suricata idps and nftables the mixed mode
play

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus - PowerPoint PPT Presentation

Dec 14, 2023 •322 likes •1.09k views

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 1 / 60 Netfilter 1 Nftables Tables and chains Rules Suricata

  1. Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 1 / 60

  2. Netfilter 1 Nftables Tables and chains Rules Suricata 2 Intro IDS / IPS Signatures NFQUEUE NFLOG Mixed Mode 3 Introduction Usage Ninja usage Conclusion 4 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 1 / 60

  3. Netfilter 1 Nftables Tables and chains Rules Suricata 2 Intro IDS / IPS Signatures NFQUEUE NFLOG Mixed Mode 3 Introduction Usage Ninja usage Conclusion 4 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 1 / 60

  4. Netfilter: Intro Netfilter It’s a framework, developed by Netfilter Organization, inside the Linux kernel that enables packet filtering, network address translation, and other packet mangling. Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 2 / 60

  5. nftables What’s new? New filtering system Replace {ip,ip6,arp,ebt}tables New userspace tools Compatibility layers A new language Based on a grammar Accessible from a library Netlink based communication Atomic modification Notification system Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 3 / 60

  6. nft: userspace tool New features Tables and chains Expressions Rules Sets and maps Dictionaries Contenations Scripting Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 4 / 60

  7. nft: tables Tables Container of chains with no specific semantic No predefined table configuration anymore Need to add a table at least Adding tables nft add table [<family>] <name Examples nft add table ip foo nft add table foo nft add table ip6 bar Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 5 / 60

  8. nft: chains Chains No predefined chains Need to register base chains Adding chains nft add chain [<family>] <table-name> <chain-name> { type <type> hook <hook> priority <value> policy <policy> } Example nft add chain ip foo bar { type filter hook input priority 0 policy drop; } Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 6 / 60

  9. nft: expressions Comparison: eq, neq, gt, gte, lt, lte nft add rule ip foo bar tcp dport != 80 Range nft add rule ip foo bar tcp dport 1-1024 nft add rule ip foo bar meta skuid 1000-1100 Prefixes nft add rule ip foo bar ip daddr 192.168.10.0/24 nft add rule ip foo bar meta mark 0xffffff00/24 Flags nft add rule ip foo bar ct state new, established Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 7 / 60

  10. nft: expressions (2) Bitwise + Comparison nft add rule ip foo bar ct mark and 0xffff == 0x123 Set value nft add rule ip foo bar ct mark set 10 nft add rule ip foo bar ct mark set meta mark Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 8 / 60

  11. nft: rules Counters are optional (unlike iptables) nft add rule ip foo bar counter Several actions in one rule nft add rule ip foo bar ct state invalid log prefix "invalid: " drop Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 9 / 60

  12. nft: sets Sets Built-in generic set infrastructure that allows you to use any supported selector to build sets This infrastructure makes possible the representation of dictionaries and maps The set elements are internally represented using performance data structures such as hashtables and red-black trees Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 10 / 60

  13. nft: set (2) Anonymous set Bound to a rule, if the rule is removed, that set is released too They have no specific name, the kernel internally allocates an identifier They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule The following example shows how to create a simple set nft add rule ip foo bar tcp dport {22, 23} counter This rule catches all traffic going on TCP ports 22 and 23, in case of matching the counters are updated Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 11 / 60

  14. nft: set (3) Named set You can created the named sets with the following command nft add set ip foo whitelist { type ipv4_addr } whitelist is the name of the set in this case type option indicates the data type that this set stores (IPv4 addresses in this case) current maximum name length is 16 characters Fills the set nft add element ip foo whitelist { 192.168.0.1, 192.168.0.10 } You can use it from the rule: nft add rule ip foo bar ip daddr @whitelist counter accept The content of the set can be dynamically updated Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 12 / 60

  15. nft: sets (4) Supported data types ipv4_addr: IPv4 address ipv6_addr: IPv6 address ether_addr: Ethernet address inet_proto: Inet protocol type inet_service: Internet service (tcp port for example) mark: Mark type Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 13 / 60

