
Learning Rust: hash map lookup/insert pattern
In Suricata we’re experimenting with implementing app-layer parsers in Rust. See Pierre Chifflier’s presentation at the last SuriCon: [pdf]. The first experimental parsers will soon land in master. So coming from a C world I often use a pattern like: …
Vuurmuur Development Update
Over the holidays I’ve spent some time refreshing the Vuurmuur code. One major thing that is now done is that the 3 different ‘projects’ (libvuurmuur, vuurmuur and vuurmuur-conf) are now merged into a single ‘project’. This means that a single …
Suricata bits, ints and vars
Since the beginning of the project we’ve spoken about variables on multiple levels. Of course flowbits defined by the Snort language came first, but other flow based variables quickly followed: flowints for basic counting, and vars for extracting data using …

Fuzzing Suricata with pcaps
Yesterday I wrote about fuzzing Suricata with AFL. Today I’m going to show another way. Since early in the project, we’ve shipped a Perl-based fuzzer called ‘wirefuzz’. The tool is very simple. It takes a list of pcaps, changes …

Fuzzing Suricata with AFL
AFL is a very powerful fuzzer that tries to be smarter than random-input-generating fuzzers. It’s cool, but needs a bit more babysitting. I’ve added some support to Suricata to assist AFL. Here’s how to get started on …

Suricata 3.0 is out!
Today, almost 2 years after the release of Suricata 2.0, we released 3.0! This new version of Suricata improves performance, scalability, accuracy and general robustness. Next to this, it brings a lot of new features. New features are too numerous …

New Suricata release model
As the team is back from a very successful week in Barcelona, I’d like to take a moment to reflect on what we discussed and decided on with regards to development. One thing no one was happy with is how the release …
Suricata profiling per keyword
Last week I’ve added some more profiling options to Suricata. It’s part of the current git master. It’s enabled only when built with --enable-profiling, and then configured through the suricata.yaml:

profiling:
  # per keyword profiling
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes

This will output a table similar to below:

--------------------------------------------------------------------------
Date: 11/7/2013 ...
OISF meeting in DC next July
We’re doing a public OISF meeting in DC next July. Everyone that’s interested, please show up! Here is the original announcement: We'll be having a public forum and brainstorming session in Washington DC on July 16th, 2009! This session will be a mix of technical and political issues. We encourage ...
Window scaling normalization in Snort_inline broken by design
After debugging some connection problems I found that the wscale normalization concept is flawed. I’ll describe here what is wrong with it and then move on to suggest a different solution I’m currently testing. The problem I was seeing is that some connections to some webservers stalled without an apparent ...