bro befriends suricata suricata and bro fighting malware
play

BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER - PDF document

Sep 14, 2022 •405 likes •894 views

Bro Befriends Suricata 23/09/16 20 : 23 BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski @michalpurzynski / Scripts are here - https://github.com/michalpurzynski

  1. Bro Befriends Suricata 23/09/16 20 : 23 BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski @michalpurzynski / Scripts are here - https://github.com/michalpurzynski https://log.nusec.eu/brocon2016/?print-pdf#/ Page 1 of 47

  2. Bro Befriends Suricata 23/09/16 20 : 23 https://log.nusec.eu/brocon2016/?print-pdf#/ Page 2 of 47

  3. Bro Befriends Suricata 23/09/16 20 : 23 https://log.nusec.eu/brocon2016/?print-pdf#/ Page 3 of 47

  4. Bro Befriends Suricata 23/09/16 20 : 23 WHOAMI Part of the team doing enterprise information security We don't do product security We monitor our infrastructure We respond to security investigations and incidents We help developers design and implement security controls We build tools & services to keep users secure "A human wireshark". A threat. Management. https://log.nusec.eu/brocon2016/?print-pdf#/ Page 4 of 47

  5. Bro Befriends Suricata 23/09/16 20 : 23 NSM IN MOZILLA 9 O ff ices 3 Continents 1 Datacenter X AWS Around 20 sensors and who knows how many workers :-) From 2012. Netoptics, now Arista. https://log.nusec.eu/brocon2016/?print-pdf#/ Page 5 of 47

  6. Bro Befriends Suricata 23/09/16 20 : 23 MOZILLA CONTRIBUTIONS TO BRO IDS PR. Tons of PR. Largest (problematic) installation ever. AUS? Heka-Lua scripts for parsing logs Tons of bug reports (SSL, hello Bugzilla) 76 scripts - 4200 LoC - OpenSource $$$$ 200 000 Myricom plugin (+Seth) Ansible playbooks - OpenSource https://log.nusec.eu/brocon2016/?print-pdf#/ Page 6 of 47

  7. Bro Befriends Suricata 23/09/16 20 : 23 WE HAVE A SECRET I WILL SHARE A SECRET IS SHARED SECRET STILL A SECRET? https://log.nusec.eu/brocon2016/?print-pdf#/ Page 7 of 47

  8. Bro Befriends Suricata 23/09/16 20 : 23 BRO IS NOT THE ONLY IDS WE USE!! We use Suricata too Actually, a whole mob https://log.nusec.eu/brocon2016/?print-pdf#/ Page 8 of 47

  9. Bro Befriends Suricata 23/09/16 20 : 23 BTW - WHAT IS AN IDS? An intrusion detection system (IDS) is a device or so " ware application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. https://log.nusec.eu/brocon2016/?print-pdf#/ Page 9 of 47

  10. Bro Befriends Suricata 23/09/16 20 : 23 KEYWORDS malicious activity <-- known indicators policy violations <-- known rules Missing? 'anomalies' <-- unknown No perfect tool for the job NSA? FSB? Ransomware and old Java? Risk managent FTW!! https://log.nusec.eu/brocon2016/?print-pdf#/ Page 10 of 47

  11. Bro Befriends Suricata 23/09/16 20 : 23 https://log.nusec.eu/brocon2016/?print-pdf#/ Page 11 of 47

  12. Bro Befriends Suricata 23/09/16 20 : 23 CAN'T GET ENOUGH https://log.nusec.eu/brocon2016/?print-pdf#/ Page 12 of 47

  13. Bro Befriends Suricata 23/09/16 20 : 23 SPEAKING ABOUT TOOLS https://log.nusec.eu/brocon2016/?print-pdf#/ Page 13 of 47

  14. Bro Befriends Suricata 23/09/16 20 : 23 SPEAKING ABOUT TOOLS https://log.nusec.eu/brocon2016/?print-pdf#/ Page 14 of 47

  15. Bro Befriends Suricata 23/09/16 20 : 23 SPEAKING ABOUT TOOLS https://log.nusec.eu/brocon2016/?print-pdf#/ Page 15 of 47

  16. Bro Befriends Suricata 23/09/16 20 : 23 SPEAKING ABOUT TOOLS https://log.nusec.eu/brocon2016/?print-pdf#/ Page 16 of 47

