Suricata IDPE 2.0.11 is a network intrusion detection and prevention engine.
Suricata is developed by the Open Information Security Foundation (OISF) together with its supporting vendors and community as a network intrusion detection and prevention engine.
The developers' changelog for this release says only that "Multiple bug fixes have been implemented". The engine is multi-threaded and has native IPv6 support. It can load existing Snort rules and signatures, and it supports the Barnyard and Barnyard2 tools through its unified2 output.
Features of Suricata:
- Network Intrusion Detection System (NIDS), Network Intrusion Prevention System (NIPS) and Network Security Monitoring (NSM) engine in one.
- Offline analysis of PCAP files.
- Traffic recording using the pcap logger.
- Unix socket mode for automated PCAP file processing.
- Runs on Linux, FreeBSD, OpenBSD, Mac OS X and Windows.
- YAML configuration file that is both human and machine readable.
- All configuration options are well commented and documented.
3. TCP/IP engines
- Scalable flow engine.
- Full IPv6 support.
- Tunnel decoding (Teredo, IP-IP, IP6-IP4, IP4-IP6).
- TCP stream engine:
  - session tracking
  - stream reassembly
  - target-based stream reassembly
4. Protocol Parsers
- Packet decoding for IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet, PPP, PPPoE, Raw, SLL, VLAN and QinQ.
- Application layer decoding for HTTP, SSL/TLS, SMB, SMB2, DCERPC, SMTP, FTP, SSH and DNS.
5. HTTP engine
- Stateful HTTP parser built on libhtp.
- HTTP request logger.
- File identification, extraction and logging.
- Keywords to match on the individual HTTP buffers: uri and raw uri, headers and raw headers, cookie, user-agent, request body and response body, method, status message and status code, host.
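As an added example (not Suricata's own code and not from the original page) of what the buffer keywords above do, the following Python models the 2.0 rule syntax, in which an http_* modifier binds to the content keyword that precedes it, and evaluates a few constructed rules against a constructed HTTP transaction. The rule sids, the transaction fields and the BUFFERS mapping are this example's own assumptions; real matching happens inside Suricata's detection engine on reassembled, libhtp-parsed traffic, and hex (|0d 0a|) content notation, pcre, distance/within and the other keywords are not modelled.

```python
import re

# Rule modifier -> transaction buffer it selects (buffer names are this example's own).
BUFFERS = {
    "http_uri": "uri", "http_raw_uri": "raw_uri",
    "http_header": "headers", "http_raw_header": "raw_headers",
    "http_cookie": "cookie", "http_user_agent": "user_agent",
    "http_client_body": "request_body", "http_server_body": "response_body",
    "http_method": "method", "http_stat_code": "stat_code",
    "http_stat_msg": "stat_msg", "http_host": "host",
}

HEADER = re.compile(
    r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def split_options(options):
    """Split rule options on ';' characters that are outside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in options:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def parse_rule(rule):
    """Parse the header and options. Each content starts on the raw payload;
    an http_* modifier after it rebinds that content to the named buffer."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("malformed rule: %r" % rule)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    matches, meta = [], {}
    for opt in split_options(opts):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            matches.append({"buffer": "payload", "pattern": val.strip('"'), "nocase": False})
        elif key == "nocase" and matches:
            matches[-1]["nocase"] = True
        elif key in BUFFERS and matches:
            matches[-1]["buffer"] = BUFFERS[key]
        else:
            meta[key] = val.strip('"')
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "direction": direction, "meta": meta, "matches": matches}

def rule_matches(parsed, tx):
    """True when every content pattern is found in its buffer of transaction tx."""
    for mt in parsed["matches"]:
        hay, pat = tx.get(mt["buffer"], ""), mt["pattern"]
        if mt["nocase"]:
            hay, pat = hay.lower(), pat.lower()
        if pat not in hay:
            return False
    return True

def evaluate(rules, tx):
    """Return the sids (as ints) of the rules that fire on tx."""
    return [int(p["meta"]["sid"]) for p in map(parse_rule, rules) if rule_matches(p, tx)]

# Constructed rules (sids in the local 1000000+ range) and a constructed HTTP
# transaction laid out as the buffers the keywords select.
RULES = [
    'alert http any any -> $HOME_NET any (msg:"Scanner user-agent"; content:"SQLMAP"; http_user_agent; nocase; sid:1000001; rev:1;)',
    'alert http any any -> $HOME_NET any (msg:"Traversal in normalized URI"; content:"GET"; http_method; content:"/etc/passwd"; http_uri; sid:1000002; rev:1;)',
    'alert http any any -> $HOME_NET any (msg:"PHP tag in request body"; content:"<?php"; http_client_body; sid:1000003; rev:1;)',
]
TX_SCANNER = {
    "method": "GET", "host": "www.example.test",
    "raw_uri": "/cgi-bin/%2e%2e/%2e%2e/etc/passwd",   # bytes as sent on the wire
    "uri": "/cgi-bin/../../etc/passwd",               # after URI decoding
    "user_agent": "sqlmap/1.0-dev", "cookie": "",
    "headers": "Host: www.example.test\r\nUser-Agent: sqlmap/1.0-dev\r\n",
    "request_body": "", "response_body": "<html>forbidden</html>",
    "stat_code": "403", "stat_msg": "Forbidden",
}
TX_BENIGN = dict(TX_SCANNER, raw_uri="/index.html", uri="/index.html",
                 user_agent="Mozilla/5.0", stat_code="200", stat_msg="OK")
```

The model makes two points visible: http_uri inspects the decoded URI while http_raw_uri sees the bytes as sent, so the traversal rule fires even though the request used %2e on the wire; and in 2.0 the http_* keywords are modifiers of the preceding content (the "sticky buffer" form came in later releases), so a modifier with no content before it is a rule error in Suricata, which this toy parser merely ignores.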
6. Detection engine
- Protocol keywords, PCRE support, fast_pattern, rule profiling and file matching.
- Multiple pattern matcher algorithms that can be selected.
- Extensive tuning options.
- Live rule reloads: load new rules without restarting Suricata (triggered by sending the process SIGUSR2).
- Delayed rule initialization (the delayed-detect option lets the engine start processing traffic before the rule set has finished loading).
7. Multi-threading
- Fully configurable threading, from a single thread to dozens of threads.
- Predefined ("precooked") runmodes and optional CPU affinity settings.
- Fine-grained locking and atomic operations for optimal performance.
- Optional lock profiling.
8. IP reputation
- IP reputation support with live reload of the reputation data.
- Loads large amounts of host-based reputation data.
- Reputation data is matched in the rule language using the "iprep" keyword.
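An added example (not from the page and not Suricata's own code) of the two data files the reputation engine loads and of how an iprep: match is evaluated. The file formats and the keyword syntax (side, category, operator, value in the range 0 to 127) are Suricata's; the IPs, category names, sid and the suricata.yaml paths in the comment are constructed, and the in-memory evaluation is a model of the keyword's semantics rather than the engine's code.

```python
import ipaddress

# suricata.yaml wiring for these files (paths are assumptions):
#   reputation-categories-file: /etc/suricata/iprep/categories.txt
#   default-reputation-path: /etc/suricata/iprep
#   reputation-files:
#    - reputation.list

# Constructed categories file: <id>,<short name>,<description>
CATEGORIES_TXT = """\
1,BadHosts,Known bad hosts
2,Scanners,Hosts seen scanning
"""
# Constructed reputation file: <ip>,<category id>,<reputation value 0-127>
REPUTATION_TXT = """\
198.51.100.7,1,120
198.51.100.7,2,40
203.0.113.9,2,90
"""
# A rule using the keyword: iprep:<side>,<category>,<operator>,<value>
RULE = ('alert ip any any -> any any (msg:"Traffic from known bad host"; '
        'iprep:src,BadHosts,>,100; sid:1000010; rev:1;)')

def _rows(text):
    """Yield comma-split fields of non-empty, non-comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield [f.strip() for f in line.split(",")]

def load_categories(text):
    """Return {category name: id}."""
    return {name: int(cid) for cid, name, *_desc in _rows(text)}

def load_reputation(text, cats):
    """Return {ip: {category name: value}}, rejecting unknown ids and bad values."""
    by_id = {cid: name for name, cid in cats.items()}
    rep = {}
    for ip, cid, val in _rows(text):
        ip, val = str(ipaddress.ip_address(ip)), int(val)   # validates the address
        if not 0 <= val <= 127:
            raise ValueError("reputation value out of range: %d" % val)
        rep.setdefault(ip, {})[by_id[int(cid)]] = val
    return rep

OPS = {"<": lambda a, b: a < b, ">": lambda a, b: a > b, "=": lambda a, b: a == b}
SIDES = ("any", "src", "dst", "both")

def parse_iprep(arg):
    """Parse the keyword argument, e.g. 'src,BadHosts,>,100'."""
    side, cat, op, val = [f.strip() for f in arg.split(",")]
    if side not in SIDES or op not in OPS:
        raise ValueError("bad iprep argument: %r" % arg)
    return side, cat, op, int(val)

def iprep_match(rep, arg, src_ip, dst_ip):
    """Evaluate an iprep keyword against a packet's source and destination."""
    side, cat, op, val = parse_iprep(arg)
    def hit(ip):   # the host must have a score in that category at all
        return cat in rep.get(ip, {}) and OPS[op](rep[ip][cat], val)
    if side == "src":
        return hit(src_ip)
    if side == "dst":
        return hit(dst_ip)
    if side == "both":
        return hit(src_ip) and hit(dst_ip)
    return hit(src_ip) or hit(dst_ip)   # "any"

def iprep_from_rule(rule):
    """Pull the iprep: argument out of a rule string."""
    start = rule.index("iprep:") + len("iprep:")
    return rule[start:rule.index(";", start)].strip()

CATS = load_categories(CATEGORIES_TXT)
REP = load_reputation(REPUTATION_TXT, CATS)
```

Note that a host with no entry in the requested category never matches, whatever the operator, which is why a "<" rule cannot be used as a catch-all for unknown hosts; and that the reputation file refers to categories by numeric id, so reordering the categories file silently changes what every reputation entry means.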
With 2.0, we introduced "Eve", our all-JSON event and alert output. This allows for easy integration with Logstash and similar tools.
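An added example, not from the page or the Suricata project, of consuming Eve output downstream: a few constructed eve.json lines of the shape the 2.0 eve-log writer produces (one JSON object per line), a parser that tolerates a half-written last line, and the per-signature aggregation and alert-to-HTTP correlation a Logstash pipeline would typically do. IPs, ports, timestamps and signatures are made up.

```python
import json
from collections import Counter

# eve-log section of suricata.yaml that produces these lines (2.0 syntax):
#   outputs:
#     - eve-log:
#         enabled: yes
#         type: file
#         filename: eve.json
#         types:
#           - alert
#           - http
#           - dns
# Constructed eve.json content; the final line is deliberately truncated, as a
# reader sees when it races the writer.
SAMPLE_EVE = """\
{"timestamp":"2015-06-01T10:00:00.123456+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":51234,"dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"Traversal in normalized URI","category":"Web Application Attack","severity":1}}
{"timestamp":"2015-06-01T10:00:00.123789+0000","event_type":"http","src_ip":"198.51.100.7","src_port":51234,"dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","http":{"hostname":"www.example.test","url":"/cgi-bin/../../etc/passwd","http_user_agent":"sqlmap/1.0-dev","http_method":"GET","protocol":"HTTP/1.1","status":403,"length":22}}
{"timestamp":"2015-06-01T10:00:02.000001+0000","event_type":"dns","src_ip":"10.0.0.5","src_port":41000,"dest_ip":"10.0.0.53","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4242,"rrname":"www.example.test","rrtype":"A"}}
{"timestamp":"2015-06-01T10:00:03.500000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":51240,"dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"Traversal in normalized URI","category":"Web Application Attack","severity":1}}
{"timestamp":"2015-06-01T10:00:04.000000+0000","event_type":"alert","src_ip":"203.0.113.9","src_port":40001,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000020,"rev":1,"signature":"SSH scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2015-06-01T10:00:05.000000+0000","event_type":"alert","src_ip":"203.0.113.9","src_po
"""

def parse_eve(text):
    """Return (events, parse_errors). Lines that are not complete JSON objects
    with an event_type are skipped and counted instead of aborting the run."""
    events, errors = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            errors += 1
            continue
        if isinstance(ev, dict) and "event_type" in ev:
            events.append(ev)
        else:
            errors += 1
    return events, errors

def summarize(events):
    """Aggregate the way a Logstash/Kibana dashboard usually does."""
    alerts = [ev for ev in events if ev["event_type"] == "alert"]
    return {
        "event_types": Counter(ev["event_type"] for ev in events),
        "alerts_by_signature": Counter(
            (ev["alert"]["signature_id"], ev["alert"]["signature"]) for ev in alerts),
        "alert_sources": Counter(ev["src_ip"] for ev in alerts),
        "high_severity": sum(1 for ev in alerts if ev["alert"]["severity"] == 1),
    }

FIVE_TUPLE = ("src_ip", "src_port", "dest_ip", "dest_port", "proto")

def http_for_alert(events, alert):
    """Join an alert to the HTTP transaction logged for the same 5-tuple; the
    separate event types share these fields, which is how they are correlated here."""
    want = tuple(alert[k] for k in FIVE_TUPLE)
    for ev in events:
        if ev["event_type"] == "http" and tuple(ev[k] for k in FIVE_TUPLE) == want:
            return ev["http"]
    return None
```

Because each line is a complete JSON document, a Logstash file input with the json codec can ship eve.json as-is; the parse_eve tolerance for a truncated trailing line matters for any reader that tails the file while Suricata is still writing it.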
The TLS/DER parsing issue fixed in an earlier 2.0.x release has CVE-2015-0971 assigned to it.