suricata 2 0 netfilter and the prc
play

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks - PowerPoint PPT Presentation

Jul 20, 2023 •114 likes •536 views

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 1 / 52 Eric Leblond a.k.a Regit French Network security expert Free

  1. Suricata 2.0, Netfilter and the PRC Éric Leblond Stamus Networks April 26, 2014 Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 1 / 52

  2. Eric Leblond a.k.a Regit French Network security expert Free Software enthousiast NuFW project creator (Now ufwi), EdenWall co-founder Netfilter developer: Maintainer of ulogd2: Netfilter logging daemon Misc contributions: NFQUEUE library and associates Port of some features iptables to nftables Currently: co-founder of Stamus Networks, a company providing Suricata based network probe appliances. Suricata IDS/IPS funded developer Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 2 / 52

  3. What is Suricata IDS and IPS engine Get it here: http://www.suricata-ids.org Open Source (GPLv2) Funded by US government and consortium members Run by Open Information Security Foundation (OISF) More information about OISF at http://www. openinfosecfoundation.org/ Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 5 / 52

  4. Suricata Features High performance, scalable through multi threading Protocol identification File identification, extraction, on the fly MD5 calculation TLS handshake analysis, detect/prevent things like Diginotar Hardware acceleration support: Endace Napatech, CUDA PF_RING Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 6 / 52

  5. Suricata Features Rules and outputs compatible to Snort syntax useful logging like HTTP request log, TLS certificate log, DNS logging Lua scripting for detection Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 7 / 52

  6. Suricata capture modes IDS pcap: multi OS capture pf_ring: Linux high performance af_packet: Linux high performance on vanilla kernel . . . IPS NFQUEUE: Using Netfilter on Linux ipfw: Use divert socket on FreeBSD af_packet: Level 2 software bridge Offline analysis Pcap: Analyse pcap files Unix socket: Use Suricata for fast batch processing of pcap files Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 8 / 52

  7. Suricata 2.0 new features ’EVE’ logging, our all JSON output for events: alerts, HTTP , DNS, SSH, TLS and (extracted) files much improved VLAN handling a detectionless ‘NSM’ runmode much improved CUDA performance Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 9 / 52

  8. libhtp Security oriented HTTP parser Written by Ivan Risti´ c (ModSecurity, IronBee) Support of several keywords http_method http_uri & http_raw_uri http_client_body & http_server_body http_header & http_raw_header http_cookie serveral more. . . Able to decode gzip compressed flows Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 11 / 52

  9. Using HTTP features in signature Signature example: Chat facebook a l e r t http $HOME_NET any − > $EXTERNAL_NET any \ ( msg: "ET CHAT Facebook Chat ( send message ) " ; \ flow : established , to_server ; content : "POST" ; http_method ; \ content : " / ajax / chat / send . php " ; h t t p _ u r i ; content : " facebook .com" ; http_header ; \ classtype : policy − v i o l a t i o n ; reference : url , doc . emergingthreats . net /2010784; \ reference : url ,www. emergingthreats . net / cgi − bin / cvsweb . cgi / sigs / POLICY / POLICY_Facebook_Chat ; \ sid :2010784; rev : 4 ; \ ) This signature tests: The HTTP method: POST The page: /ajax/chat/send.php The domain: facebook.com Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 12 / 52

  10. Extraction and inspection of files Get files from HTTP downloads and uploads Detect information about the file using libmagic Type of file Other details Author (if available) A dedicated extension of signature language SMTP support coming soon Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 13 / 52

  11. Dedicated keywords filemagic : description of content a l e r t http any any − > any any (msg: " windows exec " ; \ filemagic : " executable f o r MS Windows" ; sid : 1 ; rev : 1 ; ) filestore : store file for inspection a l e r t http any any − > any any (msg: " windows exec " ; filemagic : " executable f o r MS Windows" ; \ f i l e s t o r e ; sid : 1 ; rev : 1 ; ) fileext : file extension a l e r t http any any − > any any (msg: " jpg claimed , but not jpg f i l e " ; \ f i l e e x t : " jpg " ; \ filemagic : ! "JPEG image data " ; sid : 1 ; rev : 1 ; ) filename : file name a l e r t http any any − > any any (msg: " s e n s i t i v e f i l e leak " ; filename : " secret " ; sid : 1 ; rev : 1 ; ) Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 14 / 52

  12. Examples Files sending on a server only accepting PDF a l e r t http $EXTERNAL_NET − > $WEBSERVER any (msg: " suspicious upload " ; \ flow : established , to_server ; content : "POST" http_method ; \ content : " / upload . php " ; h t t p _ u r i ; \ filemagic : ! "PDF document " ; \ f i l e s t o r e ; sid : 1 ; rev : 1 ; ) Private keys in the wild a l e r t http $HOME_NET any − > $EXTERNAL_NET any (msg: " outgoing p ri v a t e key " ; \ filemagic : "RSA p ri v a t e key " ; sid : 1 ; rev : 1 ; ) Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 15 / 52

