suricata the terminator of ids ips world
play

Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, - PowerPoint PPT Presentation

May 12, 2023 •2.07k likes •2.73k views

Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 1 / 40 Some word about me Eric Leblond French Previously, co-founder and CTO of EdenWall

  1. Suricata, the Terminator of IDS/IPS world Éric Leblond OISF July 9, 2013 Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 1 / 40

  2. Some word about me Eric Leblond French Previously, co-founder and CTO of EdenWall (RIP) Now, Contractor Suricata IDS/IPS developer @Regiteric on Twitter Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 2 / 40

  3. Some word about me Eric Leblond French Previously, co-founder and CTO of EdenWall (RIP) Now, Contractor Suricata IDS/IPS developer @Regiteric on Twitter regit@netfilter.org Netfilter Coreteam Member Working on: some kernel stuff libnetfilter_queue and userspace library ulogd2 maintainer Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 2 / 40

  4. Suricata 1 Ecosystem Goals of the project Features Advanced functionalities IPS 2 IPS basics WTF Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 3 / 40

  5. IDS? IPS? System to uncover malicious/unwanted activity on your network by inspecting the network traffic. IDS (Network) Intrusion Detection System Passive, it only looks and alerts the admin Compare to security camera IPS (Network) Intrusion Prevention System Active, tries to prevent badness from happening Compare to security checkpoint Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 4 / 40

  6. Suricata reconstruction and normalization https://home.regit.org/~regit/decomp-en.svg Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 5 / 40

  7. Similar projects Bro Different technology (capture oriented) Statistical study Scripting Complementary Snort Equivalent Compatible Competing project Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 6 / 40

  8. Suricata vs Snort Suricata Snort Driven by a foundation Developed by Sourcefire Multi-threaded Multi-process Native IPS IPS support Advanced functions SO ruleset (advanced logic (flowint, libHTP , LuaJIT + perf but closed) scripting) No hardware acceleration PF_RING support, CUDA Old code support 10 years of experience Modern and modular code Young but dynamic Independant study: http://www.aldeid.com/index.php/Suricata-vs-snort Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 7 / 40

  9. Suricata with Snort ruleset Not optimised Don’t use any advanced features Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 8 / 40

  10. Suricata with dedicated ruleset Uses Suricata optimised detection Uses Suricata advanced keywords Can get one for free from http://www.emergingthreats.net/ Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 9 / 40

  11. About OISF Open Information Security Foundation http://www.openinfosecfoundation.org Non-profit foundation organized to build a next generation IDS/IPS engine Funded by US Governement (DHS, Navy) Development of an Open Source IDS/IPS: Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 10 / 40

  12. About OISF Open Information Security Foundation http://www.openinfosecfoundation.org Non-profit foundation organized to build a next generation IDS/IPS engine Funded by US Governement (DHS, Navy) Development of an Open Source IDS/IPS: Paying Developers Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 10 / 40

  13. About OISF Open Information Security Foundation http://www.openinfosecfoundation.org Non-profit foundation organized to build a next generation IDS/IPS engine Funded by US Governement (DHS, Navy) Development of an Open Source IDS/IPS: Paying Developers Financial support of related projects (barnyard2) Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 10 / 40

  14. About OISF Open Information Security Foundation http://www.openinfosecfoundation.org Non-profit foundation organized to build a next generation IDS/IPS engine Funded by US Governement (DHS, Navy) Development of an Open Source IDS/IPS: Paying Developers Financial support of related projects (barnyard2) Board which oversees foundation management Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 10 / 40

  15. About OISF Open Information Security Foundation http://www.openinfosecfoundation.org Non-profit foundation organized to build a next generation IDS/IPS engine Funded by US Governement (DHS, Navy) Development of an Open Source IDS/IPS: Paying Developers Financial support of related projects (barnyard2) Board which oversees foundation management Roadmap is defined in public brainstorm sessions Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 10 / 40

  16. About OISF Consortium members HOST program: Homeland Open Security Technology Platinium level: BAE Systems, nPulse Gold level: Tilera, Endace, Emerging Threats Bronze level: SRC, Everis, NitroSecurity, Myricom, Emulex Technology partner: Napatech, Nvidia Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 11 / 40

  17. About OISF Consortium members HOST program: Homeland Open Security Technology Platinium level: BAE Systems, nPulse Gold level: Tilera, Endace, Emerging Threats Bronze level: SRC, Everis, NitroSecurity, Myricom, Emulex Technology partner: Napatech, Nvidia Developers Lead: Victor Julien Core Developers: Anoop Saldanha, Eric Leblond Developers: serveral from consortium members, community. Suricata has been created by about 35 developers so far. Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 11 / 40

