suricata 2 0 netfilter and the prc
play

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks - PowerPoint PPT Presentation

Jan 09, 2024 •186 likes •667 views

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 1 / 43 Eric Leblond a.k.a Regit French Network security expert Free Software

  1. Suricata 2.0, Netfilter and the PRC Éric Leblond Stamus Networks July 8, 2014 Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 1 / 43

  2. Eric Leblond a.k.a Regit French Network security expert Free Software enthousiast NuFW project creator (Now ufwi), EdenWall co-founder Netfilter developer: Maintainer of ulogd2: Netfilter logging daemon Misc contributions: NFQUEUE library and associates Port of some features iptables to nftables Currently: co-founder of Stamus Networks, a company providing Suricata based network probe appliances. Suricata IDS/IPS funded developer Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 2 / 43

  3. Suricata 1 Introduction Give me more logging 2 Suricata EVE output Ulogd and JSON Elasticsearch, Logstash, Kibana What about the PRC ? 3 French hospitality 4 Conclusion 5 Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 3 / 43

  4. Suricata 1 Introduction Give me more logging 2 Suricata EVE output Ulogd and JSON Elasticsearch, Logstash, Kibana What about the PRC ? 3 French hospitality 4 Conclusion 5 Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 4 / 43

  5. What is Suricata IDS and IPS engine Get it here: http://www.suricata-ids.org Open Source (GPLv2) Funded by US government and consortium members Run by Open Information Security Foundation (OISF) More information about OISF at http://www. openinfosecfoundation.org/ Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 5 / 43

  6. Suricata Features High performance, scalable through multi threading Protocol identification File identification, extraction, on the fly MD5 calculation TLS handshake analysis, detect/prevent things like Diginotar Hardware acceleration support: Endace Napatech, CUDA PF_RING Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 6 / 43

  7. Suricata Features Rules and outputs compatible to Snort syntax useful logging like HTTP request log, TLS certificate log, DNS logging Lua scripting for detection Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 7 / 43

  8. Suricata capture modes IDS pcap: multi OS capture pf_ring: Linux high performance af_packet: Linux high performance on vanilla kernel . . . IPS NFQUEUE: Using Netfilter on Linux ipfw: Use divert socket on FreeBSD af_packet: Level 2 software bridge Offline analysis Pcap: Analyse pcap files Unix socket: Use Suricata for fast batch processing of pcap files Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 8 / 43

  9. Suricata 2.0 new features ’EVE’ logging, our all JSON output for events: alerts, HTTP , DNS, SSH, TLS and (extracted) files much improved VLAN handling a detectionless ‘NSM’ runmode much improved CUDA performance Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 9 / 43

  10. Suricata 1 Introduction Give me more logging 2 Suricata EVE output Ulogd and JSON Elasticsearch, Logstash, Kibana What about the PRC ? 3 French hospitality 4 Conclusion 5 Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 10 / 43

  11. Suricata 1 Introduction Give me more logging 2 Suricata EVE output Ulogd and JSON Elasticsearch, Logstash, Kibana What about the PRC ? 3 French hospitality 4 Conclusion 5 Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 11 / 43

  12. Let’s get rid of the 90’s Let’s kill unified2 Binary format without real design Dedicated to alert Very hard to extend No API on devel side We need something extensible To log alert and to log protocol request Easy to generate and easy to parse Extensible Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 12 / 43

  13. JavaScript Object Notation JSON JSON ( http://www.json.org/ ) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. An object is an unordered set of name/value pairs. Logging in JSON {"timestamp":"2012-02-05T15:55:06.661269", "src_ip":"173.194.34.51", "dest_ip":"192.168.1.22", "alert":{"action":"allowed",rev":1,"signature":"SURICATA TLS store"}} Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 13 / 43

  14. Alert The structure IP information are identical for all events and alert Follow Common Information Model Allow basic aggregation for all Suricata events and external sources Example {"timestamp":"2014-03-06T05:46:31.170567","event_type":"alert", "src_ip":"61.174.51.224","src_port":2555, "dest_ip":"192.168.1.129","dest_port":22,"proto":"TCP", "alert":{"action":"Pass","gid":1,"signature_id":2006435,"rev":8, "signature":"ET SCAN LibSSH Based SSH Connection - Often used as "category":"Misc activity","severity":3} } Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 14 / 43

  15. Network Security Monitoring Protocols HTTP File TLS SSH DNS Example {"timestamp":"2014-04-10T13:26:05.500472","event_type":"ssh", "src_ip":"192.168.1.129","src_port":45005, "dest_ip":"192.30.252.129","dest_port":22,"proto":"TCP", "ssh":{ "client":{ "proto_version":"2.0","software_version":"OpenSSH_6.6p1 Debian-2" }, "server":{ "proto_version":"2.0","software_version":"libssh-0.6.3"} } } Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 15 / 43

