Clusis Campus 2015 : introduction to Suricata IDS

An introduction to Suricata IDS given during CLUSIS Campus 2015 in Geneva

Julien Bachmann

January 28, 2015

Transcript

  1. SURICATA IDS
    Julien Bachmann
    ©2014 KUDELSKI GROUP / All rights reserved.

  2. INTRODUCTION
    IDS or IPS ?
    Intrusion Detection System
    Intrusion Prevention System
    Based on signatures
    Vulnerability centric

  3. INTRODUCTION
    Vulnerability centric
    Prevention and detection based
    Assumes you know all possible threats
    Signature based detection
    Some behavioral approaches, but not so common
    No feedback
    The opposite of the threat centric approach

  4. INTRODUCTION
    Threat centric
    Suppose prevention will fail…
    Based on attackers' TTPs
    Tools, Tactics and Procedures
    Uses bad experiences as feedback to improve

  5. INTRODUCTION
    Suricata
    Open Source project
    Run by the Open Information Security Foundation
    Initiative by DHS in 2008…
    … but now supported by a group of vendors

  6. INTRODUCTION
    Also an IPS
    NetFilter on Linux
    ipfw on BSD
    Mode
    Bridge

  7. INTRODUCTION
    Setup on Linux
    # iptables -I FORWARD -j NFQUEUE
    # suricata -c … -q 0

    # iptables -F
    Rules
    drop keyword

  8. INTRODUCTION
    Why not SNORT ?
    Only solution for quite some time
    Which has an aging core (ok, v3 is out…)
    Supports multi-threading
    Support for capture cards
    or PF_RING on commodity hardware
    10Gb/s on a Xeon with 8 cores
    GPU acceleration for regexp matching!
    who doesn't have a GPU in their IDS nowadays?

  9. INTRODUCTION
    PF_RING

  10. INTRODUCTION
    Signatures
    Support for SNORT ones
    except SO rules
    EmergingThreats
    Custom ones
    including LUA scripts for detection that needs some logic

  11. INTRODUCTION
    Deployment
    Packages or easily self-compiled
    Configuration
    suricata.yaml
    Rules management
    oinkmaster

  12. INTRODUCTION
    For testing purposes
    The Security Onion
    Stamus Networks SELKS

  12. 12 ©2014 KUDELSKI GROUP / All rights reserved.
    INTRODUCTION
    For testing purposes
    The Security Onion
    Stamus Networks SELKS

    View Slide

  13. INTRODUCTION
    Why would I use this ?
    Complementary to commercial solutions
    Write your own custom rules
    newly published vulnerability
    malware infection
    ongoing incident response
    capitalize on previous attacks
    Threat centric approach

  14. INTRODUCTION
    Deployment strategies
    Important rule: Know your network
    Ingress / Egress points
    Internet access proxies
    VPN
    Partners
    Copy traffic using port mirroring

  15. INTRODUCTION

  16. RULES 101 | PROTOCOL DETECTION
    Basic idea
    Look everywhere in the packet
    Not very fine-grained
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"looking everywhere for overflow"; flow:established; content:"|41 41 41 41|"; content:"|42 42|"; distance:0; classtype:shellcode-detect; sid:1; rev:1;)

  17. RULES 101 | PROTOCOL DETECTION
    Next idea
    Specify ports
    What if $ADMIN changed the default ports?
    alert tcp $EXTERNAL_NET any -> $HOME_NET [80,8080] (msg:"looking for web requests"; flow:established; content:"GET /"; nocase; classtype:not-suspicious; sid:1; rev:1;)

  18. RULES 101 | PROTOCOL DETECTION
    Better idea
    Specify protocol
    Let the engine detect it for you
    alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"looking for web requests"; flow:established; content:"GET"; http_method; nocase; classtype:not-suspicious; sid:1; rev:1;)

  19. RULES 101 | PROTOCOL DETECTION
    Better idea
    What about the next one?
    alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"looking for web requests"; flow:established; content:"GET"; content:"POST"; http_method; nocase; classtype:not-suspicious; sid:1; rev:1;)
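
The catch on slide 19 is that a classic content modifier such as http_method only rewrites the content keyword immediately before it, so "GET" is still matched against the raw payload. The following added example (not part of the deck) is a small rule-option parser that reports which buffer each content ends up in; the sticky-buffer rule it also checks uses newer Suricata syntax and is constructed here as an assumption about that form.

```python
import re

# Classic content modifiers: each applies only to the content keyword just before it.
MODIFIERS = {"http_method", "http_uri", "http_raw_uri", "http_header", "http_raw_header",
             "http_cookie", "http_user_agent", "http_host", "http_client_body",
             "http_server_body", "http_stat_code", "http_stat_msg"}
# Sticky buffers (newer Suricata syntax): apply to every content that follows them.
STICKY = {"http.method", "http.uri", "http.header", "http.host", "http.user_agent",
          "http.request_body", "http.response_body"}
# One rule option: a name, an optional ":value" (quoted string or bare), then ";".
OPTION_RE = re.compile(r'\s*([A-Za-z_.]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def content_buffers(rule):
    """Return [(content, buffer)] telling which buffer each content is matched in."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    out, sticky = [], "payload"
    for name, value in OPTION_RE.findall(body):
        if name == "content":
            out.append([value.strip('"'), sticky])  # current sticky buffer or raw payload
        elif name in MODIFIERS and out:
            out[-1][1] = name                       # rewrites only the previous content
        elif name in STICKY:
            sticky = name
    return [tuple(c) for c in out]

# Slide 18: one content, modifier right after it.
RULE_SLIDE18 = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"looking for web requests"; '
                'flow:established; content:"GET"; http_method; nocase; classtype:not-suspicious; '
                'sid:1; rev:1;)')
# Slide 19: two contents, but only "POST" carries http_method; "GET" matches anywhere.
RULE_SLIDE19 = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"looking for web requests"; '
                'flow:established; content:"GET"; content:"POST"; http_method; nocase; '
                'classtype:not-suspicious; sid:1; rev:1;)')
# Constructed sticky-buffer rule (assumed newer syntax): the buffer precedes the contents.
RULE_STICKY = ('alert http any any -> any any (msg:"upload via POST"; http.method; '
               'content:"POST"; http.uri; content:"/upload"; sid:2; rev:1;)')

if __name__ == "__main__":
    for rule in (RULE_SLIDE18, RULE_SLIDE19, RULE_STICKY):
        print(content_buffers(rule))
```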

  20. RULES 101 | DEMO
    Analyze malware communications
    Malware.pcap

  21. RULES 101 | DEMO
    Analyze malware communications
    alert tcp any any -> $HOME_NET any (msg:"CyberEye RAT session"; content:"ANABILGI|7c|"; sid:1; rev:1;)

  22. RULES 101 | PROTOCOL DETECTION
    Several implemented
    HTTP
    DNS
    SMB
    SSH
    FTP
    TLS
    Jabber

    Allows matching specific fields

  23. RULES 101 | PROTOCOL DETECTION
    Wait, TLS and SSH? Isn't it encrypted?
    Not so fast, no TLS decryption on the fly
    Mainly allows extracting information
    Fingerprint
    IssuerDN

  24. RULES 101 | PROTOCOL DETECTION
    Use case
    Remember the Comodo story?
    Log proactively

  25. RULES ADVANCED | FILES
    No need to dig through the PCAPs manually
    Possible to extract files matching rules
    Enable file-store in suricata.yaml

  26. RULES ADVANCED | FILES
    Store all PDF files
    alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PDF downloaded"; fileext:"pdf"; filestore; sid:1; rev:1;)
    alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PDF downloaded"; filemagic:"PDF document"; filestore; sid:1; rev:1;)

  27. RULES ADVANCED | FILES
    Detect suspicious file uploads
    alert http $EXTERNAL_NET any -> $DMZ any (msg:"possible webshell upload attempt"; fileext:"png"; filemagic:!"PNG"; filestore; sid:1; rev:1;)

  28. RULES ADVANCED | FILES
    Whitelisting uploaded files
    alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"file upload"; fileext:"exe"; filemd5:!know_good.txt; filestore; sid:1; rev:1;)
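
To make the file keywords on slides 26 to 28 concrete, here is an added example (not from the deck) that replays their logic in Python over constructed file transfers: fileext checks the name, filemagic checks the leading bytes with a small stand-in for libmagic, and filemd5 checks the hash against an allow list standing in for know_good.txt. Direction labels "inbound" and "outbound" are my shorthand for the rules' $EXTERNAL_NET -> $HOME_NET/$DMZ and $HOME_NET -> $EXTERNAL_NET headers.

```python
import hashlib

# Magic-byte table standing in for libmagic (constructed subset, labels as libmagic prints them).
MAGIC = {
    b"%PDF-": "PDF document",
    b"\x89PNG\r\n\x1a\n": "PNG image data",
    b"MZ": "PE32 executable",
}

def file_magic(data):
    """Return the libmagic-style description of the first bytes, or 'data'."""
    for signature, label in MAGIC.items():
        if data.startswith(signature):
            return label
    return "data"

def matching_rules(name, data, direction, allow_md5):
    """Return the msg of each slide rule that would fire for one transferred file.
    direction: 'inbound' ($EXTERNAL_NET -> $HOME_NET/$DMZ) or 'outbound' ($HOME_NET -> $EXTERNAL_NET).
    allow_md5 plays the role of the filemd5 list (know_good.txt on slide 28)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = file_magic(data)
    md5 = hashlib.md5(data).hexdigest()
    fired = []
    if direction == "inbound":
        if ext == "pdf":                                   # fileext:"pdf"
            fired.append("PDF downloaded (fileext)")
        if magic.startswith("PDF document"):               # filemagic:"PDF document"
            fired.append("PDF downloaded (filemagic)")
        if ext == "png" and not magic.startswith("PNG"):   # fileext:"png"; filemagic:!"PNG"
            fired.append("possible webshell upload attempt")
    elif direction == "outbound":
        if ext == "exe" and md5 not in allow_md5:          # fileext:"exe"; filemd5:!know_good.txt
            fired.append("file upload")
    return fired

# Constructed sample transfers (not captured traffic).
PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
PHP_AS_PNG = b"<?php echo 'not an image'; ?>"              # script mislabelled as a picture
KNOWN_EXE = b"MZ\x90\x00" + b"\x00" * 60                    # binary already on the allow list
OTHER_EXE = b"MZ\x90\x00" + b"\x01" * 60                    # binary nobody has vetted yet
ALLOW = {hashlib.md5(KNOWN_EXE).hexdigest()}
SAMPLES = [("report.pdf", PDF, "inbound"), ("logo.png", PNG, "inbound"),
           ("avatar.png", PHP_AS_PNG, "inbound"), ("tool.exe", KNOWN_EXE, "outbound"),
           ("new.exe", OTHER_EXE, "outbound")]

if __name__ == "__main__":
    for name, data, direction in SAMPLES:
        print(name, direction, matching_rules(name, data, direction, ALLOW))
```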

  29. MONITORING | TOOLS
    How do I review the events?
    syslog: not that practical
    Graphical tools
    $COMMERCIAL_PRODUCT
    Snorby
    OSSIM
    Sguil
    ELK

  30. MONITORING | ELK
    ElasticSearch Logstash Kibana
    Not really in that order
    Logstash : reads logs and forwards and/or transforms them
    ElasticSearch : indexed storage
    Kibana : web interface to ES

  31. MONITORING | ELK
    Configuration in Suricata
    1. Enable EVE output
    2. Configure Logstash to read from the EVE file
    3. Profit
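
Step 2 works because EVE writes one JSON object per line, which is what Logstash's json codec consumes. The following added example (not part of the deck) does the same first pass in plain Python over constructed EVE lines shaped like eve.json output (alert, http and fileinfo events plus one malformed line): it groups alerts by signature_id, counts distinct sources, and lists files the file-store kept. All addresses, timestamps and the md5 value are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed EVE lines in the shape Suricata's eve.json uses (not real traffic).
EVE_LINES = """\
{"timestamp":"2015-01-28T10:00:01.000000+0100","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","proto":"TCP","alert":{"signature_id":1,"rev":1,"signature":"CyberEye RAT session","category":"","severity":3}}
{"timestamp":"2015-01-28T10:00:02.000000+0100","event_type":"http","src_ip":"10.0.0.6","dest_ip":"198.51.100.9","http":{"hostname":"example.net","url":"/","http_method":"GET"}}
{"timestamp":"2015-01-28T10:00:03.000000+0100","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"198.51.100.7","proto":"TCP","alert":{"signature_id":1,"rev":1,"signature":"CyberEye RAT session","category":"","severity":3}}
{"timestamp":"2015-01-28T10:00:04.000000+0100","event_type":"fileinfo","src_ip":"198.51.100.3","dest_ip":"10.0.0.6","fileinfo":{"filename":"/report.pdf","magic":"PDF document, version 1.4","md5":"d41d8cd98f00b204e9800998ecf8427e","stored":true}}
not json at all
"""

def summarize_eve(text):
    """Group alerts by signature_id with distinct sources; list files the file-store kept."""
    alerts = defaultdict(lambda: {"signature": "", "count": 0, "sources": set()})
    stored = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue  # a broken line must not stop the pass (Logstash would tag it instead)
        kind = event.get("event_type")
        if kind == "alert":
            alert = event["alert"]
            rec = alerts[alert["signature_id"]]
            rec["signature"] = alert["signature"]
            rec["count"] += 1
            rec["sources"].add(event["src_ip"])
        elif kind == "fileinfo" and event["fileinfo"].get("stored"):
            stored.append((event["fileinfo"]["filename"], event["fileinfo"]["md5"]))
    return dict(alerts), stored

if __name__ == "__main__":
    alerts, stored = summarize_eve(EVE_LINES)
    for sid, rec in alerts.items():
        print(sid, rec["signature"], rec["count"], sorted(rec["sources"]))
    print(stored)
```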

  32. MONITORING | DEMO
    SELKS
    Using Stamus Networks SELKS

  33. CONCLUSION | FINAL WORDS
    Things I did not discuss
    Sensor hardening
    LUA scripting engine
    Rule sets comparison

  34. CONCLUSION | FINAL WORDS
    Things to keep in mind
    There are alternatives to commercial tools
    Preconfigured distributions
    Incident response can benefit from custom rules
    ELK stack becoming more and more used in DFIR