Latest advance in Suricata IDPS - RMLL (schedule2012.rmll.info/IMG/pdf/2012_rmll_suricata.pdf)
Latest advance in Suricata IDPS
Éric Leblond
OISF
July 9th 2012
Éric Leblond (OISF) Latest advance in Suricata IDPS July 9th 2012 1 / 44
1 Introduction: Introduction; Goals of the project; Ecosystem
2 Functionalities: List of functionalities; Signatures
3 Advanced functionalities of Suricata: libHTP; Flow variables
4 Suricata 1.3: Extraction and inspection of files; TLS Handshake parser
5 The future: The roadmap; More information
Suricata ?
(C) Jean-Marie Hullot, CC BY 3.0
Introduction
Éric Leblond
- Initial and lead developer of NuFW
- Netfilter contributor (mainly ulogd2 and userspace interaction)
- Suricata core developer (IPS, multicore optimisation, ...)
- Independent open source and security consultant
- ...
About OISF
Open Information Security Foundation: http://www.openinfosecfoundation.org
- Non-profit foundation organized to build a next generation IDS/IPS engine
- Funded by the US Government (DHS, Navy)
- Development of an Open Source IDS/IPS:
  - Funding of developers
  - Financial support of related projects (barnyard2)
  - Board that defines the big orientations
  - Roadmap is defined in public meetings
About OISF
Consortium members
- HOST program: Homeland Open Security Technology
- Platinum level: BAE Systems
- Gold level: Npulse, Endace, Emerging Threats
- Bronze level: SRC, Everis, Bivio Networks, Nitro Security, Marasystems, ...
- Technology partners: Napatech, Nvidia
Developers
- Leader: Victor Julien
- Developers: Anoop Saldanha, Gurvinder Singh, Pablo Rincon, William Metcalf, Eric Leblond, ...
Board
- Matt Jonkman, Richard Bejtlich, Dr. Jose Nazario, Joel Ebrahimi, Marc Norton, Stuart Wilson, ...
Goals
- Bring new technologies to IDS
- Performance
  - Multi-threads
  - Hardware acceleration: http://packetchaser.org/index.php/opensource/suricata-10gbps
- Open source
- Support of Linux / *BSD / Mac OSX / Windows
Similar projects
Bro
- Different technology (capture oriented)
- Statistical study
Snort
- Equivalent
- Compatible
- Direct competition
- Sourcefire has felt endangered and has been aggressive: http://www.informationweek.com/news/software/enterprise_apps/226400079
Suricata vs Snort
Suricata
- Driven by a foundation
- Multi-threaded
- Native IPS
- Advanced functions (flowint, libHTP)
- PF_RING support, CUDA support
- Modern and modular code
- Young but dynamic
Snort
- Developed by Sourcefire
- Multi-process
- IPS support
- SO ruleset (advanced logic + perf, but closed)
- No hardware acceleration
- Old code
- 10 years of experience
Independent study: http://www.aldeid.com/index.php/Suricata-vs-snort
Suricata with snort ruleset
- Not optimised
- Doesn't use any advanced feature
Suricata with dedicated ruleset
- Uses Suricata's optimised matches
- Uses Suricata's advanced keywords
- Can get one from http://www.emergingthreats.net/
Functionalities
- IPv6 native support
- Multi-threaded
- Native hardware acceleration (PF_RING, Napatech, Endace, Myricom)
- Numerous options for performance optimisation
- Optimized support of IP-only tests
- IPS is native (inline mode)
- Protocol detection
Global architecture
- Chained treatment modules
- Each running mode can have its own architecture
Architecture of mode "pcap auto v1": (diagram)
Fine setting of CPU preferences
- Attach a thread to a CPU
- Attach a thread family to a CPU set
- Allow IRQ-based optimisation
Entry modules
IDS
- PCAP: live, multi-interface; offline support
- AF_PACKET
- PF_RING: multithread, http://www.ntop.org/PF_RING.html
- Capture card support: Napatech, Myricom, Endace
IPS
- NFQueue: Linux (multi-queue, advanced support), Windows
- ipfw: FreeBSD, NetBSD
Output modules
- Fastlog
- Unified log (Barnyard 1 & 2)
- HTTP log (log in apache-style format)
- Prelude (IDMEF)
Suricata Ecosystem
Signatures
- Supports almost all Snort ruleset features
- Exclusive features used by the VRT or Emerging Threats rulesets
alert tcp any any -> 192.168.1.0/24 21 (content: "USER root"; msg: "FTP root login";)
Anatomy of the rule:
- Action: alert / drop / pass
- IP parameters: tcp any any -> 192.168.1.0/24 21
- Pattern: content: "USER root"
- Other parameters: msg: "FTP root login"
libHTP
- Security oriented HTTP parser
- Written by Ivan Ristic (ModSecurity, IronBee)
- Flow tracking
- Support of keywords: http_body, http_raw_uri, http_header, http_cookie, ...
- Able to decode gzip compressed flows
Using HTTP features in signature
Signature example: Facebook chat
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"ET CHAT Facebook Chat (send message)"; \
flow:established,to_server; content:"POST"; http_method; \
content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; \
classtype:policy-violation; reference:url,doc.emergingthreats.net/2010784; \
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat; \
sid:2010784; rev:4; \
)
This signature tests:
- The HTTP method: POST
- The page: /ajax/chat/send.php
- The domain: facebook.com
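To make the rule anatomy from the Signatures slide and the per-buffer matching of the Facebook chat signature concrete, here is an added example (not code from the slides or from Suricata): a small parser for the "action proto src sport dir dst dport (options)" format that records which libHTP buffer each content keyword is tied to, and a matcher that runs the parsed rule against constructed HTTP requests. The buffer layout in request_buffers is a simplification assumed for illustration, not libHTP's actual normalization.

```python
from dataclasses import dataclass, field

# Old-style modifiers: each applies to the content keyword that precedes it
# and redirects that match to one of libHTP's per-transaction buffers.
BUFFER_MODIFIERS = {"http_method", "http_uri", "http_header"}

@dataclass
class Content:
    pattern: bytes
    negated: bool = False
    buffer: str = "payload"   # no modifier: match on the raw payload

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    contents: list[Content] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)   # msg, flow, sid, rev, ...

def split_options(body: str) -> list[str]:
    """Split the option block on ';' outside double quotes (a msg may contain ';')."""
    options, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        options.append(tail)
    return options

def parse_rule(text: str) -> Rule:
    """Parse one rule. Hex escapes (|..|) and nocase are not handled here."""
    text = text.replace("\\\n", " ")          # join backslash line continuations
    head, _, body = text.partition("(")
    body = body.rstrip().rstrip(")")
    parts = head.split()
    if len(parts) != 7:
        raise ValueError("rule header must be: action proto src sport dir dst dport")
    rule = Rule(*parts)
    for option in split_options(body):
        key, _, value = option.partition(":")
        key, value = key.strip(), value.strip()
        if key == "content":
            negated = value.startswith("!")
            pattern = value.lstrip("!").strip().strip('"')
            rule.contents.append(Content(pattern.encode(), negated))
        elif key in BUFFER_MODIFIERS:
            if not rule.contents:
                raise ValueError(f"{key} must follow a content keyword")
            rule.contents[-1].buffer = key
        else:
            rule.meta[key] = value.strip('"')
    return rule

@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict[str, str]
    body: bytes = b""

def request_buffers(req: HttpRequest) -> dict[str, bytes]:
    """Simplified stand-in for the buffers libHTP exposes to the detection engine."""
    raw_headers = b"".join(f"{k}: {v}\r\n".encode() for k, v in req.headers.items())
    request_line = f"{req.method} {req.uri} HTTP/1.1\r\n".encode()
    return {
        "http_method": req.method.encode(),
        "http_uri": req.uri.encode(),
        "http_header": raw_headers,
        "payload": request_line + raw_headers + b"\r\n" + req.body,
    }

def rule_matches(rule: Rule, req: HttpRequest) -> bool:
    """Every content must be found (or, if negated, absent) in its own buffer."""
    buffers = request_buffers(req)
    for content in rule.contents:
        found = content.pattern in buffers[content.buffer]
        if found == content.negated:
            return False
    return True

# The Facebook chat signature from the slide, with the reference options trimmed.
FACEBOOK_CHAT_RULE = r'''alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"ET CHAT Facebook Chat (send message)"; \
flow:established,to_server; content:"POST"; http_method; \
content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; \
classtype:policy-violation; sid:2010784; rev:4;)'''

def demo() -> list[bool]:
    """Constructed requests: only the first should trigger the signature."""
    rule = parse_rule(FACEBOOK_CHAT_RULE)
    requests = [
        HttpRequest("POST", "/ajax/chat/send.php", {"Host": "www.facebook.com"}, b"msg=hi"),
        HttpRequest("POST", "/ajax/chat/send.php", {"Host": "www.example.org"}),
        HttpRequest("GET", "/ajax/chat/send.php", {"Host": "www.facebook.com"}),
    ]
    return [rule_matches(rule, req) for req in requests]
```

The second and third requests fail on a single buffer each (wrong Host header, wrong method), which is exactly why buffer-specific keywords produce fewer false positives than a plain content match over the whole payload.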
Flow variables
Objectives
- Detection of multi-step attacks
- Verify a condition on a flow
- Modify alert treatment
- State machine inside each flow
Flowbits
- Boolean condition
- Set a flag
Flowint
- Define a counter
- Arithmetic operations
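An added example, not code from the slides or from Suricata, that shows the per-flow state machine the slide describes: flowbits act as flags and flowints as counters, and a later rule on the same flow can alert only once earlier packets set them. The rules and the FTP session below are constructed; in real Suricata syntax the same operations are written as flowbits:set,ftp.root_user; flowbits:noalert; flowint:ftp.failed,+,1; flowint:ftp.failed,>,3;. The evaluation order (all conditions checked first, state modified only on a full match) is this example's simplification.

```python
import operator
from dataclasses import dataclass, field

COMPARE = {">": operator.gt, "<": operator.lt, "==": operator.eq,
           ">=": operator.ge, "<=": operator.le, "!=": operator.ne}

@dataclass
class FlowState:
    """Per-flow variables: flowbits are a set of flags, flowints a name -> int map."""
    bits: set[str] = field(default_factory=set)
    ints: dict[str, int] = field(default_factory=dict)

@dataclass
class FlowRule:
    sid: int
    msg: str
    content: bytes
    flowbits: list[tuple] = field(default_factory=list)   # ("set", name), ("isset", name), ("noalert",)
    flowint: list[tuple] = field(default_factory=list)    # (name, op, value)

def rule_fires(rule: FlowRule, state: FlowState, payload: bytes) -> bool:
    """Return True if the rule alerts on this packet. Conditions (content, flowbits
    tests, flowint comparisons) are checked first; set/unset/arithmetic are applied
    only when all of them held, so a non-matching packet never touches flow state."""
    if rule.content not in payload:
        return False
    for op, *args in rule.flowbits:
        if op == "isset" and args[0] not in state.bits:
            return False
        if op == "isnotset" and args[0] in state.bits:
            return False
    for name, op, value in rule.flowint:
        current = state.ints.get(name)
        if op == "isset" and current is None:
            return False
        if op == "notset" and current is not None:
            return False
        if op in COMPARE and (current is None or not COMPARE[op](current, value)):
            return False
    alert = True
    for op, *args in rule.flowbits:
        if op == "set":
            state.bits.add(args[0])
        elif op == "unset":
            state.bits.discard(args[0])
        elif op == "toggle":
            state.bits.symmetric_difference_update({args[0]})
        elif op == "noalert":
            alert = False          # rule only feeds state, never alerts by itself
    for name, op, value in rule.flowint:
        if op == "=":
            state.ints[name] = value
        elif op == "+":
            state.ints[name] = state.ints.get(name, 0) + value
        elif op == "-":
            state.ints[name] = state.ints.get(name, 0) - value
    return alert

def run_flow(rules: list[FlowRule], packets: list[bytes]) -> tuple[list[tuple[int, int]], FlowState]:
    """Evaluate every rule, in order, on each packet of one flow; return (alerts, final state)."""
    state = FlowState()
    alerts = []
    for index, payload in enumerate(packets, start=1):
        for rule in rules:
            if rule_fires(rule, state, payload):
                alerts.append((index, rule.sid))
    return alerts, state

# Constructed rules: a two-step flowbits detection (USER root followed by a 230
# success reply) and a flowint counter for repeated 530 failures on one flow.
FTP_RULES = [
    FlowRule(1, "FTP root user attempted", b"USER root",
             flowbits=[("set", "ftp.root_user"), ("noalert",)]),
    FlowRule(2, "FTP login failure counted", b"530 ",
             flowint=[("ftp.failed", "+", 1)], flowbits=[("noalert",)]),
    FlowRule(3, "FTP brute force: more than 3 failures on one flow", b"530 ",
             flowint=[("ftp.failed", ">", 3)]),
    FlowRule(4, "FTP root login succeeded after USER root", b"230 ",
             flowbits=[("isset", "ftp.root_user")]),
]

# Constructed FTP session (client and server payloads interleaved on one flow).
FTP_FLOW = [
    b"USER root\r\n",
    b"530 Login incorrect.\r\n",
    b"530 Login incorrect.\r\n",
    b"530 Login incorrect.\r\n",
    b"530 Login incorrect.\r\n",
    b"230 Login successful.\r\n",
]
```

Running run_flow(FTP_RULES, FTP_FLOW) alerts on packet 5 (fourth failure, sid 3) and packet 6 (sid 4); a session that logs in as another user never fires sid 4 because the flag was never set.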
Suricata 1.3
- New hardware support: Myricom, Endace, Napatech
- TLS/SSL handshake parser
- Better performance
- On-the-fly MD5 calculation and matching for files in HTTP streams
- Scripts for looking up files / file MD5s at VirusTotal and others (contributed by Martin Holste)
- http_user_agent keyword for matching on the HTTP User-Agent header
More scalability
- Flow engine: removal of a contention point and a better hash function.
- Thresholding and Tag engines: fine-grained locking instead of a global lock.
In the engine
Less memory
  New ac-bs algorithm
  From 35G with ac-full to less than 4G for ac-bs
  Handling 1Gb/s with 7000 rules
Rule engine improvements
  Reload the ruleset without breaking the flow analysis
  Rule analyser
Extraction and inspection of files
Get files from HTTP downloads and uploads
Detect information about the file using libmagic
  Type of file
  Other details...
A dedicated extension of the signature language
Dedicated keywords
filemagic: description of the content
alert http any any -> any any (msg:"windows exec"; filemagic:"executable for MS Windows"; sid:1; rev:1;)
filestore: store the file for inspection
alert http any any -> any any (msg:"windows exec"; filemagic:"executable for MS Windows"; filestore; sid:1; rev:1;)
fileext: file extension
alert http any any -> any any (msg:"jpg claimed, but not jpg file"; fileext:"jpg"; filemagic:!"JPEG image data"; sid:1; rev:1;)
filename: file name
alert http any any -> any any (msg:"sensitive file leak"; filename:"secret"; sid:1; rev:1;)
Examples
Files sent to a server that only accepts PDF
alert http $EXTERNAL_NET any -> $WEBSERVER any (msg:"suspicious upload"; flow:established,to_server; content:"POST"; http_method; content:"/upload.php"; http_uri; filemagic:!"PDF document"; filestore; sid:1; rev:1;)
Private keys in the wild
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"outgoing private key"; filemagic:"RSA private key"; sid:1; rev:1;)
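All of the file rules above express one idea: compare what the client claims about a file (its name or extension) with what its bytes say (libmagic). The Python below is an added illustration of that check, not code from the slides or from Suricata. It assumes a four-entry prefix table as a stand-in for libmagic (the real database is far richer) and evaluates constructed HTTP transfers that mirror the slides' rules.

```python
"""Compare what a client claims about a file with what its bytes say, in the
spirit of Suricata's fileext / filemagic / filename keywords.  Added example,
not Suricata code: MAGIC_SIGNATURES is a four-entry stand-in for libmagic
(assumption; the real database is far richer) and the transfers are constructed."""

# Leading-byte signatures paired with the libmagic-style descriptions the slide rules use.
MAGIC_SIGNATURES = [
    (b"MZ", "executable for MS Windows"),
    (b"%PDF-", "PDF document"),
    (b"\xff\xd8\xff", "JPEG image data"),
    (b"-----BEGIN RSA PRIVATE KEY-----", "RSA private key"),
]


def filemagic(data):
    """Describe the content from its first bytes (simplified libmagic lookup)."""
    for prefix, description in MAGIC_SIGNATURES:
        if data.startswith(prefix):
            return description
    return "data"


def fileext(filename):
    """Extension as the client claimed it, lower-cased and without the dot."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def evaluate(transfer):
    """Return the msg of every slide rule that the transfer would trigger.

    transfer: dict with method, uri, direction ('to_server' or 'to_client'),
    filename and data (the file bytes reassembled from the HTTP stream)."""
    alerts = []
    magic = filemagic(transfer["data"])
    ext = fileext(transfer["filename"])
    to_server = transfer["direction"] == "to_server"

    # filemagic:"executable for MS Windows"
    if magic == "executable for MS Windows":
        alerts.append("windows exec")
    # fileext:"jpg"; filemagic:!"JPEG image data"
    if ext == "jpg" and magic != "JPEG image data":
        alerts.append("jpg claimed, but not jpg file")
    # filename:"secret", modelled here as a case-insensitive substring search
    if "secret" in transfer["filename"].lower():
        alerts.append("sensitive file leak")
    # POST to /upload.php on the PDF-only server; filemagic:!"PDF document"
    if (to_server and transfer["method"] == "POST"
            and "/upload.php" in transfer["uri"] and magic != "PDF document"):
        alerts.append("suspicious upload")
    # $HOME_NET -> $EXTERNAL_NET with filemagic:"RSA private key"
    if to_server and magic == "RSA private key":
        alerts.append("outgoing private key")
    return alerts


# Constructed transfers: a renamed executable, a non-PDF upload, a leaked key, a real JPEG.
SAMPLE_TRANSFERS = [
    {"method": "GET", "uri": "/photos/cat.jpg", "direction": "to_client",
     "filename": "cat.jpg", "data": b"MZ\x90\x00" + b"\x00" * 60},
    {"method": "POST", "uri": "/upload.php", "direction": "to_server",
     "filename": "report.pdf", "data": b"<html><body>not a pdf</body></html>"},
    {"method": "POST", "uri": "/backup", "direction": "to_server",
     "filename": "id_rsa", "data": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n"},
    {"method": "GET", "uri": "/logo.jpg", "direction": "to_client",
     "filename": "logo.jpg", "data": b"\xff\xd8\xff\xe0\x00\x10JFIF"},
]

if __name__ == "__main__":
    for t in SAMPLE_TRANSFERS:
        print(t["filename"], "->", evaluate(t) or ["no alert"])
```

The first sample shows why the extension/content comparison matters: a Windows executable served as cat.jpg trips both the "windows exec" and the "jpg claimed, but not jpg file" rules, while a genuine JPEG trips neither.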
Disk storage
Every file is stored on disk with a metadata file
Disk usage limit can be set
Scripts for looking up files / file MD5s at VirusTotal and others
Current limits of file extraction
Limited to the HTTP protocol
Storage limits are suboptimal
MS Office files are not decoded
TLS Handshake parser
TLS is an application-layer protocol in the Suricata sense
Automatic detection of the protocol
  Independent of the port
  Done by pattern matching
Dedicated keywords
  Usable in the signatures
Other supported applications
HTTP: keywords http_uri, http_body, http_user_agent, ...
SMTP
FTP: keyword ftpbounce
SSH: keywords ssh.softwareversion, ssh.protoversion
DCERPC
SMB
A TLS handshake parser
No traffic decryption
Method:
  Analysis of the TLS handshake
  Parsing of the TLS messages
A security-oriented parser
  Coded from scratch
  Provides a hackable code base for the feature
  No external dependency
Contributed by Pierre Chifflier (ANSSI)
With security in mind:
  Resistance to attacks (audit, fuzzing)
  Anomaly detection
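The slides describe the parser's properties (port-independent detection by pattern matching, parsing of the handshake messages without decryption, and resistance to malformed input) rather than its code. The Python below is an added illustration of those properties on a TLS ClientHello, not Suricata's parser nor Pierre Chifflier's. Every field read is bounded by the enclosing length, a lying length raises instead of over-reading, and a non-ASCII server name is treated as an anomaly; the ClientHello it parses is constructed by build_client_hello, not captured traffic.

```python
"""Minimal TLS record and ClientHello parser in the style the slides describe:
port-independent protocol detection by pattern, strict length checks on every
field, and no decryption.  Added example, not Suricata's parser (nor Pierre
Chifflier's); the ClientHello it parses is constructed by build_client_hello."""
import struct

TLS_HANDSHAKE = 0x16      # record content type
HS_CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension


class TLSParseError(ValueError):
    """Raised on truncated or inconsistent input instead of reading past a length."""


def looks_like_tls(data):
    """Protocol detection on the first bytes: handshake record, SSLv3/TLS version."""
    return (len(data) >= 3 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x03)


class Reader:
    """Cursor over a byte string; every read is bounds-checked."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise TLSParseError("truncated: need %d bytes at offset %d" % (n, self.pos))
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, width):
        return int.from_bytes(self.take(width), "big")

    def vector(self, len_width):
        """Length-prefixed opaque vector, bounded by the enclosing buffer."""
        return self.take(self.uint(len_width))

    def done(self):
        return self.pos == len(self.buf)


def parse_client_hello(data):
    """Return version, cipher suites and SNI from one ClientHello record."""
    if not looks_like_tls(data):
        raise TLSParseError("not a TLS handshake record")
    rec = Reader(data)
    rec.take(1)                              # content type, checked above
    record_version = rec.uint(2)
    body = Reader(rec.vector(2))             # record length bounds everything below
    if not rec.done():
        raise TLSParseError("trailing bytes after record")
    if body.uint(1) != HS_CLIENT_HELLO:
        raise TLSParseError("not a ClientHello")
    hello = Reader(body.vector(3))           # 24-bit handshake length
    if not body.done():
        raise TLSParseError("trailing bytes after handshake message")
    version = hello.uint(2)
    hello.take(32)                           # client random
    hello.vector(1)                          # session id
    suites_raw = hello.vector(2)
    if not suites_raw or len(suites_raw) % 2:
        raise TLSParseError("bad cipher_suites length")
    cipher_suites = list(struct.unpack(">%dH" % (len(suites_raw) // 2), suites_raw))
    if not hello.vector(1):
        raise TLSParseError("empty compression_methods")
    sni = None
    if not hello.done():                     # extensions block is optional
        exts = Reader(hello.vector(2))
        if not hello.done():
            raise TLSParseError("trailing bytes after extensions")
        while not exts.done():
            ext_type = exts.uint(2)
            ext_body = Reader(exts.vector(2))
            if ext_type == EXT_SERVER_NAME:
                names = Reader(ext_body.vector(2))
                while not names.done():
                    name_type, host = names.uint(1), names.vector(2)
                    if name_type == 0:
                        try:
                            sni = host.decode("ascii")
                        except UnicodeDecodeError:
                            raise TLSParseError("non-ASCII server name")  # anomaly
    return {"record_version": record_version, "version": version,
            "cipher_suites": cipher_suites, "sni": sni}


def build_client_hello(version=0x0303, suites=(0x002F, 0x0035), sni="www.example.com"):
    """Constructed ClientHello (not captured traffic) used as sample input."""
    host = sni.encode("ascii")
    name = b"\x00" + len(host).to_bytes(2, "big") + host
    sni_ext = (EXT_SERVER_NAME.to_bytes(2, "big") + (len(name) + 2).to_bytes(2, "big")
               + len(name).to_bytes(2, "big") + name)
    suites_raw = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (version.to_bytes(2, "big") + b"\x11" * 32 + b"\x00"
             + len(suites_raw).to_bytes(2, "big") + suites_raw + b"\x01\x00"
             + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello()))
```

looks_like_tls is the port-independent detection step: the same bytes are recognised whether they arrive on 443 or on an arbitrary port, which is what lets a rule say "alert tls" instead of "alert tcp ... 443". The nested Reader objects are the security-oriented part: an outer length can never be exceeded by an inner one, so a crafted length field produces a TLSParseError rather than an out-of-bounds read.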
A handshake parser
The syntax
alert tcp $HOME_NET any -> $EXTERNAL_NET 443
becomes
alert tls $HOME_NET any -> $EXTERNAL_NET any
Interest:
  No dependency on IP parameters
  Pattern matching is limited to the identified protocol
    Fewer false positives
    More performance
TLS keywords
tls.version: match the protocol version number
tls.subject: match the certificate subject
tls.issuerdn: match the name of the CA which has signed the key
More to come
tls.fingerprint: match the fingerprint of the certificate
Example: verify security policy (1/2)
Environment:
  A company with servers
  With an official PKI
The goal:
  Verify that the PKI is used
  Without working too much
Example: verify security policy (2/2)
Let's check that the certificates presented when a client negotiates a connection to one of our servers are the expected ones.
The signature:
alert tls any any -> $SERVERS any (tls.issuerdn:!"C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA"; sid:1; rev:1;)
Example: detect certificate anomaly
Google.com is signed by Google Internet Authority
Not by another CA (DigiNotar, for example)
If it is the case, this is bad! Let's block that!
Signature:
drop tls $CLIENT any -> any any (tls.subject:"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com"; tls.issuerdn:!"C=US, O=Google Inc, CN=Google Internet Authority"; sid:1; rev:1;)
What! KPN has been hacked too! Let's get rid of the Dutch!
drop tls $CLIENT any -> any any (tls.issuerdn:"C=NL"; sid:1; rev:1;)
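The policy rule from the previous slide and the two anomaly rules above all reduce to substring tests on the subject and issuer DNs the handshake parser reports. The Python below is an added illustration of those three rules evaluated together on constructed handshake events; it is not Suricata code. The DNs are the ones quoted on the slides, while the address groups standing in for $SERVERS and $CLIENT and the events themselves are made up. Unlike Suricata, which stops at the first drop, it reports every rule that matches, which makes overlaps between rules visible.

```python
"""Certificate policy checks on TLS handshake metadata, mirroring the slides'
tls.issuerdn / tls.subject signatures.  Added example, not Suricata code: the
DNs are the ones quoted on the slides, while the address groups and the
handshake events are constructed."""

# Constructed address groups standing in for the $SERVERS and $CLIENT variables.
SERVERS = {"198.51.100.10", "198.51.100.11"}
CLIENTS = {"192.0.2.20", "192.0.2.21"}

# DNs from the slides.
OFFICIAL_PKI_ISSUER = "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA"
GOOGLE_SUBJECT = "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com"
GOOGLE_ISSUER = "C=US, O=Google Inc, CN=Google Internet Authority"


def dn_match(pattern, value, negate=False):
    """Substring match as tls.subject/tls.issuerdn do; negate mirrors the '!' prefix."""
    found = pattern in value
    return not found if negate else found


def check_handshake(ev):
    """Return (action, msg) pairs for every slide rule that matches one handshake.

    ev carries src_ip, dst_ip, subject and issuerdn of the server certificate.
    All matches are reported (Suricata itself would stop at the first drop)."""
    hits = []
    # alert tls any any -> $SERVERS any (tls.issuerdn:!"<official PKI root>";)
    if ev["dst_ip"] in SERVERS and dn_match(OFFICIAL_PKI_ISSUER, ev["issuerdn"], negate=True):
        hits.append(("alert", "server certificate not issued by the official PKI"))
    # drop tls $CLIENT any -> any any (tls.subject:"<google>"; tls.issuerdn:!"<Google Internet Authority>";)
    if (ev["src_ip"] in CLIENTS and dn_match(GOOGLE_SUBJECT, ev["subject"])
            and dn_match(GOOGLE_ISSUER, ev["issuerdn"], negate=True)):
        hits.append(("drop", "google.com certificate from an unexpected CA"))
    # drop tls $CLIENT any -> any any (tls.issuerdn:"C=NL";)
    if ev["src_ip"] in CLIENTS and dn_match("C=NL", ev["issuerdn"]):
        hits.append(("drop", "certificate issued under C=NL"))
    return hits


# Constructed handshake events (subject/issuerdn as the TLS parser would report them).
EVENTS = [
    # 1. internal server using the official PKI
    {"src_ip": "192.0.2.20", "dst_ip": "198.51.100.10",
     "subject": "C=NL, O=Example Corp, CN=intranet.example.test",
     "issuerdn": OFFICIAL_PKI_ISSUER},
    # 2. internal server with a certificate from some other CA
    {"src_ip": "192.0.2.20", "dst_ip": "198.51.100.11",
     "subject": "CN=intranet.example.test",
     "issuerdn": "C=US, O=Constructed CA Inc, CN=Constructed Root"},
    # 3. google.com with its expected issuer
    {"src_ip": "192.0.2.21", "dst_ip": "203.0.113.5",
     "subject": GOOGLE_SUBJECT, "issuerdn": GOOGLE_ISSUER},
    # 4. google.com signed by a Dutch CA that should never issue for it
    {"src_ip": "192.0.2.21", "dst_ip": "203.0.113.5",
     "subject": GOOGLE_SUBJECT,
     "issuerdn": "C=NL, O=Constructed Rogue CA, CN=Constructed Rogue Root"},
]

if __name__ == "__main__":
    for n, ev in enumerate(EVENTS, 1):
        print(n, check_handshake(ev) or "no match")
```

Event 1 is the check a practitioner would want before deploying the last rule: the official PKI of the policy example is itself Dutch, so the blanket "C=NL" drop also drops connections to the company's own correctly-configured servers. A substring on the issuer DN is only as selective as the substring; restricting that rule to external destinations, or excluding the official root with a second negated tls.issuerdn, keeps the policy example and the anomaly example from contradicting each other.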
Current limits
Keywords apply only to the first certificate of the chain.
  Impossible to run checks on chained certificates
  Supported by the parser but not by the keywords.
Some keywords are missing and will be added:
  Cryptographic algorithm used
  Key size
  Diffie-Hellman parameters
Statistical study and certificate storage
Roadmap
IP and DNS reputation
SCADA preprocessor (thanks to Digital Bond)
Keyword geoip
How to test it fast and easily?
Already available in Debian, Ubuntu, Gentoo, FreeBSD
Live distributions:
SIEM live (Suricata + Prelude + OpenVAS): https://www.wzdftpd.net/redmine/projects/siem-live/wiki
Smooth-Sec (Suricata + Snorby): http://bailey.st/blog/smooth-sec/
Questions
Do you have questions?
Big thanks:
  Pierre Chifflier: http://www.wzdftpd.net/blog/
  The whole OISF team and especially Victor Julien
Related reads:
  OISF website: http://www.openinfosecfoundation.org/
  Planet Suricata: http://planet.suricata-ids.org/
  Suricata devel site: https://redmine.openinfosecfoundation.org/
Join me:
  Mail: [email protected]
  Twitter: Regiteric
  Blog: https://home.regit.org