  16. nft: maps Maps Can be used to look up for data based on some specific key that is used as input Internally use the generic set infrastructure Anonymous maps This example shows how the destination TCP port selects the destination IP address to DNAT the packet nft add rule ip nat prerouting dnat tcp dport map { 80 : 192.168.1.100, 8888 : 192.168.1.101 } This can be read as: if the TCP destination port is 80, then the packet is DNAT’ed to 192.168.1.100 if the TCP destination port is 8888, then the packet is DNAT’ed to 192.168.1.101 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 14 / 60

  17. nft: maps (2) Named map nft add map nat porttoip { type inet_service: ipv4_addr } nft add element nat porttoip { 80 : 192.168.1.100, 8888 : 192.168.1.101 } nft add rule ip nat postrouting snat tcp dport map @porttoip Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 15 / 60

  18. nft: dictionaries Dictionaries Also known as verdict maps, allow you to attach an action to an element Anonymous dictionaries This example shows how to create a tree of chains that whose traversal depends on the layer 4 protocol type: nft add rule ip foo bar ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain, icmp : jump icmp-chain } This rule-set arrangement allows you to reduce the amount of linear list inspections to classify your packets Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 16 / 60

  19. nft: dictionaries (2) Named dictionaries nft add map filter mydict { type ipv4_addr : verdict } nft add element filter mydict { 192.168.0.10 : drop, 192.168.0.11 : accept } nft add rule filter input ip saddr vmap @mydict Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 17 / 60

  20. nft: concatenations Contenations Permits put two or more selectors together to perform very fast lookups by combining them with sets, dictionaries and maps. nft add rule ip filter input ip saddr . ip daddr . ip protocol { 1.1.1.1 . 2.2.2.2 . tcp, 1.1.1.1 . 3.3.3.3 . udp } counter accept In this example if the packet matches the source IP address AND destination IP address AND TCP destination port, nftables update the counter for this rule and then accepts the packet Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 18 / 60

  21. nft: scripting Scripting nftables provides a native scripting environment to maintain the ruleset Load the script nft -f ruleset.nft Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 19 / 60

  22. Netfilter 1 Nftables Tables and chains Rules Suricata 2 Intro IDS / IPS Signatures NFQUEUE NFLOG Mixed Mode 3 Introduction Usage Ninja usage Conclusion 4 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 19 / 60

  23. Tables and Chains Tables Each table has a specific purpose and chains There are 5 main built-in tables in iptables It’s not possible to add user-defined tables Chains Each chain has a specific purpose and contains a ruleset that is applied on packets that traverse the chain Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 20 / 60

  24. Tables Filter table Used for filtering packets We can match packets and filter them in whatever way we may want This is the place that we actually take actions against packets ACCEPT DROP LOG REJECT Three built-in chains Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 21 / 60

  25. Tables Filter’s chains INPUT It’s used on all packets that are destined for the firewall FORWARD It’s used on all non-locally generated packets that are not destined for our localhost OUTPUT It’s used for all locally generated packets Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 22 / 60

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as a SSL monitor Suricata as a passive DNS probe Suricata as a flow probe Suricata as a malware detector VirtualBox setup File -&gt;

1.16k views • 78 slides
Suricata IDPS and Linux kernel . Leblond, G. Longo Stamus Networks February 10, 2016 .

Suricata IDPS and Linux kernel . Leblond, G. Longo Stamus Networks February 10, 2016 .

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Suricata IDPS and Linux kernel . Leblond, G. Longo Stamus Networks February 10, 2016 . Leblond, G. Longo (Stamus Networks)

941 views • 46 slides
Assessing and adjusting bias deriving from mode effect in mixed mode social surveys C. De Vitiis,

Assessing and adjusting bias deriving from mode effect in mixed mode social surveys C. De Vitiis,

Assessing and adjusting bias deriving from mode effect in mixed mode social surveys C. De Vitiis, A. Guandalini, F. Inglese and M.D. Terribili (ISTAT, Italian National Statistical Institute) Session 29 29th June 2018 Summary 1. The Mixed

334 views • 20 slides
Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 . Leblond (OISF) Suricata and XDP Nov. 29, 2018 1 / 43 Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet

786 views • 59 slides
BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

Bro Befriends Suricata 23/09/16 20 : 23 BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski @michalpurzynski / Scripts are here - https://github.com/michalpurzynski

894 views • 47 slides
The truck scheduling problem at crossdocking terminals: exclusive versus mixed mode L. Berghman,

The truck scheduling problem at crossdocking terminals: exclusive versus mixed mode L. Berghman,