  16. Suricata 1 Introduction Give me more logging 2 Suricata EVE output Ulogd and JSON Elasticsearch, Logstash, Kibana What about the PRC ? 3 French hospitality 4 Conclusion 5 Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 16 / 43

  17. At the beginning was syslog Pre Netfilter days Flat packet logging One line per packet A lot of information Non searchable Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 17 / 43

  18. At the beginning was syslog Pre Netfilter days Flat packet logging One line per packet A lot of information Non searchable Not sexy INPUT DROP IN=eth0 OUT= MAC=00:1a:92:05:ee:68:00:b0:8e:83:3b:f0:08:00 SRC=62.212.121.211 DST=91.121.73.151 IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.23 DST=192.168.11.3 LEN=86 IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 17 / 43

  19. Ulogd2: complete Netfilter logging Ulogd2 Interact with the post 2.6.14 libraries multiple output and input through the use of stacks libnetfilter_log (generalized ulog) Packet logging IPv6 ready Few structural modification libnetfilter_conntrack (new) Connection tracking logging Accounting, logging libnetfilter_nfacct (added recently) High performance accounting Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 18 / 43

  20. Ulogd: output and configuration Sexify output Syslog and file output SQL output: PGSQL, MySQL, SQLite Graphite JSON output Some stack examples stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX, \ ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON stack=ct1:NFCT,mark1:MARK,ip2str1:IP2STR,pgsql2:PGSQL Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 19 / 43

  21. Ulogd Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 20 / 43

  22. Suricata 1 Introduction Give me more logging 2 Suricata EVE output Ulogd and JSON Elasticsearch, Logstash, Kibana What about the PRC ? 3 French hospitality 4 Conclusion 5 Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 21 / 43

  23. ELK Elasticsearch is a distributed restful search and analytics Full text search, schema free Apache 2 open source license ELK stack Elasticsearch Logstash: log shipping Kibana: web interface Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 22 / 43

  24. Logstash A tool for managing events and logs collect logs, parse them, and store them in different outputs elasticsearch graphite IRC . . . Apache 2.0 license A simple configuration (for JSON) input { file { path => [ "/var/log/suricata/eve.json", "/var/log/ulogd.json"] codec => json } } Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 23 / 43

  25. Kibana Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 24 / 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 1 / 52 Eric Leblond a.k.a Regit French Network security expert Free

536 views • 42 slides
Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as a SSL monitor Suricata as a passive DNS probe Suricata as a flow probe Suricata as a malware detector VirtualBox setup File ->

1.16k views • 78 slides
netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte

netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte

netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte <laforge@netfilter.org> 1 netfilter/iptables tutorial Contents Day 1 Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP

342 views • 20 slides
Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 1 / 60 Netfilter 1 Nftables Tables and chains Rules Suricata

1.09k views • 75 slides
Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 . Leblond (OISF) Suricata and XDP Nov. 29, 2018 1 / 43 Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet

786 views • 59 slides
Netfilter updates: NetDev 2.1 <pablo@netfilter.org> Pablo Neira Ayuso What does this

Netfilter updates: NetDev 2.1 <pablo@netfilter.org> Pablo Neira Ayuso What does this

Netfilter updates: NetDev 2.1 <pablo@netfilter.org> Pablo Neira Ayuso What does this presentation cover? Not a tutorial... but incremental updates on Netfilter and nf_tables. For those new to nftables: See

615 views • 35 slides
BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

Bro Befriends Suricata 23/09/16 20 : 23 BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski @michalpurzynski / Scripts are here - https://github.com/michalpurzynski

894 views • 47 slides
Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Her Special thanks Robert Haist, DCSO Victor Julien, lead developer suricata,

598 views • 29 slides
Netfilter updates since last NetDev NetDev 2.2, Seoul, Korea (Nov 2017)

Netfilter updates since last NetDev NetDev 2.2, Seoul, Korea (Nov 2017)

Netfilter updates since last NetDev NetDev 2.2, Seoul, Korea (Nov 2017) <pablo@netfilter.org> Pablo Neira Ayuso What does this cover? Not a tutorial Incremental updates already upstream Ongoing development efforts

372 views • 21 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org>

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org>

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org> Proyecto Netfilter <pneira@us.es> University of Sevilla Outline Introduction: Stateless and stateful firewalls Fault-Tolerance

442 views • 21 slides
Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien

Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien

Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien @inliniac http://www.inliniac.net/ Content of this talk Introduction to Suricata, OISF Eric Leblond will speak about recent

580 views • 47 slides
A userspace API for netfilter control Netfilter Workshop 2007, Karlsruhe Sebastian Kiesel, Jochen

A userspace API for netfilter control Netfilter Workshop 2007, Karlsruhe Sebastian Kiesel, Jochen

INSTITUT FR INSTITUT FR NACHRICHTENVERMITTLUNG KOMMUNIKATIONSNETZE Universitt Stuttgart Universitt Stuttgart UND DATENVERARBEITUNG UND RECHNERSYSTEME Prof. Dr.-Ing. Dr. h. c. mult. P. J. Khn Prof. Dr.-Ing. Dr. h. c. mult. P. J.

