suricata idps and linux kernel
play

Suricata IDPS and Linux kernel . Leblond, G. Longo Stamus Networks - PowerPoint PPT Presentation

Mar 07, 2024 •464 likes •941 views

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Suricata IDPS and Linux kernel . Leblond, G. Longo Stamus Networks February 10, 2016 . Leblond, G. Longo (Stamus Networks)

  1. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Suricata IDPS and Linux kernel É. Leblond, G. Longo Stamus Networks February 10, 2016 É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 1 / 28

  2. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Suricata 1 Introduction Streaming Performance Suricata and Linux kernel 2 AF_PACKET NFQUEUE Suricata and offloading 3 Interest of offloading Implementation of framework Use it with NFQ Other Methods Conclusion 4 É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 1 / 28

  3. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Suricata 1 Introduction Streaming Performance Suricata and Linux kernel 2 AF_PACKET NFQUEUE Suricata and offloading 3 Interest of offloading Implementation of framework Use it with NFQ Other Methods Conclusion 4 É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 1 / 28

  4. What is Suricata Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) IDS and IPS engine Get it here: http://www.suricata-ids.org Open Source (GPLv2) Initially publicly funded now funded by consortium members Run by Open Information Security Foundation (OISF) More information about OISF at http://www. openinfosecfoundation.org/ É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 2 / 28

  5. Suricata Features Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) High performance, scalable through multi threading Advanced Protocol handling Protocol recognition Protocol analysis: field extraction, filtering keywords Transaction logging in extensible JSON format File identification, extraction, on the fly MD5 calculation HTTP SMTP TLS handshake analysis, detect/prevent things like Diginotar Lua scripting for detection Hardware acceleration support: Endace Napatech, CUDA PF_RING É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 3 / 28

  6. Suricata capture modes Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) IDS pcap: multi OS capture af_packet: Linux high performance on vanilla kernel netmap: FreeBSD high performance NFLOG: Netfilter logging IPS NFQUEUE: Using Netfilter on Linux ipfw: Use divert socket on FreeBSD af_packet: Level 2 software bridge Offline analysis Pcap: Analyse pcap files Unix socket: Use Suricata for fast batch processing of pcap files É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 4 / 28

  7. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Suricata 1 Introduction Streaming Performance Suricata and Linux kernel 2 AF_PACKET NFQUEUE Suricata and offloading 3 Interest of offloading Implementation of framework Use it with NFQ Other Methods Conclusion 4 É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 4 / 28

  8. Evasion technics Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Fooling detection Get your activity unnoticed Complete your attack and stay in place Principle Signature-based IDS relay on packet content Modification of traffic could be used to avoid detection Without changing the impact of the attack É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 5 / 28

  9. Play on interpretation issue Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) OS-based evasion All OS do not react the same RFC are incomplete. Improvisations have been made. Variation of traffic for a same flow is possible Overlapping Fragments Application-based evasion Different servers can treat the same request differently. No web server are treating a twice used argument the same way. É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 6 / 28

  10. Personnality Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Personnality IDS implements personnality It is possible to associate network and OS type For Suricata, HTTP servers can be personnified too. Suricata configuration host − os − policy : # Make the d ef a u lt po licy windows . windows : [ 0 . 0 . 0 . 0 / 0 ] bsd : [ ] bsd − r i g h t : [ ] old − l i n u x : [ ] l i n u x : [ 1 0 . 0 . 0 . 0 / 8 ] É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 7 / 28

  11. Suricata reconstruction and normalization Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 8 / 28

  12. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Suricata 1 Introduction Streaming Performance Suricata and Linux kernel 2 AF_PACKET NFQUEUE Suricata and offloading 3 Interest of offloading Implementation of framework Use it with NFQ Other Methods Conclusion 4 É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 8 / 28