The truck scheduling problem at crossdocking terminals: exclusive versus mixed mode L. Berghman, C. Briand, R. Leus and P. Lopez ICORES; February 2015 Outline What is cross-docking? Exclusive versus mixed mode Problem statement and

529 views • 20 slides
State-Based Mode Switching with Applications to Mixed-Criticality Systems Pontus Ekberg , Martin

State-Based Mode Switching with Applications to Mixed-Criticality Systems Pontus Ekberg , Martin

State-Based Mode Switching with Applications to Mixed-Criticality Systems Pontus Ekberg , Martin Stigge, Nan Guan &amp; Wang Yi Uppsala University, Sweden WMC 2013 Mixed Criticality as Mode Switching At a switch between modes (e.g., lo to hi),

627 views • 48 slides
truss-like mixed mode cohesive laws is independent 0 0 of the opening path, i.e. when

truss-like mixed mode cohesive laws is independent 0 0 of the opening path, i.e. when

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS WORK OF SEPARATION OF TRUSS-LIKE MIXED MODE COHESIVE LAWS S. Goutianos, B. F. Srensen* Materials Research Division, Ris National Laboratory for Sustainable Energy, Technical University of

231 views • 5 slides
Dayton Peace Agreement Implementation Strategy Context Internally Displaced People (IDPs)

Dayton Peace Agreement Implementation Strategy Context Internally Displaced People (IDPs)

Support to durable solutions of Revised Annex VII Dayton Peace Agreement Implementation Strategy Context Internally Displaced People (IDPs) some 98,000 IDPs in Bosnia and Herzegovina, of whom: some 16,200 IDPs (5,620 households) in Brko

356 views • 20 slides
PROMOTION IN EMERGENCY SITUATION - WITH SPECIAL EMPHASIS ON NWFP IDPs NWFP IDP EMERGENCY

PROMOTION IN EMERGENCY SITUATION - WITH SPECIAL EMPHASIS ON NWFP IDPs NWFP IDP EMERGENCY

SANITATION &amp; HYGIENE PROMOTION IN EMERGENCY SITUATION - WITH SPECIAL EMPHASIS ON NWFP IDPs NWFP IDP EMERGENCY UNICEF IDPs Relief activities in NWFP, 3 Gender wise Distribution Male, Female, 28960, 51% 28168, 49% UNICEF IDPs

704 views • 32 slides
Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Her Special thanks Robert Haist, DCSO Victor Julien, lead developer suricata,

598 views • 29 slides
Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD

Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD

Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD Post-Doc Researcher, Politecnico di Milano CTO, Secure Network Outline Establishing a need for testing methodologies Testing for

1.13k views • 43 slides
FINAL RESULTS (*) = Indicates multiple counties activated Club/In-State/Mixed Mode (High Power)

FINAL RESULTS (*) = Indicates multiple counties activated Club/In-State/Mixed Mode (High Power)

Call QTH Score QSO Counties States Mults Bonus Name Category NORTH CAROLINA QSO PARTY 2019 FINAL RESULTS (*) = Indicates multiple counties activated Club/In-State/Mixed Mode (High Power) W4NC FOR CLUB-IN-MIXED-HP 106,650 479 27

358 views • 10 slides
Mixed mode in DSTAR Lucian Anton, Ning Li, NAG, UK Kai Luo, University of Southampton, UK Cray

Mixed mode in DSTAR Lucian Anton, Ning Li, NAG, UK Kai Luo, University of Southampton, UK Cray

Mixed mode in DSTAR Lucian Anton, Ning Li, NAG, UK Kai Luo, University of Southampton, UK Cray User Group Fairbanks, May 2011 Experts in numerical algorithms and HPC services Outline Introduction Problem description &amp; algorithm

239 views • 19 slides
PREDICTING LOW VELOCITY IMPACT DAMAGE A MIXED MODE DEGRADATION MODEL F. Ehrich 1 *, L.

PREDICTING LOW VELOCITY IMPACT DAMAGE A MIXED MODE DEGRADATION MODEL F. Ehrich 1 *, L.