  17. Bro Befriends Suricata 23/09/16 20 : 23 SPEAKING ABOUT TOOLS { "category": "execve", "processid": "0", "receivedtimestamp": "2014-03-01T15:22:54.457658+00:00", "severity": "INFO", "utctimestamp": "2014-03-01T15:22:54+00:00", "tags": ["audisp-json", "2.0.0", "audit"], "timestamp": "2014-03-01T15:22:54+00:00", "hostname": "admin1a.private.scl3.mozilla.com", "mozdefhostname": "mozdef2.private.scl3.mozilla.com", "summary": "Execve: nmap 63.245.214.53 -p22 -Pn", "processname": "audisp-json", "details": { "fsuid": "3407", "tty": "(none)", "uid": "3407", https://log.nusec.eu/brocon2016/?print-pdf#/ Page 17 of 47

  18. Bro Befriends Suricata 23/09/16 20 : 23 BASIC IDS FUNCTIONALITY Stream reconstruction Protocol level analysis Pattern recognition Decompressing content (HTTP) https://log.nusec.eu/brocon2016/?print-pdf#/ Page 18 of 47

  19. Bro Befriends Suricata 23/09/16 20 : 23 https://log.nusec.eu/brocon2016/?print-pdf#/ Page 19 of 47

  20. Bro Befriends Suricata 23/09/16 20 : 23 SURICATA IN 2016 IDS and IPS (nfq) Multi threading Protocol identification (port independent) File identification and extraction, hash calculation Deep TLS analysis Application layer logs (in JSON) Lua scripting https://log.nusec.eu/brocon2016/?print-pdf#/ Page 20 of 47

  21. Bro Befriends Suricata 23/09/16 20 : 23 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; content:".php?id="; http_uri; fast_pattern:only; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F] {32,}&rnd=\d+$/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021787; rev:2;) LOOK MUM - NO PORTS!! https://log.nusec.eu/brocon2016/?print-pdf#/ Page 21 of 47

  22. Bro Befriends Suricata 23/09/16 20 : 23 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cryptowall docs campaign Sept 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|23 31 f9 4f 62 57 73 67|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021778; rev:2;) MATCHING FILE_DATA LIKE A B^HPRO https://log.nusec.eu/brocon2016/?print-pdf#/ Page 22 of 47

  23. Bro Befriends Suricata 23/09/16 20 : 23 EVENT LOGS { "timestamp": "2009-11-24T21:27:09.534255", "event_type": "alert", "src_ip": "192.168.2.7", "src_port": 1041, "dest_ip": "x.x.250.50", "dest_port": 80, "proto": "TCP", "alert": { "action": "allowed", "gid": 1, "signature_id" :2001999, "rev": 9, "signature": "ET MALWARE BTGrab.com Spyware Downloading Ads", "category": "A Network Trojan was detected", "severity": 1 https://log.nusec.eu/brocon2016/?print-pdf#/ Page 23 of 47

  24. Bro Befriends Suricata 23/09/16 20 : 23 LUA IS COOL. AND RICH, TOO. --[[ Detection for CVE-2016-0056 expects DOCX This lua script can be run standalone and verbosely on a Flash file with echo "run()" | luajit -i script name docx file Francis Trudeau With no help from Darien even though he loves LUA. --]] require("zip") function init (args) local needs = {} needs["http.response_body"] = tostring(true) return needs alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT MS Office Word Doc Use After Free Vulnerability CVE-2016-0056" https://log.nusec.eu/brocon2016/?print-pdf#/ Page 24 of 47

  25. Bro Befriends Suricata 23/09/16 20 : 23 CUSTOM HEADER MISSING? Adding new protocol level fields - C code changes Something invisible from Lua - C code changes New input like Myricom/Netmap - C code changes Sometimes add on functionality presents challenges https://log.nusec.eu/brocon2016/?print-pdf#/ Page 25 of 47

  26. Bro Befriends Suricata 23/09/16 20 : 23 module MozillaHTTPHeaders; export { redef record Intel::Info += { ## True client IP address added by our ZLBs cluster_client_ip: string &log &optional; }; redef record Intel::Seen += { ## Log value of the X-CLUSTER-CLIENT-IP ## True client IP address added by our ZLBs cluster_client_ip: string &log &optional; }; redef record HTTP::Info += { ## Log value of the X-CLUSTER-CLIENT-IP https://log.nusec.eu/brocon2016/?print-pdf#/ Page 26 of 47

