observations on the modern nsm toolchest
play

Observations on the modern NSM toolchest Christian Kreibich - PowerPoint PPT Presentation

Mar 19, 2023 •258 likes •684 views

Observations on the modern NSM toolchest Christian Kreibich christian@lastline.com Bro4Pros, March 2016 1 About me 2 For the Bro oldtimers my fault 3 4 The open-source NSM toolchest... or ? 5 Background on Lastline 6 Lastline

  1. Observations on the modern NSM toolchest Christian Kreibich christian@lastline.com Bro4Pros, March 2016 1

  2. About me 2

  3. For the Bro oldtimers ← my fault 3

  4. 4

  5. The open-source NSM toolchest... or ? 5

  6. Background on Lastline 6

  7. Lastline is... ● A software platform for malware protection 7

  8. Lastline is... 8

  9. Linux & open-source everywhere ● Distribution based on Ubuntu packaging infrastructure, with added control ● MySQL, Cassandra, Hadoop, Ceph, RabbitMQ, ZeroMQ, Protobuf, Puppet, Ansible, Suricata, PF_RING, netmap, ... 9

  10. 10

  11. The Problem 11

  12. The Lastline Sensor needs to ... ● Match industry-standard signatures ● Parse a ton of protocols ● Carve files for analysis ● Match against blacklists ● Collect basic network telemetry (NetFlow, pDNS, …) ● Be modular & extensible ● Do a bunch of clever things I can’t talk about 12

  13. The Lastline Sensor needs to ... ● Match industry-standard signatures ● Parse a ton of protocols ● Carve files for analysis ● Match against blacklists ● Collect basic network telemetry (NetFlow, pDNS, …) ● Be modular & extensible ● Do a bunch of clever things I can’t talk about 13

  14. This doesn’t exist (as open-source) 14

  15. We have tools, but no toolchest Vortex, ... pf_ring netmap packetbricks pcap 15

  16. These tools don’t mix well Vortex, ... 16

  17. ? 17

  18. ? Nope. 18

  19. Wait, another Problem 19

  20. We keep implementing the same stuff 20

  21. Need a TCP reassembler? libnids: dead. Bro: ~3,000 lines with reusable core logic Snort: ~12,000 lines Suricata: ~10,000 lines (excluding unit tests) Wireshark: ~6,000 lines (excluding MPTCP) 21

  22. 22

  23. This also applies to signature matchers and protocol parsers 23

  24. It’s getting better, right? 24

  25. 25

  26. “Rewrite critical modules like TCP reassembly and HTTP inspection” 26

  27. Project Wishlist 27

  28. libreass ● (Okay, perhaps libtcp) ● A community-maintained TCP stream reassembler ● Including a testsuite of quirky TCP pcaps ● With bindings for popular languages ● Could also handle IP defrag or HTTP content-range 28

  29. libsigmatch ● A community-maintained signature matcher ● A de-facto community standard signature language ● Fun API challenge ● Pcap test library a plus 29

  30. libprotoparse ● A community-maintained protocol parser suite 30

  31. Oh wait... 31

  32. http://www.icir.org/hilti/ Modular, secure, reusable protocol parsing. 32

  33. Additional Thoughts 33

  34. Open-source release models matter ● Our mission is not to advance an open-source product. It is to advance our own product ● Working with a beta codebase to enjoy major fixes poses enormous risks ● Results in costly patch update rounds ● Supported stable releases increase adoption 34

  35. Licensing is really important ● Contagious licenses ensure open source ● Permissive licenses foster adoption ● Choose wisely! 35

  36. So... 36

  37. The open-source NSM toolchest... or ? 37

  38. The open-source NSM toolchest... or ? 38

  39. 39

  40. The open-source NSM toolchest 40

  41. To be fair: these are great tools 41

  42. Thanks! (btw, Lastline is hiring) Christian Kreibich christian@lastline.com @ckreibich 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

THE TOOLCHEST PROJECT GUIDED BY CHRISTOPHER SCHWARZ (POPULARWOODWORKING.COM) GROUP COMPOSITION

THE TOOLCHEST PROJECT GUIDED BY CHRISTOPHER SCHWARZ (POPULARWOODWORKING.COM) GROUP COMPOSITION

THE TOOLCHEST PROJECT GUIDED BY CHRISTOPHER SCHWARZ (POPULARWOODWORKING.COM) GROUP COMPOSITION Initially four members expressed interest, but when we started with the first meeting, only two could make it. Eventually only Anzette

292 views • 14 slides
Fundamental Observations Pillars of Modern Cosmological Paradigm Universe is homogeneous and

Fundamental Observations Pillars of Modern Cosmological Paradigm Universe is homogeneous and

Fundamental Observations Pillars of Modern Cosmological Paradigm Universe is homogeneous and isotropic Night Sky is Dark Linear Expansion Light Element Abundances Microwave Background Radiation + Statistics of Large-Scale Structures