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS PREDICTING LOW VELOCITY IMPACT DAMAGE A MIXED MODE DEGRADATION MODEL F. Ehrich 1 *, L. Iannucci 1 , J. Ankersen 1 , M. Fouinneteau 2 1 Department of Aeronautics, Imperial College of Science

415 views • 4 slides
Guaranteeing some service upon mode switch in mixed-criticality systems Zhishan Guo Department

Guaranteeing some service upon mode switch in mixed-criticality systems Zhishan Guo Department

Guaranteeing some service upon mode switch in mixed-criticality systems Zhishan Guo Department of Computer Science, Missouri S&amp;T Presented at Dagstuhl Seminar 17131 Mar. 28, 2017 MC &amp; Vestals Interpretation MC: functionalities

570 views • 15 slides
Pivot Charts By Toma Vajngerl www.collaboraoffjce.co C o l l a b o r a P r o d u

Pivot Charts By Toma Vajngerl www.collaboraoffjce.co C o l l a b o r a P r o d u

C o l l a b o r a P r o d u c t i v i t y Pivot Charts By Toma Vajngerl www.collaboraoffjce.co C o l l a b o r a P r o d u c t i v i t y m Pivot Charts Work sponsored by Nantes New feature added in

293 views • 13 slides
CE Bridge Interoperability (draft-sajassi-l2vpn-vpls-bridge-interop-00.txt) Ali Sajassi L2VPN WG

CE Bridge Interoperability (draft-sajassi-l2vpn-vpls-bridge-interop-00.txt) Ali Sajassi L2VPN WG

CE Bridge Interoperability (draft-sajassi-l2vpn-vpls-bridge-interop-00.txt) Ali Sajassi L2VPN WG November 2004 Cisco Systems 1 Agenda Motivation Behind VPLS L2VPN Framework Model for VPLS PE Discussion of Issues Next Steps 2

404 views • 27 slides
Particle Filters for Numerical Weather Prediction Peter Jan van Leeuwen + PF group (Mel Ades,

Particle Filters for Numerical Weather Prediction Peter Jan van Leeuwen + PF group (Mel Ades,

Particle Filters for Numerical Weather Prediction Peter Jan van Leeuwen + PF group (Mel Ades, Javier Amezcua, Phil Browne, David Livings, Alison Fowler, Matt Lang, Michael Goodliff) Data-Assimilation Research Centre DARC University of

296 views • 14 slides
MAT 137 LEC 0601 Instructor: Alessandro Malus TA: Muhammad Mohid October 1st, 2020 Warm-up

MAT 137 LEC 0601 Instructor: Alessandro Malus TA: Muhammad Mohid October 1st, 2020 Warm-up

MAT 137 LEC 0601 Instructor: Alessandro Malus TA: Muhammad Mohid October 1st, 2020 Warm-up question : Suppose you need to prove that x a f ( x ) = L . lim 1 Write down the formal definition of the statement; 2 Write down what the

561 views • 21 slides
Signal Processing - Introduction Signal Processing Analogue/digital filters: extensively used

Signal Processing - Introduction Signal Processing Analogue/digital filters: extensively used

Instrumentation (and Signal Processing Process Control) Fall 1393 Bonab University Signal Processing - Introduction Signal Processing Analogue/digital filters: extensively used in sensor signal processing Pre-processing

894 views • 32 slides
R 0 R 1 R 2 . . . Non parametric version: empirical null space

R 0 R 1 R 2 . . . Non parametric version: empirical null space

Modal filtering data reduction Introduction and subspace detection Usefulness of global vibration-based SHM methods for handling the temperature effect in SHM Limitations due to temperature effects on the dynamics of civil engineering

286 views • 3 slides
CSSE 120 DAY 1 Introduction to Software Development - Robotics Outline Today:

CSSE 120 DAY 1 Introduction to Software Development - Robotics Outline Today:

As you arrive Start up your computer Bookmark the course web site: www.rose-hulman.edu/class/csse/ csse120/201030robotics/ CSSE 120 DAY 1 Introduction to Software Development - Robotics Outline Today: Introductions: students and

506 views • 25 slides
Understanding the communication changes experienced by adults with cerebral palsy Dr Leigha

Understanding the communication changes experienced by adults with cerebral palsy Dr Leigha

Understanding the communication changes experienced by adults with cerebral palsy Dr Leigha Dark Australian Catholic University ISAAC International Conference Lisbon, Portugal 19 th 26 th July, 2014 1 Context Change involves:

351 views • 24 slides

More recommend