The Open Information Security Foundation (OISF) is a non-profit foundation organized to build a next generation IDS/IPS engine. The OISF has formed a multi-national group of the leading software developers in the security industry. In addition to developers and a consortium consisting of leading cyber security companies, OISF has engaged the open source security community to identify current and future IDS/IPS needs and desires.

OISF’s primary goal is to remain on the leading edge of open source IDS/IPS development, community needs and objectives.  This is only attainable if you, the community, get involved.  We welcome participation large and small and have built working groups and mailing lists to engage and educate all interested people and organizations.

Funding for the OISF comes from the US Department of Homeland Security (DHS) and a number of private companies that form the OISF Consortium. These companies gain a non-GPL limited license for the engine in return for their ongoing support. Over time, OISF will take on new projects and challenges. Future OISF project proposals are welcome and should be submitted in summary form using the 'Contact Us' link above.

Thank you for visiting OISF!


Don't forget to mark your calendar for tomorrow, 1pm CET (GMT+1), or 7am EST.  
 
IT-Defense Conference 2012, Munich
February 7th, 2012
1:00pm CET (GMT+1)
Leonardo Royal Hotel, Munich
www.leonardo-hotels.com

The primary goal of this Brainstorming Session is to review and adjust the Suricata Development Roadmap. To do this we will outline the current complete features and development status, proposed features from public and private sources, and seek input on these items. This is an open discussion. Let us know what you’d like your IDS/IPS engine to do! 

Major topics for discussion include:

Project Status
Potential Project Contributions
Current Major Features
End Snort-Syntax Follow
Phase 3 Dev Roadmap Review
Docs Update
Consider moving to GPLv3
New Website
Consortium Model Review
OpenDPI/BinPAC/Qosmos

Complimentary food and beverages will be available; please help us plan by emailing us to RSVP.

If you would like to attend remotely via video/audio, please also RSVP to allow capacity planning. We intend to use Google+ Hangouts, with Webex as a backup if there are issues. Please watch the OISF website and mailing lists for a link to join prior to the start of the meeting. http://www.openinfosecfoundation.org

We hope to see you there!

Specific technical issues to discuss or re-evaluate:

File Store Management Tool
DNS Preprocessor
IP and DNS Reputation
GeoIP Keyword
SSL Cert Analysis
URL/MD5 Reputation
HTTP Header Good/Bad Anomaly
Global Shared Flowvars
SCADA Preprocessors
File Extraction and Identification
Snortsam Output Plugin - Done
Anomaly Detection Potential
Host/App/OS Table Import
The OISF development team is pleased to announce Suricata 1.2.1. This release follows 1.2 by just a day to bring an important bug fix.

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-1.2.1.tar.gz

Fixes

- fix malformed unified2 records when writing alerts triggered by stream inspection (#402)
- only force a pseudo packet inspection cycle for TCP streams in a state >= established

Credits

Special thanks go to Eric Ooi and Doug Burks for reporting these issues and testing the fix.

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See http://redmine.openinfosecfoundation.org/projects/suricata/issues for an up to date list and to report new issues. See http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues for a discussion and time line for the major issues.

Please join us February 7th for the fifth Suricata Brainstorming Session at the IT-Defense 2012 Conference in Munich, Germany!  

As you know, Brainstorming Sessions are held to review and adjust the Development Roadmap, and bring in any and all new ideas and contributors. At this session we will outline the current complete features and development status, proposed features from public and private sources, and seek input on these items. We need your help!

The session will be held the day before IT-Defense 2012, and is free to attend. Most of the OISF Development Team will be at this session, so it's a great time to meet them and ask those questions or propose the ideas on your mind!

OISF will also be facilitating a workshop session during the conference, and OISF President Matt Jonkman will speak about Suricata on the second day of IT-Defense 2012.


IT-Defense 2012, Munich

it-defense.de 

February 7th, 2012

Leonardo Royal Hotel, Munich

www.leonardo-hotels.com


Any new idea, any new feature, any new relationship is welcome. This is an open discussion session. Let us know what you’d like your IDS/IPS engine to do! 

A full agenda will be released prior to the meeting. Food and beverages will be provided; please help us plan how much we need by RSVPing by email. If you would like to attend remotely via video/audio, please also RSVP to allow capacity planning.

We hope to see you there!!!


The OISF development team is proud to announce Suricata 1.2. This release brings HTTP file inspection and extraction and a whole lot more.

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-1.2.tar.gz

The configuration file has evolved, but backward compatibility is provided. We still encourage you to update your suricata configuration file. Upgrade guidance is provided here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_11_to_Suricata_12

New features

- file name, type inspection and extraction for HTTP
- filename, fileext, filemagic and filestore keywords added
- "file" output for storing extracted files to disk
- file_data keyword support, inspecting normalized, dechunked, decompressed HTTP response body (feature #241)
- new keyword http_server_body, pcre regex /S option
- option to enable/disable core dumping from the suricata.yaml (enabled by default)
- human readable size limit settings in suricata.yaml (bug #333)
- PF_RING BPF support (requires PF_RING >= 5.2) (feature #334)
- tos keyword support (feature #364)
- IPFW IPS mode now supports multiple divert sockets
- new IPS running modes: Linux and FreeBSD now support "worker" and "autofp"
- app-layer-events keyword: similar to the decoder-events and stream-events, this will allow matching on HTTP and SMTP events
- auto detection of checksum offloading per interface (#311)
- urilen options to match on raw or normalised URI (#341)
- flow keyword option "only_stream" and "no_stream"
- unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250)
- http_header and http_raw_header now also inspect HTTP response headers (#389, #397)
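A set of rules, added here as an example (not from the OISF page or the Suricata project), exercising the 1.2 keywords listed above; the urilen and flow options also appear in the 1.2rc1 notes further down. The rule messages and sids are placeholders, and the rules assume $HOME_NET/$EXTERNAL_NET are defined in suricata.yaml and that the "file" output is enabled, since filestore writes nothing to disk otherwise.

```suricata
# Example rules for the Suricata 1.2 file and HTTP keywords. Sids in the
# 1000000+ local range and the EXAMPLE msg prefix are placeholders.

# 1. Store any Windows executable served over HTTP, whatever its extension.
#    filemagic matches the libmagic description of the file CONTENT, so a
#    renamed .exe is still caught; filestore hands it to the "file" output.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE PE32 download stored"; flow:established,to_client; filemagic:"PE32 executable"; filestore; classtype:policy-violation; sid:1000001; rev:1;)

# 2. filename and fileext match only the name the HTTP transaction declares
#    (Content-Disposition / URI), not the content, so pair them with
#    filemagic when the distinction matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE .exe uploaded, stored for review"; flow:established,to_server; fileext:"exe"; filestore; sid:1000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE download named setup.exe"; flow:established,to_client; filename:"setup.exe"; sid:1000003; rev:1;)

# 3. file_data inspects the normalized, dechunked, decompressed response body,
#    so this pattern is found even when the server gzip-encodes the page;
#    a plain content match on the raw payload would miss it.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE eval(unescape( in decoded HTTP body"; flow:established,to_client; file_data; content:"eval(unescape("; nocase; sid:1000004; rev:1;)

# 4. http_server_body is the content-modifier form of the same buffer.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE script tag in server body"; flow:established,to_client; content:"<script"; http_server_body; nocase; sid:1000005; rev:1;)

# 5. urilen can now be evaluated on the raw URI (as sent) or the normalized
#    one; the raw form catches oversized URIs before normalization shrinks them.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE raw URI longer than 2048 bytes"; flow:established,to_server; urilen:>2048,raw; sid:1000006; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE normalized URI longer than 1024 bytes"; flow:established,to_server; urilen:>1024,norm; sid:1000007; rev:1;)

# 6. flow:only_stream restricts the match to reassembled stream data, so a
#    pattern split across TCP segments is matched once on the reassembled
#    data rather than per packet; no_stream does the opposite.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE MAIL FROM on reassembled stream only"; flow:established,to_server,only_stream; content:"MAIL FROM"; nocase; sid:1000008; rev:1;)
```

Stored files land in the directory configured for the "file" output; rules 1 and 2 both use filestore so a renamed executable and a declared .exe can be compared after the fact.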

Improvements

- general performance improvements
- improved alert accuracy in autofp and single runmodes
- major performance optimizations for the ac-gfbs pattern matcher implementation
- unified2 output fixes
- PF_RING supports privilege dropping now (bug #367)
- improved detection of duplicate signatures
- improved performance in virtual machines (bug #382)
- PCRE-JIT is now enabled by default if available (#356)
- flowbits and flowints are now modified in a post-match action list
- bundled libhtp updated to 0.2.7
- fixed parsing of very high sid numbers (> 2 billion) (#393)
- fixed ICMPv6 not matching in IP-only sigs (#363)

Fixes since 1.2rc1

- improved Windows/CYGWIN path handling (#387)
- fixed some issues with passing an interface or ip address with -i
- make live worker runmode threads adhere to the 'detect' cpu affinity settings

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See http://redmine.openinfosecfoundation.org/projects/suricata/issues for an up to date list and to report new issues. See http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues for a discussion and time line for the major issues.

The OISF development team is proud to announce Suricata 1.2rc1, the first (and hopefully only) release candidate for Suricata 1.2. It brings performance increases, file inspection and extraction improvements and much more!

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-1.2rc1.tar.gz

The new release comes with a number of important improvements and fixes.

New features

- app-layer-events keyword: similar to the decoder-events and stream-events, this will allow matching on HTTP and SMTP events
- auto detection of checksum offloading per interface (#311)
- urilen options to match on raw or normalised URI (#341)
- flow keyword option "only_stream" and "no_stream"
- unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250)

Improvements

- in IPS mode, reject rules now also drop (#399)
- http_header now also inspects response headers (#389)
- "worker" runmodes for NFQ and IPFW
- performance improvement for "ac" pattern matcher
- allow empty/non-initialized flowints to be incremented

Under the hood

- PCRE-JIT is now enabled by default if available (#356)
- many file inspection and extraction improvements
- flowbits and flowints are now modified in a post-match action list
- general performance improvements

Notable Fixes & Changes

- fixed parsing of very high sid numbers (> 2 billion) (#393)
- fixed ICMPv6 not matching in IP-only sigs (#363)

Known issues & missing features

This is a "release candidate"-quality release, so stability should be good, although unexpected corner cases might happen. If you encounter one, please let us know!

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See http://redmine.openinfosecfoundation.org/projects/suricata/issues for an up to date list and to report new issues. See http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues for a discussion and time line for the major issues.