  13. A typical signature example Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Signature example: Chat facebook a l e r t http $HOME_NET any − > $EXTERNAL_NET any \ ( msg: "ET CHAT Facebook Chat ( send message ) " ; \ flow : established , to_server ; content : "POST" ; http_method ; \ content : " / ajax / chat / send . php " ; h t t p _ u r i ; content : " facebook .com" ; http_host ; \ content : " netdev " ; http_client_body ; reference : url ,www. emergingthreats . net / cgi − bin / cvsweb . cgi / sigs / POLICY / POLICY_Facebook_Chat ; \ sid :2010784; rev : 4 ; \ ) This signature tests: The HTTP method: POST The page: /ajax/chat/send.php The domain: facebook.com The body content: netdev É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 9 / 28

  14. No passthrough Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) All signatures are inspected Different from a firewall More than 15000 signatures in standard rulesets Optimization on detection engine Tree pre filtering approach to limit the set of signatures to test Multi pattern matching on some buffers É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 10 / 28

  15. CPU intensive Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 11 / 28

  16. Perf top Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 12 / 28

  17. Scalability Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Bandwith per core is limited From 150Mb/s To 500Mb/s Scaling Using RSS Splitting load on workers É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 13 / 28

  18. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Suricata 1 Introduction Streaming Performance Suricata and Linux kernel 2 AF_PACKET NFQUEUE Suricata and offloading 3 Interest of offloading Implementation of framework Use it with NFQ Other Methods Conclusion 4 É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 13 / 28

  19. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Suricata 1 Introduction Streaming Performance Suricata and Linux kernel 2 AF_PACKET NFQUEUE Suricata and offloading 3 Interest of offloading Implementation of framework Use it with NFQ Other Methods Conclusion 4 É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 13 / 28

  20. AF_PACKET Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Linux raw socket Raw packet capture method Socket based or mmap based É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 14 / 28

  21. AF_PACKET Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Linux raw socket Raw packet capture method Socket based or mmap based Fanout mode Load balancing over multiple sockets Multiple load balancing functions Flow based CPU based RSS based É. Leblond, G. Longo (Stamus Networks) Suricata IDPS and Linux kernel February 10, 2016 14 / 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 1 / 60 Netfilter 1 Nftables Tables and chains Rules Suricata

1.09k views • 75 slides
Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as a SSL monitor Suricata as a passive DNS probe Suricata as a flow probe Suricata as a malware detector VirtualBox setup File ->

1.16k views • 78 slides
Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many of us need to debug the Linux kernel Proprietary tools like Trace32 and DS-5 are $$$ Open source debuggers like GDB lack kernel

884 views • 40 slides
Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module

Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module

Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module Linux is written in C, but does not include all standard libraries And some other idiosyncrasies This lecture will give you a crash

1.35k views • 22 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for

Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for

Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for Women LinuxCon North America 2013 Agenda Introduction What Got Me Interested in OPW Project Overview Xen Block Ring Protocol

922 views • 13 slides
Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules Kernel module: code that can be dynamically loaded/unloaded into the kernel at runtime Change the kernel code without needing to reboot

545 views • 13 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
. Kernel The Variability Model of the Linux Extra Conclusions Linux Study Introduction .

. Kernel The Variability Model of the Linux Extra Conclusions Linux Study Introduction .

. Krzysztof Czarnecki, Andrzej Wsowski The Variability Model of the Linux Kernel . . January 26, 2010 IT University of Copenhagen University of Leipzig University of Waterloo Steven She, Rafael Lotufo, Thorsten Berger, . Kernel The

928 views • 39 slides
Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 . Leblond (OISF) Suricata and XDP Nov. 29, 2018 1 / 43 Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet

786 views • 59 slides
Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux Kernel Widespread Deployed on: powerful (high performance compute clusters) sensitive (bank, gov. systems, ..) safety critical

995 views • 29 slides
Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

3/1/20 COMP 790: OS Implementation COMP 790: OS Implementation Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

647 views • 8 slides
Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019

Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019

Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019 http://d3s.mff.cuni.cz CHARLES UNIVERSITY IN PRAGUE faculty of mathematjcs and physics faculty of mathematjcs and physics Vlastimil Babka vbabka@suse.cz

1.6k views • 62 slides
Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D.

Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D.

Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D. cl@linux.com Collaboration Summit, Napa Valley, 2014 Non Uniform Memory access in the Linux Kernel Memory is segmented into nodes so that

518 views • 12 slides
Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January

Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January

Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January The Linux of Things | #LCA2019 | @linuxconfau 2019 Christchurch, NZ Making C Less Dangerous in the Linux Kernel Linux Conf AU January 25,

505 views • 29 slides
Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda

Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda

Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda mulix@mulix.org IBM Haifa Research Lab Kernel Debugging, Haifux 2003 p.1/19 Kernel Debugging - Why? Why would we want to debug the kernel? after

308 views • 19 slides
An Experimentalists Overview of the role of Electron Correlations in the Thermoelectric

An Experimentalists Overview of the role of Electron Correlations in the Thermoelectric

An Experimentalists Overview of the role of Electron Correlations in the Thermoelectric Performance of Various Materials Brian Sales Correlated Electron Materials Group Oak Ridge National Laboratory Oak Ridge, TN Outline Some

956 views • 53 slides
Outline What is a Constraint ? What is a Global Constraint ? Examples of Global

Outline What is a Constraint ? What is a Global Constraint ? Examples of Global

I nterest of Global Constraints for Modeling and Solving Eric Bourreau, Franois Laburthe BOUYGUES e lab St-Quentin-en-Yvelines - FRANCE { ebourrea;flaburth} @challenger.bouygues.fr 1 Outline What is a Constraint ? What is a

492 views • 8 slides
Deep Learning Applications in Natural Language Processing Jindich Libovick December 5, 2018

Deep Learning Applications in Natural Language Processing Jindich Libovick December 5, 2018

Deep Learning Applications in Natural Language Processing Jindich Libovick December 5, 2018 B4M36NLP Introduction to Natural Language Processing Charles University Faculty of Mathematics and Physics Institute of Formal and Applied

930 views • 42 slides
Advanced Lesson 30 Topic 30: Identifying similarities and differences in text .Reading

Advanced Lesson 30 Topic 30: Identifying similarities and differences in text .Reading

2 nd semester Advanced Lesson 30 Topic 30: Identifying similarities and differences in text .Reading Compare, in relation to reading, refers to the process of identifying the similarities and differences between two things. On the other

351 views • 5 slides
Meta-Interpretive Learning of Logic Programs Stephen Muggleton Department of Computing Imperial

Meta-Interpretive Learning of Logic Programs Stephen Muggleton Department of Computing Imperial

Meta-Interpretive Learning of Logic Programs Stephen Muggleton Department of Computing Imperial College, London Motivation Logic Programming [Kowalski, 1976] Inductive Logic Programming [Muggleton, 1991] Machine Learn arbitrary programs

333 views • 20 slides
Henrique Arajo Imperial College London On behalf of the LUX Collaboration University of

Henrique Arajo Imperial College London On behalf of the LUX Collaboration University of

Henrique Arajo Imperial College London On behalf of the LUX Collaboration University of Birmingham, 14 May 2014 H Arajo OUTLINE Why dark matter(s) Catching WIMPs with the noble liquid xenon Fiat LUX! First results Beyond LUX

601 views • 48 slides
Interdiction Branching Andrea Lodi 1 , Ted Ralphs 2 , Fabrizio Rossi 3 , Stefano Smriglio 3 1 DEIS,

Interdiction Branching Andrea Lodi 1 , Ted Ralphs 2 , Fabrizio Rossi 3 , Stefano Smriglio 3 1 DEIS,

Interdiction Branching Andrea Lodi 1 , Ted Ralphs 2 , Fabrizio Rossi 3 , Stefano Smriglio 3 1 DEIS, University of Bologna 2 COR@L Lab, Department of Industrial and Systems Engineering, Lehigh University 3 Dipartimento di Informatica, University of

574 views • 28 slides
Writing Good Goals and SMART Objectives For Local Public Health Assessment and Planning Public

Writing Good Goals and SMART Objectives For Local Public Health Assessment and Planning Public

1/22/2016 Writing Good Goals and SMART Objectives For Local Public Health Assessment and Planning Public Health Practice Section, Health Partnerships Division Welcome Sarah Small, MPH Principal Planner, Public Health Practice Section, Health

398 views • 15 slides

More recommend