Network intrusion detection engine Suricata 1.1 stable release
fmms, 13 years ago
<p>Suricata is a network intrusion detection and prevention engine developed by the Open Information Security Foundation (OISF) and the vendors that support it. The engine is multi-threaded, has built-in IPv6 support, can load predefined rule sets, and supports the Barnyard and Barnyard2 tools.</p>
<p>The main changes in Suricata 1.1 are as follows:</p>
<p>Notable Improvements</p>
<p> * performance improvements<br />
 * – new default pattern matcher<br />
 * – multi pattern matcher inspection of HTTP buffers<br />
 * – improved running modes<br />
 * accuracy was greatly improved<br />
 * improved logging<br />
 * – extended HTTP logging<br />
 * – support of stream event logging<br />
 * IPS improvements<br />
 * – inline mode for stream engine<br />
 * – new keyword and running options for Netfilter based IPS<br />
 * removal of the unified1 output plugins (#353)</p>
<p>New features</p>
<p> * new keywords ssl_state, ssl_version (#258, #262)<br />
 * support for http_raw_header, http_stat_msg, http_stat_code and http_raw_uri keywords (#259, #260)<br />
 * new keyword support: nfq_set_mark<br />
 * support for suppress keyword was added (#274)<br />
 * byte_extract keyword support was added<br />
 * new default pattern matcher, Aho-Corasick based, that uses much less memory and performs better<br />
 * fast_pattern &amp; multi pattern matching support for HTTP buffers<br />
 * extended HTTP request logging for use with (among other things) http_agent for Sguil (#38)<br />
 * new counters in stats.log for flow and stream engines (#348)<br />
 * AF_PACKET support for high speed packet capture<br />
 * advanced and fine tuning of CPU affinity settings for enhanced multicore performance<br />
 * “replace” keyword support for IPS mode (#303)<br />
 * new “workers” runmode for multi-dev and/or clustered PF_RING, AF_PACKET, pcap<br />
 * added “stream-event” keyword to match on TCP session anomalies<br />
 * inline mode for the stream engine (#230, #248)<br />
 * included an example decoder-events.rules file<br />
 * pcap logging / recording output was added<br />
 * basic SCTP protocol parsing was added<br />
 * reference.config support as supplied by ET/ETpro and VRT<br />
 * SMTP protocol parser and protocol detection were added<br />
 * better handling of detection for timed out TCP sessions<br />
 * improved protocol detection accuracy with additional support for port based detection</p>
<p>Fixes since 1.1rc1</p>
<p> * CUDA build fixed<br />
 * minor pcap, AF_PACKET and PF_RING fixes (#368)<br />
 * bpf handling fix<br />
 * Windows CYGWIN build<br />
 * more cleanups<br />
<br />
Project site: <a href="/misc/goto?guid=4958195937250259370" target="_blank">http://www.openinfosecfoundation.org/</a></p>
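<p>Several of the new rule keywords listed above (http_stat_code, http_stat_msg, http_raw_uri, ssl_version, stream-event) and the suppress directive, shown in use in an added example rules file that is not part of the announcement or of the Suricata project's own rule sets; the SIDs, message texts, matched values and the 192.0.2.10 address are assumptions chosen for illustration.</p>

```suricata
# Added example rules (not from the announcement or the Suricata project).
# SIDs, messages and matched values are assumptions chosen for illustration.

# http_stat_code / http_stat_msg restrict the match to the HTTP response
# status line instead of the whole response, so "500" in a page body does
# not fire. A burst of these from an internal server is worth a look
# (fuzzing, or a failed exploitation attempt against the application).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE HTTP 500 from internal web server"; flow:established,to_client; content:"500"; http_stat_code; content:"Internal Server Error"; http_stat_msg; classtype:misc-activity; sid:1000001; rev:1;)

# http_raw_uri inspects the URI as sent on the wire. The normalized
# http_uri buffer would already have decoded %2e%2e%2f to ../, so matching
# the raw form catches the encoded traversal attempt specifically.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE encoded directory traversal in raw URI"; flow:established,to_server; content:"%2e%2e%2f"; http_raw_uri; nocase; classtype:web-application-attack; sid:1000002; rev:1;)

# ssl_version matches on the negotiated SSL/TLS version parsed by the TLS
# app-layer parser; here it flags legacy SSLv2 sessions leaving the network
# as a policy finding rather than a content match.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE SSLv2 session negotiated"; flow:established; ssl_version:sslv2; classtype:policy-violation; sid:1000003; rev:1;)

# stream-event matches on TCP session anomalies raised by the stream engine
# (the same class of events the shipped decoder-events.rules file covers).
alert tcp any any -> any any (msg:"EXAMPLE TCP SYN/ACK seen in wrong direction"; stream-event:3whs_synack_in_wrong_direction; classtype:protocol-command-decode; sid:1000004; rev:1;)

# The suppress keyword lives in threshold.config, not in the rules file. It
# silences sid 1000001 for one known-noisy source without disabling the
# rule for everyone else (192.0.2.10 is a constructed documentation address):
#   suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10
```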