  18. About OISF Consortium members HOST program: Homeland Open Security Technology Platinium level: BAE Systems, nPulse Gold level: Tilera, Endace, Emerging Threats Bronze level: SRC, Everis, NitroSecurity, Myricom, Emulex Technology partner: Napatech, Nvidia Developers Lead: Victor Julien Core Developers: Anoop Saldanha, Eric Leblond Developers: serveral from consortium members, community. Suricata has been created by about 35 developers so far. Board Project leader: Matt Jonkman Richard Bejtlich, Dr. Jose Nazario, Joel Ebrahimi, Marc Norton, Stuart Wilson Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 11 / 40

  19. Goals Bring new technologies to IDS Performance: Multi-Threading, Hardware acceleration Open source: community driven (GPLv2) Support of Linux / *BSD / Mac OSX / Windows Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 12 / 40

  20. Features IPv6 native support Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 13 / 40

  21. Features IPv6 native support Multi-threaded Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 13 / 40

  22. Features IPv6 native support Multi-threaded Native hardware acceleration (PF_RING, Napatech, Endace, Myricom) Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 13 / 40

  23. Features IPv6 native support Multi-threaded Native hardware acceleration (PF_RING, Napatech, Endace, Myricom) Numerous options for performance optimisation Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 13 / 40

  24. Features IPv6 native support Multi-threaded Native hardware acceleration (PF_RING, Napatech, Endace, Myricom) Numerous options for performance optimisation Optimized support of IP only tests Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 13 / 40

  25. Features IPv6 native support Multi-threaded Native hardware acceleration (PF_RING, Napatech, Endace, Myricom) Numerous options for performance optimisation Optimized support of IP only tests IPS is native (inline mode) Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 13 / 40

  26. Features IPv6 native support Multi-threaded Native hardware acceleration (PF_RING, Napatech, Endace, Myricom) Numerous options for performance optimisation Optimized support of IP only tests IPS is native (inline mode) Protocol detection Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 13 / 40

  27. Features IPv6 native support Multi-threaded Native hardware acceleration (PF_RING, Napatech, Endace, Myricom) Numerous options for performance optimisation Optimized support of IP only tests IPS is native (inline mode) Protocol detection Advanced HTTP and TLS support Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 13 / 40

  28. Features IPv6 native support Multi-threaded Native hardware acceleration (PF_RING, Napatech, Endace, Myricom) Numerous options for performance optimisation Optimized support of IP only tests IPS is native (inline mode) Protocol detection Advanced HTTP and TLS support File extraction Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 13 / 40

  29. Features IPv6 native support Multi-threaded Native hardware acceleration (PF_RING, Napatech, Endace, Myricom) Numerous options for performance optimisation Optimized support of IP only tests IPS is native (inline mode) Protocol detection Advanced HTTP and TLS support File extraction LuaJIT scripting (experimental) Éric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 13 / 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as a SSL monitor Suricata as a passive DNS probe Suricata as a flow probe Suricata as a malware detector VirtualBox setup File ->

1.16k views • 78 slides
Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 . Leblond (OISF) Suricata and XDP Nov. 29, 2018 1 / 43 Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet

786 views • 59 slides
BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

Bro Befriends Suricata 23/09/16 20 : 23 BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski @michalpurzynski / Scripts are here - https://github.com/michalpurzynski

894 views • 47 slides
APACHE MAVEN Robert Scholte ( @rfscholte ) Developer vs. Maven? Feels like Terminator 1

APACHE MAVEN Robert Scholte ( @rfscholte ) Developer vs. Maven? Feels like Terminator 1

WHEN FIGHTING APACHE MAVEN Robert Scholte ( @rfscholte ) Developer vs. Maven? Feels like Terminator 1 Should be Terminator 2 Developer with Maven! Feels like Terminator 1 Should be Terminator 2 Reason for a fight? #fail Setup (no

1.12k views • 55 slides
Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Her Special thanks Robert Haist, DCSO Victor Julien, lead developer suricata,

598 views • 29 slides
Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 1 / 43 Eric Leblond a.k.a Regit French Network security expert Free Software

667 views • 47 slides
Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 1 / 52 Eric Leblond a.k.a Regit French Network security expert Free

536 views • 42 slides
Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien

Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien

Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien @inliniac http://www.inliniac.net/ Content of this talk Introduction to Suricata, OISF Eric Leblond will speak about recent

580 views • 47 slides
Transcription Terminator Efficiency Calculator (TTEC) SUSTC-Shenzhen-B Outline 1 Background

Transcription Terminator Efficiency Calculator (TTEC) SUSTC-Shenzhen-B Outline 1 Background

Transcription Terminator Efficiency Calculator (TTEC) SUSTC-Shenzhen-B Outline 1 Background & Motivation 2 Terminator Efficiency Calculator Algorithm Database Experiment 3 Human Practice Background & Motivation RBS CDS

486 views • 29 slides
Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 1 / 60 Netfilter 1 Nftables Tables and chains Rules Suricata

1.09k views • 75 slides
B. hercules The Terminator of Colon Cancer Background & Motive Cancer Therapy &

B. hercules The Terminator of Colon Cancer Background & Motive Cancer Therapy &

2012 HKUST iGEM Team B. hercules The Terminator of Colon Cancer Background & Motive Cancer Therapy & Synthetic Biology Our project Cancer Background & Motive Colon Carcinomas A Suitable Target Represent

923 views • 50 slides
Presents Presents Presents Presents Presents Background History/Future History of the

Presents Presents Presents Presents Presents Background History/Future History of the

Presents Presents Presents Presents Presents Background History/Future History of the TERMinator Concept, ROI. Development Cycle. Business Units involved. Future of the TERMinator. International deployment?