420 views • 41 slides
MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise and purify our thoughts like a strain picture, or a passage from the grander poets. It always does one good. 5 MODERN 6 MODERN 7 MODERN 8

524 views • 24 slides
Responsible use of cephalosporins experience and observations Valrie Thom as I FAH-Europe

Responsible use of cephalosporins experience and observations Valrie Thom as I FAH-Europe

Responsible use of cephalosporins experience and observations Valrie Thom as I FAH-Europe Statem ent IFAH Europe fully supports the global frame of responsible use notably for modern antibiotics Overall industry made very positive

377 views • 8 slides
Surface Observations We now look at some hourly surface observations to study the frontal

Surface Observations We now look at some hourly surface observations to study the frontal

Surface Observations We now look at some hourly surface observations to study the frontal passages which occurred in association with the November 10, 1998 storm. Time-traces of pressure, surface wind, temperature and dew- point, together with

412 views • 20 slides
H6751 Summary Zhao Rui Agenda 1. Modern AI 2. Course Summary Modern AI Modern AI

H6751 Summary Zhao Rui Agenda 1. Modern AI 2. Course Summary Modern AI Modern AI

H6751 Summary Zhao Rui Agenda 1. Modern AI 2. Course Summary Modern AI Modern AI (90s-present) Stat Model :Pearl (1988) promote Bayesian networks in AI to model uncertainty (based on Bayes rule from 1700) Stat Model: infer the

441 views • 11 slides
Wonders of Modern Architecture Oh, the wonders of modern architecture! The geniuses of

Wonders of Modern Architecture Oh, the wonders of modern architecture! The geniuses of

Wonders of Modern Architecture Oh, the wonders of modern architecture! The geniuses of architecture today continue to create design masterpieces that could make one proud of being a citizen of the 21st Century! Enjoy the beauty of these modern

832 views • 52 slides
Use of observations in data assimilation Grald Desroziers Mto-France, Toulouse, France

Use of observations in data assimilation Grald Desroziers Mto-France, Toulouse, France

Use of observations in data assimilation Grald Desroziers Mto-France, Toulouse, France Outline Introduction Optimizing observation error statistics Ensembles based on a perturbation of observations Impact of observations

318 views • 13 slides
Apprenticeships Modern Apprenticeships Tackling Scotlands skills gap Modern

Apprenticeships Modern Apprenticeships Tackling Scotlands skills gap Modern

Modern and Graduate Apprenticeships Modern Apprenticeships Tackling Scotlands skills gap Modern Apprenticeships help employers to develop their workforce by training new staff, and upskilling existing employees. For individuals, an MA is

532 views • 6 slides
OBSERVATIONS OF GRBs IN VERY HIGH ENERGY REGIME OBSERVATIONS OF GRBs IN VERY HIGH ENERGY REGIME

OBSERVATIONS OF GRBs IN VERY HIGH ENERGY REGIME OBSERVATIONS OF GRBs IN VERY HIGH ENERGY REGIME

OBSERVATIONS OF GRBs IN VERY HIGH ENERGY REGIME OBSERVATIONS OF GRBs IN VERY HIGH ENERGY REGIME Alessandro Carosi INAF/ASI Science Data Center & University of Siena title FENOMENOLOGY OF GRB: Disovered in 1973 by Vela satellites: 12 GRB in

497 views • 33 slides
Modern Defense Tooling Artificial intelligence as a defense platform Ameen Altajer Modern

Modern Defense Tooling Artificial intelligence as a defense platform Ameen Altajer Modern

Modern Defense Tooling Artificial intelligence as a defense platform Ameen Altajer Modern Defense Tooling A drastic change in the modern AI landscape The work of both DeepMind and OpenAI is a testament of how things drastically changed Modern

700 views • 15 slides
Modern Mississippi Chapters 10-11 MS state flag, seal and Coat of Arms Chp 10 &11 (Modern

Modern Mississippi Chapters 10-11 MS state flag, seal and Coat of Arms Chp 10 &11 (Modern

Modern Mississippi Chapters 10-11 MS state flag, seal and Coat of Arms Chp 10 &11 (Modern MS) 2 Chp 10 &11 (Modern MS) 3 Modern Mississippi Statistics As of the year 2000, MS had a population of 2,844,658. The largest city

1.09k views • 60 slides
Recent Highlights from AGN Observations with Fermi-LAT Observations with Fermi-LAT

Recent Highlights from AGN Observations with Fermi-LAT Observations with Fermi-LAT

Sep.12, 2009 JSPS meeting @Konan Univ. JSPS meet ng @Konan Un v. Recent Highlights from AGN Observations with Fermi-LAT Observations with Fermi-LAT Jun KATAOKA (/) on

658 views • 24 slides
Wrap-up Whats the output? What we heard Observations DNT and Policy

