

Example rule:
alert tcp any any -> any any (msg:"LUAJIT test"; luajit:test.lua; sid:1;)

This loads the script from /etc/suricata/rules/test.lua

The script has a “match” function that will return either 1 or 0. 1 for match, 0 for no match.

Example script:

-- match string HTTP in packet payload
function match(args)
    for k,v in pairs(args) do
       if tostring(k) == "payload" then
            a = tostring(v)
            if #a > 0 then
                if a:find("HTTP") then
                    return 1

    return 0

return 0
-- eof

The fun thing is that it works, but the best joke is that on my box this simple script makes no performance impact at all.

Currently only “payload” and “packet” keys are available. More will follow, or not. This is research stuff, and if we run into some major obstacle we’ll remove it or change it completely. Until then, let me know how you feel about it 🙂

Oh yeah, to enable add:
--with-libluajit-includes=/usr/include/luajit-2.0/ --with-libluajit-libraries=/usr/lib/x86_64-linux-gnu/
To your ./configure line. Adapt for your distro.

Happy scripting! 🙂