794 views • 26 slides
Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF)

Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF)

Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 1 / 40 Some word about me Eric Leblond French Previously, co-founder and CTO of EdenWall

2.73k views • 62 slides
DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier, July 2014 1/36 Email: brouer@redhat.com / netoptimizer@brouer.com / hawk@kernel.org DDoS protection using Netfilter/iptables

822 views • 38 slides
RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted

RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted

https://res212.telecom-paristech.fr TP02v1 2018/05/31 RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted with the design, configuration and testing of firewalls. Given the limited amount of time,

736 views • 14 slides
MULTIFLEX - a Formalism and a Tool for the Computational Morphology of Multi-Word Units Agata

MULTIFLEX - a Formalism and a Tool for the Computational Morphology of Multi-Word Units Agata

MULTIFLEX - a Formalism and a Tool for the Computational Morphology of Multi-Word Units Agata SAVARY Universit Franois Rabelais Laboratoire dInformatique IUT de Blois IPI PAN Seminar Warszawa, Jan 5, 2007 Multi-Word Units (MWUs)

595 views • 34 slides
ARCHIVING & PRESERVING WEB CONTENT THE INTERNET ARCHIVE What? A non-profit digital library

ARCHIVING & PRESERVING WEB CONTENT THE INTERNET ARCHIVE What? A non-profit digital library

ARCHIVING & PRESERVING WEB CONTENT THE INTERNET ARCHIVE What? A non-profit digital library and archive Where? San Francisco, CA When? Who? Founded in 1996 by Brewster Kahle How? Officially designated a library by the state of California

427 views • 24 slides
A novel class of bispecific PSMA/GRPR targeting radioligands with optimized pharmacokinetics for

A novel class of bispecific PSMA/GRPR targeting radioligands with optimized pharmacokinetics for

Development of bispecific PSMA/GRPr targeting radioligands with optimized pharmacokinetics for PET imaging of prostate cancer Liolios C. 1 , Schfer M. 1 , Bauder-Wst U. 1 , Haberkorn U. 2 , Eder M. 1 , Kopka K. 1 1 Division of

321 views • 19 slides
Background markers of two languages. Urdu sE is used for different English prepositions in

Background markers of two languages. Urdu sE is used for different English prepositions in

11/16/2012 Presentation Plan Spatial markers in Background Semantics South Asian languages Polysemy Representation of Spatial markers Tafseer Ahmed A study of South Asian spatial markers University of Karachi Saptial

432 views • 11 slides
Introduction and Big Idea What are Numerical M Methods ? ? Numbers in a computer

Introduction and Big Idea What are Numerical M Methods ? ? Numbers in a computer

Introduction and Big Idea What are Numerical M Methods ? ? Numbers in a computer (and how computer understands these numbers) Mathematical model o algorithms derived from math ideas to solve equations numerically

302 views • 17 slides
Section 18: Mechanical Properties of Bone 18-1 From: Vanwanseele 18-2 Load-deformation

Section 18: Mechanical Properties of Bone 18-1 From: Vanwanseele 18-2 Load-deformation

Section 18: Mechanical Properties of Bone 18-1 From: Vanwanseele 18-2 Load-deformation Relationships 18-3 From: Brown From: Vanwanseele 18-4 From: Seeley 18-5 Bone Biomechanics Bone Biomechanics Bone is anisotropic - its modulus is

415 views • 16 slides
TAKING MORPHOLOGY SERIOUSLY: MEG STUDIES OF MORPHOLOGICAL REPRESENTATIONS Laura Gwilliams &

TAKING MORPHOLOGY SERIOUSLY: MEG STUDIES OF MORPHOLOGICAL REPRESENTATIONS Laura Gwilliams &

TAKING MORPHOLOGY SERIOUSLY: MEG STUDIES OF MORPHOLOGICAL REPRESENTATIONS Laura Gwilliams & Alec Marantz 17th International Morphology Meeting | Vienna | February 18th 2016 1 TODAYS QUESTIONS 1. What is represented? 2. How are

814 views • 40 slides
Melissa A. Gaither, VP IR and Global Communications 2 T his presentation contains forward -

Melissa A. Gaither, VP IR and Global Communications 2 T his presentation contains forward -

Randall C. Stuewe, Chairman and CEO Brad Phillips, EVP Chief Financial Officer Melissa A. Gaither, VP IR and Global Communications 2 T his presentation contains forward - looking statements regarding the business operations and prospects of

398 views • 18 slides

More recommend