Wrap-up Whats the output? What we heard Observations DNT and Policy

Wrap-up Whats the output? What we heard Observations DNT and Policy and Beyond Observations EU cookie directive, legal aspects of behavioral targeting user studies: attitudes, usability, what do

297 views • 8 slides
Using Modern C++ In Anger Todd L. Montgomery @toddlmontgomery Aeron and C++? What

Using Modern C++ In Anger Todd L. Montgomery @toddlmontgomery Aeron and C++? What

StoneTor Using Modern C++ In Anger Todd L. Montgomery @toddlmontgomery Aeron and C++? What constitutes Modern C++ ? How Aeron Adopts Modern C++? What Lessons were learned? Whats Next ? Aeron and C++? Truly modern

2.03k views • 98 slides
CONSULTANT TEAM PRESENTATION ON PA SEPT 14 REVISED PLAN September 27, 2018 AGENDA

CONSULTANT TEAM PRESENTATION ON PA SEPT 14 REVISED PLAN September 27, 2018 AGENDA

CONSULTANT TEAM PRESENTATION ON PA SEPT 14 REVISED PLAN September 27, 2018 AGENDA Introduction High level Plan metrics Cross-Cutting Observations C&I Observations Residential Observations Low Income Observations

909 views • 31 slides
!"#$%&' +,-./,.-01+,-./,.-02/3456-78398 +0:.09/01+,-./,.-02/3456-78398

!"#$%&' +,-./,.-01+,-./,.-02/3456-78398 +0:.09/01+,-./,.-02/3456-78398

!"#$%&' +,-./,.-01+,-./,.-02/3456-78398 +0:.09/01+,-./,.-02/3456-78398 (6-/2;<2(6-,71=0934 ;8878,69,2;>?.9/,2@-3A0883- B056-,409,23A2'735C6-46/0.,7/6D2+/709/08 E0F-.6-G2$H ,C I2"!!& '()"!* !"#$%#!&

1.52k views • 107 slides
CDC Update Regarding Aerosol vs. Airborne vs. Droplet Transmission &

CDC Update Regarding Aerosol vs. Airborne vs. Droplet Transmission &

CDC Update Regarding Aerosol vs. Airborne vs. Droplet Transmission & Protection David Reznik, DDS Gary Severance, DDS Director of the Oral Health Center of Executive Leader of Professional Grady Health Systems

721 views • 35 slides
Formulation of Privacy What information can be published? Average height of US people

Formulation of Privacy What information can be published? Average height of US people

Zhenjie Zhang Advanced Digital Sciences Center, Singapore (Thanks to Xiaokui Xiao for contributing slides) Formulation of Privacy What information can be published? Average height of US people Height of an individual Intuition:

513 views • 33 slides
Approximability of Dodgsons Rule John McCabe-Dansted Department of Computer Science

Approximability of Dodgsons Rule John McCabe-Dansted Department of Computer Science

Approximability of Dodgsons Rule John McCabe-Dansted Department of Computer Science University of West Australia Geoffrey Pritchard Department of Statistics The University of Auckland Arkadii Slinko Department of Mathematics

481 views • 13 slides
Reading Wikipedia to Answer Open-Domain Questions Authors - Danqi Chen Introduction

Reading Wikipedia to Answer Open-Domain Questions Authors - Danqi Chen Introduction

Reading Wikipedia to Answer Open-Domain Questions Authors - Danqi Chen Introduction Answering factoid questions in an open-domain setting Using Wikipedia as the unique knowledge source Document Retriever Articles and questions are

757 views • 39 slides
Statistical Inference on Large Contingency Tables: Convergence, Testability, Stability Marianna

Statistical Inference on Large Contingency Tables: Convergence, Testability, Stability Marianna

Preliminaries Convergence of contingency tables Testability Homogeneous partitions, spectra Application References Statistical Inference on Large Contingency Tables: Convergence, Testability, Stability Marianna Bolla Institute of

839 views • 60 slides
SELECT THE RIGHT ABSTRACT INTERESTINGNESS MEASURE FOR ASSOCIATION PATTERNS Many techniques

SELECT THE RIGHT ABSTRACT INTERESTINGNESS MEASURE FOR ASSOCIATION PATTERNS Many techniques

SELECT THE RIGHT ABSTRACT INTERESTINGNESS MEASURE FOR ASSOCIATION PATTERNS Many techniques for association rule mining and feature selection require a suitable metric to capture the dependencies among variables in a data set. Pang-Ning

273 views • 9 slides
Chapter 11 Categorical Data Analysis Categorical Data and the Multinomial Distribution

Chapter 11 Categorical Data Analysis Categorical Data and the Multinomial Distribution

Chapter 11 Categorical Data Analysis Categorical Data and the Multinomial Distribution Properties of the Multinomial Experiment 1. Experiment has n identical trials 2. There are k possible outcomes to each trial, called classes, categories or

231 views • 12 slides

More recommend