  13. Disk storage Every file can be stored to disk with a metadata file Disk usage limit can be set Scripts for looking up files / file md5’s at Virus Total and others Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 16 / 52

  14. A TLS handshake parser No traffic decryption Method Analyse of TLS handshake Parsing of TLS messages A security-oriented parser Coded from scratch Provide a hackable code-base for the feature No external dependency (OpenSSL or GNUtls) Contributed by Pierre Chifflier (ANSSI) With security in mind: Resistance to attacks (audit, fuzzing) Anomaly detection Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 17 / 52

  15. A handshake parser The syntax a l e r t tcp $HOME_NET any − > $EXTERNAL_NET 443 becomes a l e r t t l s $HOME_NET any − > $EXTERNAL_NET any Interest: No dependency to IP params Pattern matching is limited to identified protocol Less false positive More performance Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 18 / 52

  16. TLS keywords tls.version : Match protocol version number tls.subject : Match certificate subject tls.issuerdn : Match the name of the CA which has signed the key tls.fingerprint : Match the fingerprint of the certificate tls.store : Store certificates chain and a meta file on disk Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 19 / 52

  17. Example: verify security policy (1/2) Environnement: A company with servers With an official PKI The goal: Verify that the PKI is used Without working too much Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 20 / 52

  18. Example: verify security policy (2/2) Let’s check that the certificates used when a client negotiate a connection to one of our servers are the good one The signature: a l e r t t l s any any − > $SERVERS any ( t l s . issuerdn : ! "C=NL, O=Staat der Nederlanden , \ CN=Staat der Nederlanden Root CA" ; ) Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 21 / 52

  19. Luajit rules Rule language is really simple Some tests are really difficult to write Logic can be obtained via flow counters (flowbit) usage But numerous rules are necessary A true language can permit to Simplify some things Realize new things Experimental rules: https://github.com/EmergingThreats/et-luajit-scripts Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 22 / 52

  20. Lua Declaring a rule a l e r t tcp any any − > any any (msg: " Lua rule " ; l u a j i t : t e s t . lua ; sid : 1 ; ) An example script function i n i t ( args ) l o c a l needs = { } needs [ " http . request_line " ] = t o s t r i n g ( true ) return needs end − match i f packet and payload both contain HTTP − function match ( args ) a = t o s t r i n g ( args [ " http . request_line " ] ) i f #a > 0 then i f a : f i n d ( " ^POST %s +/. ∗ %.php%s+HTTP/1.0 $" ) then return 1 end end return 0 end Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 23 / 52

  21. heartbleed The challenge No parsing of heartbeat, so hard solution Need pattern matching Easy to escape Poor man solution a l e r t tcp any any − > any $TLS_PORTS ( content : " |18 03 02| " ; depth : 3; \ content : " | 0 1 | " ; distance : 2; wi thin : 1; content : ! " | 0 0 | " ; w ithin : 1; \ msg: "TLSv1.1 Malicious Heartbleed RequestV2 " ; sid : 3 ; ) Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 25 / 52

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 1 / 43 Eric Leblond a.k.a Regit French Network security expert Free Software

667 views • 47 slides
Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as a SSL monitor Suricata as a passive DNS probe Suricata as a flow probe Suricata as a malware detector VirtualBox setup File ->

1.16k views • 78 slides
netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte

netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte

netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte <laforge@netfilter.org> 1 netfilter/iptables tutorial Contents Day 1 Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP

342 views • 20 slides
Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 1 / 60 Netfilter 1 Nftables Tables and chains Rules Suricata

1.09k views • 75 slides
Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 . Leblond (OISF) Suricata and XDP Nov. 29, 2018 1 / 43 Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet

786 views • 59 slides
Netfilter updates: NetDev 2.1 <pablo@netfilter.org> Pablo Neira Ayuso What does this

Netfilter updates: NetDev 2.1 <pablo@netfilter.org> Pablo Neira Ayuso What does this

Netfilter updates: NetDev 2.1 <pablo@netfilter.org> Pablo Neira Ayuso What does this presentation cover? Not a tutorial... but incremental updates on Netfilter and nf_tables. For those new to nftables: See

615 views • 35 slides
BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

Bro Befriends Suricata 23/09/16 20 : 23 BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski @michalpurzynski / Scripts are here - https://github.com/michalpurzynski

894 views • 47 slides
Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Her Special thanks Robert Haist, DCSO Victor Julien, lead developer suricata,

598 views • 29 slides
Netfilter updates since last NetDev NetDev 2.2, Seoul, Korea (Nov 2017)

Netfilter updates since last NetDev NetDev 2.2, Seoul, Korea (Nov 2017)

Netfilter updates since last NetDev NetDev 2.2, Seoul, Korea (Nov 2017) <pablo@netfilter.org> Pablo Neira Ayuso What does this cover? Not a tutorial Incremental updates already upstream Ongoing development efforts

372 views • 21 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org>

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org>

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org> Proyecto Netfilter <pneira@us.es> University of Sevilla Outline Introduction: Stateless and stateful firewalls Fault-Tolerance