  27. Bro Befriends Suricata 23/09/16 20 : 23 I JUST COULD NOT RESIST Bro Suricata Intel Extend it - custom Hardcoded fields Framework fields Logs Rich, easy to Hardcoded extend Scripting Bro IS scripting Lua - hardcoded but powerful https://log.nusec.eu/brocon2016/?print-pdf#/ Page 27 of 47

  28. Bro Befriends Suricata 23/09/16 20 : 23 ON THE OTHER HAND Bro Suricata Care and feed Lots Just runs Performance A few Gbit/sec 10? 20? 40Gbit/sec? 20 000 rules https://log.nusec.eu/brocon2016/?print-pdf#/ Page 28 of 47

  29. Bro Befriends Suricata 23/09/16 20 : 23 WHAT ARE WE HUNTING FOR? With Suricata. And Why. Can I do it with Bro? https://log.nusec.eu/brocon2016/?print-pdf#/ Page 29 of 47

  30. Bro Befriends Suricata 23/09/16 20 : 23 CnC - insane detection capabilities, tons of rules 2016-07-15T17:57:58+0000 CT7wYb3MaOc2KNL6P 10.252.28.186 60158 70.38.27.158 80 1 GET support.pckeeper.com /ping.html - PCKAV (1.1.1049.0) 6.2.9200.0 x64 0 6 200 OK - - (empty) - - - - - FHii7k1cPGiCRJdDvk - - - 1.1 Where can we send this function? Nowhere. It stays here. https://log.nusec.eu/brocon2016/?print-pdf#/ Page 30 of 47

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as a SSL monitor Suricata as a passive DNS probe Suricata as a flow probe Suricata as a malware detector VirtualBox setup File -&gt;

1.16k views • 78 slides
Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 . Leblond (OISF) Suricata and XDP Nov. 29, 2018 1 / 43 Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet

786 views • 59 slides
Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Her Special thanks Robert Haist, DCSO Victor Julien, lead developer suricata,

598 views • 29 slides
Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 1 / 43 Eric Leblond a.k.a Regit French Network security expert Free Software

667 views • 47 slides
Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 1 / 52 Eric Leblond a.k.a Regit French Network security expert Free

536 views • 42 slides
Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien

Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien

Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien @inliniac http://www.inliniac.net/ Content of this talk Introduction to Suricata, OISF Eric Leblond will speak about recent

580 views • 47 slides
Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 1 / 60 Netfilter 1 Nftables Tables and chains Rules Suricata

1.09k views • 75 slides
Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF)

Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF)

Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 1 / 40 Some word about me Eric Leblond French Previously, co-founder and CTO of EdenWall

2.73k views • 62 slides
Suricata IDPS and Linux kernel . Leblond, G. Longo Stamus Networks February 10, 2016 .

Suricata IDPS and Linux kernel . Leblond, G. Longo Stamus Networks February 10, 2016 .

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Suricata IDPS and Linux kernel . Leblond, G. Longo Stamus Networks February 10, 2016 . Leblond, G. Longo (Stamus Networks)

941 views • 46 slides
FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for Malware Amount of malware is growing exponentially Anti-virus and signature based approaches are reactionary, dont work for novel malware

127 views • 11 slides
Dynamite-NSM Open-source project for network traffic analysis with Zeek, Suricata, Flow Data and

Dynamite-NSM Open-source project for network traffic analysis with Zeek, Suricata, Flow Data and

Oleg Sinitsin | Dynamite.AI Dynamite-NSM Open-source project for network traffic analysis with Zeek, Suricata, Flow Data and ELK Dynamite Analytics | Dynamite.AI Dynamite Analytics | Dynamite.AI 2 Dynamite Analytics | Dynamite.AI 3

559 views • 20 slides
Fighting Malware Luis Corrons PandaLabs Technical Director 1 Who is behind this? Who is behind

Fighting Malware Luis Corrons PandaLabs Technical Director 1 Who is behind this? Who is behind

Fighting Malware Luis Corrons PandaLabs Technical Director 1 Who is behind this? Who is behind this? Yesterday s Bad Guys s Bad Guys Yesterday Blaster.B Nestky / Sasser CIH 29-A Jeffrey Lee Parson

777 views • 52 slides
Fighting Malware With GPUs In Real Time Peter Kovac kovac@avast.com www.avast.com Introduction

