Dalton 3.0.0 has been released – GitHub - secureworks/dalton: Suricata and Snort IDS rule and pcap testing system
Dalton is a system that allows a user to quickly and easily run network packet captures (“pcaps”) against an intrusion detection system (“IDS”) sensor of his or her choice (e.g. Snort, Suricata) using defined rulesets and/or bespoke rules. It also includes a wizard-like web interface for Flowsynth (GitHub - secureworks/flowsynth: a network packet capture compiler) to facilitate custom pcap creation.
This release contains a number of tweaks and back-end updates. Some notable changes:
- Move to Python 3 from Python 2.
- Better Suricata EVE log support in UI now that unified2 is no longer supported with Suricata v6; can format/highlight, view in “dark mode”, and download directly from the UI.
- Support for running jobs using Suricata socket control and enabled it by default. Now Suricata doesn’t have to restart (load config, rules, etc.) between jobs if the config and rules stay the same.
- Ability to easily enable SSL/TLS on the Controller.
- Additions, updates, and fixes to the API to reduce complexity and make it work as expected.
- Can now submit multiple pcaps (or an archive with multiple pcaps) and have them processed as individual jobs.
- Display the number of alerts for finished jobs on the Queue page.
- Ubuntu docker containers now use 18.04.
- Use more recent versions of libraries, e.g. flask, jquery, etc.
- Minor UI reorganization. Variables are no longer bifurcated from the rest of the config.
- Dalton agent now has configurable “config” parameter that it can submit to tell controller which config to use.
- Updated documentation to reflect current reality.
- Sundry other bug fixes and enhancements.