442 views • 21 slides
Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien

Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien

Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien @inliniac http://www.inliniac.net/ Content of this talk Introduction to Suricata, OISF Eric Leblond will speak about recent

580 views • 47 slides
A userspace API for netfilter control Netfilter Workshop 2007, Karlsruhe Sebastian Kiesel, Jochen

A userspace API for netfilter control Netfilter Workshop 2007, Karlsruhe Sebastian Kiesel, Jochen

INSTITUT FR INSTITUT FR NACHRICHTENVERMITTLUNG KOMMUNIKATIONSNETZE Universitt Stuttgart Universitt Stuttgart UND DATENVERARBEITUNG UND RECHNERSYSTEME Prof. Dr.-Ing. Dr. h. c. mult. P. J. Khn Prof. Dr.-Ing. Dr. h. c. mult. P. J.

794 views • 26 slides
Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF)

Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF)

Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 1 / 40 Some word about me Eric Leblond French Previously, co-founder and CTO of EdenWall

2.73k views • 62 slides
DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier, July 2014 1/36 Email: brouer@redhat.com / netoptimizer@brouer.com / hawk@kernel.org DDoS protection using Netfilter/iptables

822 views • 38 slides
RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted

RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted

https://res212.telecom-paristech.fr TP02v1 2018/05/31 RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted with the design, configuration and testing of firewalls. Given the limited amount of time,

736 views • 14 slides
entries and exits: contrasting pathw ays to com m unity reentry Chris Uggen w ith Arturo

entries and exits: contrasting pathw ays to com m unity reentry Chris Uggen w ith Arturo

entries and exits: contrasting pathw ays to com m unity reentry Chris Uggen w ith Arturo Baiocchi, Jeanette Hussem ann, Shelly Schaefer, Sarah Shannon, and Tom W alton University of Minnesota 10/29/2008 1 research? community research

860 views • 35 slides
Running on Empty: Sustain Yourself First! Being the Healthy and Balanced Role Model That

Running on Empty: Sustain Yourself First! Being the Healthy and Balanced Role Model That

Running on Empty: Sustain Yourself First! Being the Healthy and Balanced Role Model That First-Year Students Need Chris Benson Associate Dean of Academic Advising & FYE, Madonna University cbenson@madonna.edu Nicole Nagy FYE

107 views • 7 slides
Good Morning. It has been a rich few days with you. Thank you for sharing insights, laughter,

Good Morning. It has been a rich few days with you. Thank you for sharing insights, laughter,

Slide 1 Good Morning. It has been a rich few days with you. Thank you for sharing insights, laughter, conversation and depth of liturgical worship. This morning we have the immense task of talking about mental health recovery. And if that

438 views • 7 slides
The Sun Corridor as a Mountain Mega One of Americas Newest Metropolitan Places and a

The Sun Corridor as a Mountain Mega One of Americas Newest Metropolitan Places and a

The Sun Corridor as a Mountain Mega One of Americas Newest Metropolitan Places and a Federal Partnership to Help It Prosper Arizona State University Mark Muro and Robert Lang November 21, 2008 Mountain Megas Context Mega-trends

954 views • 64 slides
Exploring Fear in Creativity Initial experiences and considerations from a

Exploring Fear in Creativity Initial experiences and considerations from a

Exploring Fear in Creativity Initial experiences and considerations from a self-described-creative-scaredy-cat. (Who, consequently, is seeking help.) Lorna Riach December 5, 2011 It started with a promise. In fact, it was a two part promise.

444 views • 29 slides
RESILIENT THE HAGUE Anne-Marie Hitipeuw Chief Resilience Officer , City of The Hague COVID-19

RESILIENT THE HAGUE Anne-Marie Hitipeuw Chief Resilience Officer , City of The Hague COVID-19

RESILIENT THE HAGUE Anne-Marie Hitipeuw Chief Resilience Officer , City of The Hague COVID-19 and Heat: Concurrent Risks 18 June 2020 1. Common public health actions to reduce heat-related illness and death may need to be modified in

541 views • 21 slides
Stirling Renewable Heat Project Overview Partner Introductions LCITP Overview Funding

Stirling Renewable Heat Project Overview Partner Introductions LCITP Overview Funding

Stirling Renewable Heat Project Overview Partner Introductions LCITP Overview Funding Overview Project Overview Local Benefits Opportunities & Impacts Challenges & Risks Future Expansion Transferability

308 views • 14 slides
A Policy Model for Diffusion of Electricity Saving Technologies Even Bjrnstad and Sverre I.

A Policy Model for Diffusion of Electricity Saving Technologies Even Bjrnstad and Sverre I.

Drivkraft for fremtidsrettede energilsninger A Policy Model for Diffusion of Electricity Saving Technologies Even Bjrnstad and Sverre I. Heimdal Enova SF The Norwegian Energy Sector Dominated by rich renewable energy resources.

139 views • 13 slides

More recommend