Perimeter | Commentary
5/12/2010 05:04 PM
John H. Sawyer

Suricata Pushing Intrusion Detection Evolution

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) have stayed fairly stagnant, with the exception of the signatures that must change daily to meet current threats. The Suricata project from the Open Information Security Foundation (OISF) looks to change that and bring about the next evolution of the IDS.

I spend a good deal of time digging through IDS data. Surprisingly, it's a lot of fun, provided that you've actually tuned your IDS and aren't stuck sifting through meaningless alerts. If you don't have an IDS, then you should set one up with the rules from the Emerging Threats community and let it watch your egress traffic as it leaves your network. Tap the traffic on the inside of your firewall or NAT device so the alerts carry the real internal source address instead of your public one; otherwise every hit points at the gateway and you end up reconstructing the culprit from NAT logs. You'll be amazed at what you find.

But before I get sidetracked about traffic monitoring in general, let's dig into Suricata. I can think of one word that describes it: awesome. I'm not kidding. I've been a long-time user of Snort, the de facto open-source IDS engine that Sourcefire (and others) have based their commercial businesses on. It's a great tool, but there are many limitations that have led the OISF to develop Suricata from scratch.

The primary limitation of Snort that surprises people and kills sensors on high-speed networks is that it is single-threaded. In other words, even if you have a 16-core monster server, a Snort process is going to use only one of those cores. Not cool if you have a fast link with lots of traffic flowing out of your network: your IDS simply isn't going to be effective if it's dropping packets, and packet loss is easy to miss unless you actually watch the drop counters the engine reports. (The usual workaround is to run several Snort instances and split the traffic between them, which works but pushes the load-balancing problem down onto the capture layer.) However, this isn't a limitation of just Snort; it applies to pretty much every IDS/IPS vendor out there.

What's coming from OISF will turn the industry on its ear because Suricata is not only introducing multithreading, but also CUDA GPU acceleration. What that means is that Suricata can take advantage of all the cores in a system and use CUDA-enabled NVIDIA cards to offload the pattern-matching stage of detection. The GPU doesn't help with capture, decoding, or stream reassembly, which still run on the CPU, so the capture path has to keep up before any of this matters, but it's terribly exciting for those of us dealing with 10-Gbps networks.

There are loads of other features, like inline mode so it can be used as an IPS, IPv6 support, Snort rule syntax support (so existing rulesets such as Emerging Threats load largely as-is), and a dedicated HTTP parsing library (libhtp) that decodes and normalizes HTTP before the rules see it. Suricata RC1 is currently available for download, and the first "stable" release is scheduled for July 1.
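To make the Snort rule syntax and the egress-monitoring advice above concrete, here is a small rule matcher written for this article as an added example. It is not code from Suricata, Snort, or Emerging Threats; the rules and the flow records in it are constructed for illustration, and the HOME_NET value is an assumption that on a real sensor comes from suricata.yaml. It parses the header and a handful of options from Snort-syntax rules and runs them against sample outbound sessions, which is enough to see why $HOME_NET any -> $EXTERNAL_NET rules are the ones that pay off on an egress tap.

```python
"""Tiny matcher for Snort-syntax rules (the rule language Suricata also reads).
Added example, not code from Suricata, Snort or Emerging Threats. It supports only
the header form "alert <proto> <src> <sport> -> <dst> <dport> (...)", the $HOME_NET
and $EXTERNAL_NET variables, "!" negation, port lists/ranges and the msg, flow,
content, nocase and sid options; a real engine does a great deal more."""
import ipaddress
import re

# Assumed site variable; on a real sensor this comes from suricata.yaml.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$")
# keyword[:value]; a double-quoted value may itself contain ';'
OPT_RE = re.compile(r'\s*([a-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(text):
    """Split one rule into header fields plus an ordered list of (option, value)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule header: " + text)
    rule = m.groupdict()
    rule["opts"] = [(k, v[1:-1] if v.startswith('"') else v)
                    for k, v in OPT_RE.findall(rule.pop("opts"))]
    return rule

def addr_matches(spec, ip):
    """Address field: any, $HOME_NET, $EXTERNAL_NET or a CIDR, optionally negated."""
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    home = any(ip in net for net in HOME_NET)
    if spec == "any":
        hit = True
    elif spec in ("$HOME_NET", "$EXTERNAL_NET"):
        hit = home if spec == "$HOME_NET" else not home
    else:
        hit = ip in ipaddress.ip_network(spec, strict=False)
    return hit != neg

def port_matches(spec, port):
    """Port field: any, a number, a lo:hi range or a [a,b:c] list, optionally negated."""
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        return not neg
    hit = False
    for item in spec.strip("[]").split(","):
        lo, sep, hi = item.partition(":")
        low = int(lo) if lo else 0
        high = (int(hi) if hi else 65535) if sep else low
        hit = hit or low <= port <= high
    return hit != neg

def rule_matches(rule, flow):
    """Evaluate the header, then the flow: and content: options, against one flow record."""
    if rule["proto"] != "ip" and rule["proto"] != flow["proto"]:
        return False
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    if not (addr_matches(rule["src"], src) and port_matches(rule["sport"], flow["sport"])
            and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], flow["dport"])):
        return False
    opts = dict(rule["opts"])  # simplification: one content: per rule, nocase is rule-wide
    if "flow" in opts and not set(opts["flow"].split(",")) <= flow["flags"]:
        return False
    if "content" in opts:
        needle, hay = opts["content"].encode(), flow["payload"]
        if "nocase" in opts:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

def match_flows(rules_text, flows):
    """Return one (sid, msg, src, dst) tuple for every rule that fires on every flow."""
    rules = [parse_rule(line) for line in rules_text.splitlines()
             if line.strip() and not line.lstrip().startswith("#")]
    alerts = []
    for flow in flows:
        for rule in rules:
            if rule_matches(rule, flow):
                opts = dict(rule["opts"])
                alerts.append((int(opts["sid"]), opts["msg"], flow["src"], flow["dst"]))
    return alerts

# Constructed egress rules in Snort syntax, written for this example (not ET's rules).
SAMPLE_RULES = """
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL Outbound IRC connection"; flow:to_server,established; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,443] (msg:"LOCAL HTTP request on non-standard egress port"; flow:to_server,established; content:"GET "; nocase; sid:1000002; rev:1;)
alert udp $HOME_NET any -> !$HOME_NET 53 (msg:"LOCAL DNS query bypassing internal resolvers"; sid:1000003; rev:1;)
"""

def session(proto, src, sport, dst, dport, payload=b"", *flags):
    """Build a constructed flow record standing in for a reassembled session (not captured)."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "payload": payload, "flags": set(flags)}

SAMPLE_FLOWS = [
    session("tcp", "10.1.2.3", 51000, "203.0.113.10", 6667, b"NICK bot123\r\n", "to_server", "established"),
    session("tcp", "10.1.2.3", 51001, "203.0.113.20", 8080, b"GET /gate.php HTTP/1.1\r\n", "to_server", "established"),
    session("tcp", "10.1.2.3", 51002, "203.0.113.30", 443, b"\x16\x03\x01", "to_server", "established"),
    session("udp", "192.168.5.5", 40000, "10.0.0.53", 53, b"\x12\x34\x01\x00"),      # internal resolver
    session("udp", "192.168.5.5", 40001, "198.51.100.53", 53, b"\x12\x34\x01\x00"),  # external resolver
]

if __name__ == "__main__":
    for sid, msg, src, dst in match_flows(SAMPLE_RULES, SAMPLE_FLOWS):
        print(f"[1:{sid}:1] {msg}  {src} -> {dst}")
```

Run it directly and it prints one line per alert: the IRC session, the HTTP request on port 8080, and the DNS query to the external resolver fire, while the HTTPS session and the query to the internal resolver stay quiet. The dict(rule["opts"]) shortcut means a rule with several content: matches collapses to the last one and nocase applies to every content in the rule; a real engine evaluates each content in order with its own modifiers, handles |hex| escapes, and matches against reassembled streams rather than a single payload buffer.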

I highly recommend you take a look at Suricata if you're involved with IDS in any way or if you're looking to see what the future holds. It's an exciting project that holds a lot of potential for those of us facing the problems of monitoring faster and faster networks.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
