SLIDE 1
Observations on the modern NSM toolchest
Christian Kreibich
christian@lastline.com
Bro4Pros, March 2016
1
About me
2
Observations on the modern NSM toolchest Christian Kreibich - - PowerPoint PPT Presentation
Observations on the modern NSM toolchest Christian Kreibich - - PowerPoint PPT Presentation
Observations on the modern NSM toolchest Christian Kreibich christian@lastline.com Bro4Pros, March 2016 1 About me 2 For the Bro oldtimers my fault 3 4 The open-source NSM toolchest... or ? 5 Background on Lastline 6 Lastline
SLIDE 2
SLIDE 3
For the Bro oldtimers
3
← my fault
SLIDE 4
4
SLIDE 5
The open-source NSM toolchest...
5
- r
?
SLIDE 6
Background on Lastline
6
SLIDE 7
Lastline is...
7
- A software platform for malware protection
SLIDE 8
Lastline is...
8
SLIDE 9
Linux & open-source everywhere
9
- Distribution based on Ubuntu packaging
infrastructure, with added control
- MySQL, Cassandra, Hadoop, Ceph, RabbitMQ,
ZeroMQ, Protobuf, Puppet, Ansible, Suricata, PF_RING, netmap, ...
SLIDE 10
10
SLIDE 11
The Problem
11
SLIDE 12
The Lastline Sensor needs to ...
12
- Match industry-standard signatures
- Parse a ton of protocols
- Carve files for analysis
- Match against blacklists
- Collect basic network telemetry (NetFlow, pDNS, …)
- Be modular & extensible
- Do a bunch of clever things I can’t talk about
SLIDE 13
The Lastline Sensor needs to ...
13
- Match industry-standard signatures
- Parse a ton of protocols
- Carve files for analysis
- Match against blacklists
- Collect basic network telemetry (NetFlow, pDNS, …)
- Be modular & extensible
- Do a bunch of clever things I can’t talk about
SLIDE 14
This doesn’t exist
(as open-source)
14
SLIDE 15
15
We have tools, but no toolchest
Vortex, ... netmap pcap pf_ring packetbricks
SLIDE 16
16
These tools don’t mix well
Vortex, ...
SLIDE 17
17
?
SLIDE 18
18
? Nope.
SLIDE 19
Wait, another Problem
19
SLIDE 20
We keep implementing the same stuff
20
SLIDE 21
Need a TCP reassembler?
libnids: dead. Bro: ~3,000 lines with reusable core logic Snort: ~12,000 lines Suricata: ~10,000 lines (excluding unit tests) Wireshark: ~6,000 lines (excluding MPTCP)
21
SLIDE 22
22
SLIDE 23
This also applies to signature matchers and protocol parsers
23
SLIDE 24
It’s getting better, right?
24
SLIDE 25
25
SLIDE 26
26
“Rewrite critical modules like TCP reassembly and HTTP inspection”
SLIDE 27
Project Wishlist
27
SLIDE 28
libreass
28
- (Okay, perhaps libtcp)
- A community-maintained TCP stream reassembler
- Including a testsuite of quirky TCP pcaps
- With bindings for popular languages
- Could also handle IP defrag or HTTP content-range
SLIDE 29
libsigmatch
29
- A community-maintained signature matcher
- A de-facto community standard signature language
- Fun API challenge
- Pcap test library a plus
SLIDE 30
libprotoparse
30
- A community-maintained protocol parser suite
SLIDE 31
Oh wait...
31
SLIDE 32
http://www.icir.org/hilti/ Modular, secure, reusable protocol parsing.
32
SLIDE 33
Additional Thoughts
33
SLIDE 34
Open-source release models matter
34
- Our mission is not to advance an open-source
- product. It is to advance our own product
- Working with a beta codebase to enjoy major fixes
poses enormous risks
- Results in costly patch update rounds
- Supported stable releases increase adoption
SLIDE 35
Licensing is really important
35
- Contagious licenses ensure
- pen source
- Permissive licenses foster
adoption
- Choose wisely!
SLIDE 36
So...
36
SLIDE 37
The open-source NSM toolchest...
37
- r
?
SLIDE 38
The open-source NSM toolchest...
38
- r
?
SLIDE 39
39
SLIDE 40
40
The open-source NSM toolchest
SLIDE 41
41
To be fair: these are great tools
SLIDE 42
42
Thanks!
(btw, Lastline is hiring) Christian Kreibich
christian@lastline.com @ckreibich