Fighting Malware With GPUs In Real Time Peter Kovac kovac@avast.com www.avast.com Introduction

Fighting Malware With GPUs In Real Time Peter Kovac kovac@avast.com www.avast.com Introduction Sensor network Few hundred million of user machines Hundreds of thousands new files every day Most of them clean files Thousands

1.5k views • 25 slides
Jasper Bongertz, Airbus CyberSecurity @packetjay Scanning for network IoCs is relatively easy:

Jasper Bongertz, Airbus CyberSecurity @packetjay Scanning for network IoCs is relatively easy:

Jasper Bongertz, Airbus CyberSecurity @packetjay Scanning for network IoCs is relatively easy: use an IDS/IPS snort, suricata, commercial appliances Perform live traffic analysis, or from PCAPs @packetjay IDS scan can easily result

380 views • 7 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
T riple Handshake: can cryptography, formal methods, and applied security be friends?

T riple Handshake: can cryptography, formal methods, and applied security be friends?

T riple Handshake: can cryptography, formal methods, and applied security be friends? http://miTLS.org Karthik Bhargavan Markulf Kohlweiss with Antoine Delignat-Lavaud, Cdric Fournet, Alfredo Pironti, Pierre-Yves Strub, Santiago Zanella

639 views • 46 slides
Shared Situation Awareness: The Tactical Situation Object Initially defined in the frame of the EU

Shared Situation Awareness: The Tactical Situation Object Initially defined in the frame of the EU

Shared Situation Awareness: The Tactical Situation Object Initially defined in the frame of the EU project Now published as a CEN workshop agreement Martine Couturier, EADS Defence &amp; Security

634 views • 14 slides
A Formal TLS Handshake Model in LNT Josip Bozic, Franz Wotawa Lina Marsso, Radu Mateescu Graz

A Formal TLS Handshake Model in LNT Josip Bozic, Franz Wotawa Lina Marsso, Radu Mateescu Graz

0 0 A Formal TLS Handshake Model in LNT Josip Bozic, Franz Wotawa Lina Marsso, Radu Mateescu Graz University of Technology Univ. Grenoble Alpes, Inria, Institute of Software Technology CNRS, Grenoble INP, LIG 38000 Grenoble, France 8010

603 views • 31 slides
Lecture for February 10, 2016 ECS 235A UC Davis Matt Bishop February 10, 2016 ECS 235A, Matt

Lecture for February 10, 2016 ECS 235A UC Davis Matt Bishop February 10, 2016 ECS 235A, Matt

Lecture for February 10, 2016 ECS 235A UC Davis Matt Bishop February 10, 2016 ECS 235A, Matt Bishop Slide #1 Supporting Crypto All parts of SSL use them Initial phase: public key system exchanges keys Messages enciphered using

856 views • 63 slides
Wireless Access Protocol Wireless Access Protocol (WAP) (WAP) NiePin &amp; Zhou &amp; Zhou Hu

Wireless Access Protocol Wireless Access Protocol (WAP) (WAP) NiePin &amp; Zhou &amp; Zhou Hu

Wireless Access Protocol Wireless Access Protocol (WAP) (WAP) NiePin &amp; Zhou &amp; Zhou Hu Hu NiePin HUT HUT TML Latoratory Latoratory TML T- -110.456 110.456 T Agenda Agenda WAP Introduction WAP Introduction

475 views • 22 slides
Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International

Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International

CSS441 Internet Security Web Security TLS/SSL Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015

832 views • 32 slides
Algorithms Slides Emanuele Viola 2009 present Released under Creative Commons License

Algorithms Slides Emanuele Viola 2009 present Released under Creative Commons License

Algorithms Slides Emanuele Viola 2009 present Released under Creative Commons License Attribution-Noncommercial-No Derivative Works 3.0 United States http://creativecommons.org/licenses/by-nc-nd/3.0/us/ Also, let me know if you use

1.28k views • 82 slides
Intro to CS16 CS16: Introduction to Algorithms &amp; Data Structures Spring 2020 Welcome to

Intro to CS16 CS16: Introduction to Algorithms &amp; Data Structures Spring 2020 Welcome to

Intro to CS16 CS16: Introduction to Algorithms &amp; Data Structures Spring 2020 Welcome to CS16! Seny Kamara Doug Woos Meet your TAs What is 16 about? Algorithms sequence of computer instructions for a given task Web Search in

670 views • 28 slides

More recommend