Profile

Jeff Weeks

  • Login: jweeks
  • Registered on: 01/29/2021
  • Last sign in: 01/18/2024

Issues

  • Assigned issues: 6 open, 0 closed, 6 total
  • Reported issues: 7 open, 0 closed, 7 total

Activity

12/12/2023

07:37 PM Suricata Bug #6623: Suricata BPF filter differs from tcpdump (tcpdump behaviour seems correct)
Victor Julien wrote in #note-1:
> Suricata calls @pcap_compile@ with @optimize=1@ and @mask=0@. Are you seeing the sa...
Jeff Weeks
03:59 PM Suricata Bug #6623 (New): Suricata BPF filter differs from tcpdump (tcpdump behaviour seems correct)
Attempting to create a filter that doesn't inspect local/east-west traffic can be done various ways in tcpdump, but t...
Jeff Weeks

01/29/2021

08:53 PM Suricata Feature #4285 (New): Add an optional "active flow timeout" for long lived flows
YAF is a flow meter which has a feature whereby every 30 minutes a new record is created for a long lived flow.
In or...
Jeff Weeks
08:42 PM Suricata Feature #4284 (New): Expose (via the flow record log) whether a flow was picked up midstream
It can be beneficial to know whether a flow record is describing a flow picked up midstream (vs describing a flow whe...
Jeff Weeks
08:34 PM Suricata Feature #4283 (New): Configure the proper flow direction if we see the SYN/ACK first
Even if we didn't see the SYN, we can get an accurate from direction if the first packet is a SYN/ACK, because we kno...
Jeff Weeks
08:23 PM Suricata Feature #4282 (New): Ensure that the flags used for the initial TCP packets are saved
Suricata saves the TCP flags which it sees inside `struct TcpStream_::tcp_flags` but this contains a union of all fla...
Jeff Weeks
07:38 PM Suricata Feature #4281 (New): Add a log indicating when all worker threads are able to process packets
Depending on the configuration used, the time it takes for Suricata to initialize and have worker threads ready to pr...
Jeff Weeks
05:25 PM Suricata Feature #4279 (In Review): Optionally allow hashing truncated files, and a maximum length to hash
The hash of a truncated file is still valuable information, as is the hash of the first N bytes of a file.
Both of t...
Jeff Weeks