857 views • 16 slides
Learn These Symbols Terminator Date Entry Display Connector Document Computer Input/

Learn These Symbols Terminator Date Entry Display Connector Document Computer Input/

Learn These Symbols Terminator Date Entry Display Connector Document Computer Input/ Process Output Off-Page Connector Journal Manual Process On-line File Data Flow File Disk Decision File Dr. Peter R Gillett October 26, 2000

321 views • 6 slides
THE TERMINATOR (MANAGING NON-PERFORMANCE IN CONTRACTS) BUSINESS BREAKFAST CLUB MARK LOVE 8

THE TERMINATOR (MANAGING NON-PERFORMANCE IN CONTRACTS) BUSINESS BREAKFAST CLUB MARK LOVE 8

THE TERMINATOR (MANAGING NON-PERFORMANCE IN CONTRACTS) BUSINESS BREAKFAST CLUB MARK LOVE 8 JUNE 2018 CONTRACT MANAGEMENT The In Information Pathway Performance indicators Lead indicators CONTRACT MANAGEMENT The Character of

301 views • 12 slides
Suricata IDPS and Linux kernel . Leblond, G. Longo Stamus Networks February 10, 2016 .

Suricata IDPS and Linux kernel . Leblond, G. Longo Stamus Networks February 10, 2016 .

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Suricata IDPS and Linux kernel . Leblond, G. Longo Stamus Networks February 10, 2016 . Leblond, G. Longo (Stamus Networks)

941 views • 46 slides
The Alligator meets the Terminator: Caiman, AI, and the other 998 ways of installing OpenSolaris

The Alligator meets the Terminator: Caiman, AI, and the other 998 ways of installing OpenSolaris

OSDevCon 2009: Caiman and AI Welcome The Alligator meets the Terminator: Caiman, AI, and the other 998 ways of installing OpenSolaris Volker A. Brandt Brandt & Brandt Computer GmbH vab@bb-c.de Volker A. Brandt, Brandt & Brandt

535 views • 49 slides
DarkNOC Dashboard for Honeypot Management Bertrand Sobesto(1),

DarkNOC Dashboard for Honeypot Management Bertrand Sobesto(1),

DarkNOC Dashboard for Honeypot Management Bertrand Sobesto(1), Michel Cukier(1), Ma9 Hiltunen(2), David Kormann(2), Gregory Vesonder(2), Robin Berthier(3) (1)

437 views • 22 slides
Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What

Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What

Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What do we Track and Why? + Overview of Information Stealing Trojans How/What they steal Phoning Home Popular Kits + Detecting C&C

378 views • 25 slides
Automated Translation Automated Translation Between Attack Languages Between Attack Languages

Automated Translation Automated Translation Between Attack Languages Between Attack Languages

Automated Translation Automated Translation Between Attack Languages Between Attack Languages (Translating Snort rules to STATL scenarios) (Translating Snort rules to STATL scenarios) Steven T. Eckmann Eckmann Steven T. Reliable Software

296 views • 27 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 7 Intrusion Detection Topics Fundamentals Network IDS Snort Host-based IDS

1.03k views • 72 slides
SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang , Shitong Zhu, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth Krishnamurthy, Kevin Chan, and Tracy Braun What is DPI (Deep Packet Inspection)?

205 views • 19 slides
Cyber@UC; Meeting 28 Cyber Kill Chain If Youre New! Join our Slack ucyber.slack.com

Cyber@UC; Meeting 28 Cyber Kill Chain If Youre New! Join our Slack ucyber.slack.com

Cyber@UC; Meeting 28 Cyber Kill Chain If Youre New! Join our Slack ucyber.slack.com Follow us on Twitter @UCyb3r and Facebook UC.yber; University of Cincinnati OWASP Chapter Feel free to get involved with one of our committees:

430 views • 23 slides
Net work Management Tasks Prot ect ing t he net work (e.g. int rusion 17: det ect ion) Net

Net work Management Tasks Prot ect ing t he net work (e.g. int rusion 17: det ect ion) Net

Net work Management Tasks Prot ect ing t he net work (e.g. int rusion 17: det ect ion) Net work Management and Det ect ing f ailed component s (int erf aces, links, host s, rout ers) Monit oring Monit oring t raf f ic pat t erns

219 views • 8 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides

More recommend