Slide 1
SURICATA IDS. Julien Bachmann. ©2014 KUDELSKI GROUP / All rights reserved.
Slide 2
INTRODUCTION | IDS or IPS?
- Intrusion Detection System vs. Intrusion Prevention System
- Based on signatures
- Vulnerability centric
Slide 3
INTRODUCTION | Vulnerability centric
- Prevention and detection based
- Assumes you know all possible threats
- Signature based detection; some behavioural approaches exist but are not so common
- No feedback loop
- The opposite of the threat centric approach
Slide 4
INTRODUCTION | Threat centric
- Supposes prevention will fail…
- Based on attackers' TTPs (Tactics, Techniques and Procedures)
- Uses bad experiences (past incidents) as feedback to improve detection
Slide 5
INTRODUCTION | Suricata
- Open Source project
- Run by the Open Information Security Foundation (OISF)
- Initiative by DHS in 2008…
- … but now supported by a group of vendors
Slide 6
INTRODUCTION | Also an IPS
- NetFilter (NFQUEUE) on Linux
- ipfw on BSD
- Bridge mode
Slide 7
INTRODUCTION | Setup on Linux (inline IPS through NFQUEUE)
  # iptables -I FORWARD -j NFQUEUE
  # suricata -c … -q 0 …
  # iptables -F
- In the rules, use the drop keyword instead of alert for traffic the IPS should block
- The final iptables -F removes the NFQUEUE rule again; while the rule is in place and no process listens on the queue, queued packets are dropped rather than forwarded (xt_NFQUEUE's --queue-bypass option makes this fail open)
Slide 8
INTRODUCTION | Why not SNORT?
- Only solution for quite some time
- Which has an aging core (ok, v3 is out…)
- Suricata supports multi-threading
- Support for capture cards or PF_RING on commodity hardware: 10 Gb/s on a Xeon with 8 cores
- GPU acceleration for pattern matching! (who doesn't have a GPU in their IDS nowadays?)
Slide 9
INTRODUCTION | PF_RING (diagram only)
Slide 10
INTRODUCTION | Signatures
- Support for SNORT rules, except SO (shared object) rules
- EmergingThreats rule sets
- Custom rules, including Lua scripts for detection that needs some logic
Slide 11
INTRODUCTION | Deployment
- Packages or easily self-compiled
- Configuration: suricata.yaml
- Rule management: oinkmaster
Slide 12
INTRODUCTION | For testing purposes
- Security Onion
- Stamus Networks SELKS
Slide 13
INTRODUCTION | Why would I use this?
- Complementary to a commercial solution
- Write your own custom rules for: a newly published vulnerability, a malware infection, an ongoing incident response, capitalizing on previous attacks
- Threat centric approach
Slide 14
INTRODUCTION | Deployment strategies
- Important rule: know your network
- Ingress / egress points: Internet access, proxies, VPN, partners
- Copy traffic to the sensor using port mirroring
Slide 15
INTRODUCTION (diagram only)
Slide 16
RULES 101 | PROTOCOL DETECTION
Basic idea: look everywhere in the packet. Not very fine-grained.
  alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"looking everywhere for overflow"; flow:established; content:"|41 41 41 41|"; content:"|42 42|"; distance:0; classtype:shellcode-detect; sid:1; rev:1;)
Slide 17
RULES 101 | PROTOCOL DETECTION
Next idea: specify ports. But what if $ADMIN changed the default ports?
  alert tcp $EXTERNAL_NET any -> $HOME_NET [80,8080] (msg:"looking for web requests"; flow:established; content:"GET /"; nocase; classtype:not-suspicious; sid:1; rev:1;)
Slide 18
RULES 101 | PROTOCOL DETECTION
Better idea: specify the protocol and let the engine detect it for you, whatever the port.
  alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"looking for web requests"; flow:established; content:"GET"; http_method; nocase; classtype:not-suspicious; sid:1; rev:1;)
Slide 19
RULES 101 | PROTOCOL DETECTION
Better idea? What about the next one?
  alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"looking for web requests"; flow:established; content:"GET"; content:"POST"; http_method; nocase; classtype:not-suspicious; sid:1; rev:1;)
Answer: http_method and nocase only apply to the content keyword immediately before them, so "POST" is matched in the HTTP method buffer while "GET" is matched anywhere in the raw payload, and since every content in a rule must match, this rule does not mean "GET or POST". Use one rule per method (or a PCRE) instead.
Slide 20
RULES 101 | DEMO
Analyze malware communications: Malware.pcap
Slide 21
RULES 101 | DEMO
Analyze malware communications. The rule on the slide was missing the ';' after the content and used a bare '|' (which starts a hex block); the literal pipe the RAT uses as a field separator is written |7C|:
  alert tcp any any -> $HOME_NET any (msg:"CyberEye RAT session"; content:"ANABILGI|7C|"; sid:1; rev:1;)
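As an added example (not from the slides and not Suricata's own parser), here is a small Python linter over rule text that catches the two mistakes shown on slides 19 and 21: a content whose ';' is missing or whose '|' is unbalanced, and a buffer modifier such as http_method that binds only to the content written directly before it. The option splitting and the list of modifiers are this example's own assumptions, so treat it as a pre-check before suricata -T, not a replacement for it.

```python
"""Rough linter for Snort/Suricata rule options (added example, not Suricata's own parser)."""
import re

# Modifiers that redirect the preceding content into a protocol buffer
# (assumed list; Suricata's real set is larger).
BUFFER_MODIFIERS = {
    "http_method", "http_uri", "http_raw_uri", "http_header", "http_raw_header",
    "http_cookie", "http_client_body", "http_host", "http_raw_host",
    "http_user_agent", "http_stat_code", "http_stat_msg",
}
# All keywords that bind to the content keyword immediately before them.
CONTENT_MODIFIERS = BUFFER_MODIFIERS | {
    "nocase", "depth", "offset", "distance", "within", "fast_pattern",
}
QUOTED = re.compile(r'^"((?:[^"\\]|\\.)*)"(.*)$', re.S)
HEX_RUN = re.compile(r"\s*(?:[0-9A-Fa-f]{2}\s*)+")


def split_options(rule):
    """Split the '( ... )' part of a rule on ';' outside double quotes.

    A backslash escapes the next character inside quotes.  Returns
    (options, terminated); terminated is False when the last option has
    no closing ';'.
    """
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option block")
    body = rule[start + 1:end]
    options, current, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quotes and ch == "\\" and i + 1 < len(body):
            current.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            piece = "".join(current).strip()
            if piece:
                options.append(piece)
            current = []
        else:
            current.append(ch)
        i += 1
    tail = "".join(current).strip()
    if tail:
        options.append(tail)
    return options, not tail


def lint_rule(rule):
    """Return a list of findings (strings) for one rule; empty means nothing noticed."""
    findings = []
    options, terminated = split_options(rule)
    if not terminated:
        findings.append("last option is not terminated with ';'")

    contents = []  # [text, {modifiers bound to it}] in rule order
    keywords = set()
    for opt in options:
        keyword, _, value = opt.partition(":")
        keyword, value = keyword.strip(), value.strip()
        keywords.add(keyword)
        if keyword == "content":
            match = QUOTED.match(value)
            if not match:
                findings.append(f"content value is not a quoted string: {value!r}")
                continue
            text, trailing = match.group(1), match.group(2).strip()
            if trailing:
                findings.append(f"text after the closing quote of content {text!r}: "
                                f"{trailing!r} (missing ';'?)")
            if text.count("|") % 2:
                findings.append(f"unbalanced '|' in content {text!r}: "
                                "a literal pipe must be written |7C|")
            else:
                for run in text.split("|")[1::2]:
                    if not HEX_RUN.fullmatch(run):
                        findings.append(f"bad hex block |{run}| in content {text!r}")
            contents.append([text, set()])
        elif keyword in CONTENT_MODIFIERS:
            if contents:
                contents[-1][1].add(keyword)
            else:
                findings.append(f"{keyword} appears before any content keyword")

    if "sid" not in keywords:
        findings.append("rule has no sid")

    # Contents are ANDed, and a buffer modifier binds only to the content
    # directly before it: mixing buffered and raw contents is rarely intended.
    buffered = [c for c in contents if c[1] & BUFFER_MODIFIERS]
    if buffered and len(buffered) < len(contents):
        for text, mods in contents:
            if not mods & BUFFER_MODIFIERS:
                findings.append(f"content {text!r} has no buffer modifier, so it is matched "
                                "against the raw payload; every content must match, this is not an OR")
    return findings


# The rules from slides 19 and 21 as written, plus a corrected version of the latter.
SLIDE19_RULE = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"looking for web requests"; '
                'flow:established; content:"GET"; content:"POST"; http_method; nocase; '
                'classtype:not-suspicious; sid:1; rev:1;)')
SLIDE21_RULE = ('alert tcp any any -> $HOME_NET any (msg:"CyberEye RAT session"; '
                'content:"ANABILGI|" sid:1; rev:1;)')
FIXED_RULE = ('alert tcp any any -> $HOME_NET any (msg:"CyberEye RAT session"; '
              'flow:established; content:"ANABILGI|7C|"; sid:1; rev:1;)')

if __name__ == "__main__":
    for name, rule in [("slide 19", SLIDE19_RULE), ("slide 21", SLIDE21_RULE), ("fixed", FIXED_RULE)]:
        print(name, lint_rule(rule) or ["ok"])
```

Running it reports the slide 19 rule's "GET" as a raw-payload match, three problems for the slide 21 rule as written (text after the closing quote, unbalanced pipe, no sid) and nothing for the corrected rule.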
Slide 22
RULES 101 | PROTOCOL DETECTION
Several application-layer parsers are implemented: HTTP, DNS, SMB, SSH, FTP, TLS, Jabber, … They let rules match specific protocol fields instead of raw payload.
Slide 23
RULES 101 | PROTOCOL DETECTION
Wait, TLS and SSH? Isn't that encrypted? Not so fast: there is no TLS decryption on the fly. The parsers mainly extract information from the unencrypted handshake: certificate fingerprint, issuer DN, …
Slide 24
RULES 101 | PROTOCOL DETECTION
Use case: remember the Comodo story? Log TLS certificate metadata proactively, so that when a CA is reported compromised you can search what your hosts accepted from it.
Slide 25
RULES ADVANCED | FILES
No need to dig through the PCAPs manually: files matching a rule can be extracted to disk. Enable file-store in suricata.yaml.
Slide 26
RULES ADVANCED | FILES
Store all PDF files, either by extension or by file magic (in a real rule set, give each rule its own sid):
  alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PDF downloaded"; fileext:"pdf"; filestore; sid:1; rev:1;)
  alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PDF downloaded"; filemagic:"PDF document"; filestore; sid:1; rev:1;)
Slide 27
RULES ADVANCED | FILES
Detect suspicious file uploads: a file claiming the .png extension whose content is not a PNG.
  alert http $EXTERNAL_NET any -> $DMZ any (msg:"possible webshell upload attempt"; fileext:"png"; filemagic:!"PNG"; filestore; sid:1; rev:1;)
Slide 28
RULES ADVANCED | FILES
Whitelisting uploaded files: alert on (and store) any .exe leaving the network whose MD5 is not in know_good.txt, a list with one MD5 per line.
  alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"file upload"; fileext:"exe"; filemd5:!know_good.txt; filestore; sid:1; rev:1;)
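The rule above needs a hash list to exist before Suricata loads it. As an added example (not from the slides), the Python below builds that list from a directory of known-good binaries and mirrors the negated filemd5 match, flagging a hash that is absent from the list. The list name know_good.txt follows the slide; the directory layout, the suffix filter and the comment handling in the loader are assumptions of this example, and the "binaries" in the demo are constructed stand-ins.

```python
"""Build and check a filemd5 whitelist (added example, not part of Suricata)."""
import hashlib
import tempfile
from pathlib import Path


def md5_of_file(path, chunk=1 << 20):
    """MD5 of one file, read in chunks so large binaries are not loaded into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_filemd5_list(root, out_path, suffixes=(".exe", ".dll")):
    """Hash every file under root with one of the suffixes and write one lowercase
    MD5 per line, the format the filemd5 keyword loads.  Returns the sorted hashes."""
    hashes = sorted({
        md5_of_file(p) for p in Path(root).rglob("*")
        if p.is_file() and p.suffix.lower() in suffixes
    })
    Path(out_path).write_text("".join(h + "\n" for h in hashes))
    return hashes


def load_filemd5_list(path):
    """Read the list back; blank lines and '#' comments are skipped (this loader's
    own convention; the generated list never contains them)."""
    known = set()
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            known.add(line.lower())
    return known


def is_flagged(md5_hex, known_good):
    """Same logic as filemd5:!know_good.txt: the file matches when its hash is NOT listed."""
    return md5_hex.lower() not in known_good


def demo():
    """Constructed golden directory: one 'binary' we trust and one file the filter ignores."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        golden.mkdir()
        (golden / "tool.exe").write_bytes(b"abc")          # stand-in for a known-good .exe
        (golden / "readme.txt").write_bytes(b"not hashed")  # wrong suffix, must be skipped
        listing = Path(tmp) / "know_good.txt"
        hashes = build_filemd5_list(golden, listing)
        known = load_filemd5_list(listing)
        trusted = is_flagged(md5_of_file(golden / "tool.exe"), known)
        unknown = is_flagged(hashlib.md5(b"something else").hexdigest(), known)
        return hashes, trusted, unknown


if __name__ == "__main__":
    hashes, trusted, unknown = demo()
    print("whitelist:", hashes)
    print("known-good binary flagged?", trusted)   # False
    print("unknown binary flagged?", unknown)      # True
```

Regenerate the list whenever the golden set changes and restart (or reload the rules of) the sensor afterwards, since the hash file is read when the rule set is loaded.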
Slide 29
MONITORING | TOOLS
How do I review the events? Syslog is not that practical. Graphical tools: $COMMERCIAL_PRODUCT, Snorby, OSSIM, Sguil, ELK.
Slide 30
MONITORING | ELK
ElasticSearch, Logstash, Kibana (not really in that order):
- Logstash: reads logs, then forwards and/or transforms them
- ElasticSearch: indexed storage
- Kibana: web interface to ElasticSearch
Slide 31
MONITORING | ELK
Configuration on the Suricata side:
1. Enable the EVE JSON output (eve-log) in suricata.yaml
2. Configure Logstash to read the EVE file (one JSON object per line) and ship it to ElasticSearch
3. Profit: search and graph the events in Kibana
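Before the ELK pipeline exists (or when Logstash is down during an incident), the EVE file is still just JSON lines. As an added example, not from the slides or from Suricata, the Python below does the first triage Kibana would otherwise give you: alert counts per signature and per source, the files the filestore rules actually wrote to disk, and the TLS issuers seen, which is the "log proactively" payoff of slide 24 when a CA is later reported compromised. The sample lines are constructed to mirror Suricata's EVE field names for alert, fileinfo and tls events; the addresses, signatures and hashes in them are made up, and one line is deliberately truncated to show that a partially written file does not abort the run.

```python
"""Triage of Suricata EVE JSON output (added example; the sample lines are constructed)."""
import json
from collections import Counter

# Constructed eve.json excerpt: one JSON object per line, field names as Suricata
# writes them.  Addresses are documentation ranges; the last line is cut short on purpose.
SAMPLE_EVE = """
{"timestamp":"2014-06-01T10:00:00.000000+0200","event_type":"alert","src_ip":"10.0.0.5","src_port":49152,"dest_ip":"203.0.113.7","dest_port":8080,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"CyberEye RAT session","category":"","severity":3}}
{"timestamp":"2014-06-01T10:00:05.000000+0200","event_type":"alert","src_ip":"10.0.0.5","src_port":49153,"dest_ip":"203.0.113.7","dest_port":8080,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"CyberEye RAT session","category":"","severity":3}}
{"timestamp":"2014-06-01T10:01:00.000000+0200","event_type":"alert","src_ip":"198.51.100.4","src_port":51000,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2,"rev":1,"signature":"possible webshell upload attempt","category":"","severity":3}}
{"timestamp":"2014-06-01T10:01:00.000000+0200","event_type":"fileinfo","src_ip":"198.51.100.4","dest_ip":"192.0.2.10","http":{"hostname":"www.example.com","url":"/upload.php"},"fileinfo":{"filename":"shell.png","magic":"PHP script, ASCII text","state":"CLOSED","md5":"0123456789abcdef0123456789abcdef","stored":true,"size":1879}}
{"timestamp":"2014-06-01T10:02:00.000000+0200","event_type":"tls","src_ip":"10.0.0.5","src_port":49200,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","tls":{"subject":"CN=update.example.net","issuerdn":"C=XX, O=Example Root CA","fingerprint":"de:ad:be:ef:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"}}
{"timestamp":"2014-06-01T10:02:01.000000+0200","event_type":"alert","src_ip":"10.0.0.5","src_port":4
"""


def load_eve(text):
    """Parse EVE lines into dicts; returns (records, malformed_count).  Blank lines are ignored."""
    records, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:          # truncated or corrupt line: count it, keep going
            malformed += 1
    return records, malformed


def summarize_eve(text):
    """Aggregate what a Kibana dashboard would show: alerts, talkers, stored files, TLS issuers."""
    records, malformed = load_eve(text)
    summary = {
        "alerts_by_signature": Counter(),  # (sid, msg) -> count
        "alerts_by_src": Counter(),        # src_ip -> count
        "stored_files": [],                # (src_ip, filename, magic, md5)
        "tls_issuers": Counter(),          # issuerdn -> count
        "malformed_lines": malformed,
    }
    for ev in records:
        kind = ev.get("event_type")
        if kind == "alert":
            alert = ev["alert"]
            summary["alerts_by_signature"][(alert["signature_id"], alert["signature"])] += 1
            summary["alerts_by_src"][ev["src_ip"]] += 1
        elif kind == "fileinfo":
            info = ev["fileinfo"]
            if info.get("stored"):     # only files a filestore rule actually wrote to disk
                summary["stored_files"].append(
                    (ev["src_ip"], info["filename"], info.get("magic", ""), info.get("md5")))
        elif kind == "tls":
            summary["tls_issuers"][ev["tls"].get("issuerdn", "<none>")] += 1
    return summary


def tls_events_by_issuer(text, needle):
    """Search logged TLS metadata for certificates whose issuer DN contains needle (case-insensitive)."""
    records, _ = load_eve(text)
    hits = []
    for ev in records:
        if ev.get("event_type") != "tls":
            continue
        tls = ev["tls"]
        if needle.lower() in tls.get("issuerdn", "").lower():
            hits.append((ev["src_ip"], ev["dest_ip"], tls.get("subject"), tls.get("fingerprint")))
    return hits


if __name__ == "__main__":
    s = summarize_eve(SAMPLE_EVE)
    for (sid, msg), n in s["alerts_by_signature"].most_common():
        print(f"{n:4d}  sid:{sid}  {msg}")
    print("top sources:", s["alerts_by_src"].most_common(3))
    print("stored files:", s["stored_files"])
    print("TLS issuers:", dict(s["tls_issuers"]))
    print("issued by Example Root CA:", tls_events_by_issuer(SAMPLE_EVE, "Example Root CA"))
    print("malformed lines skipped:", s["malformed_lines"])
```

For a real eve.json, replace SAMPLE_EVE with the file's contents (or feed it line by line to load_eve); the per-line parsing is what lets the same code run over a file Suricata is still appending to.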
Slide 32
MONITORING | DEMO SELKS
Using Stamus Networks SELKS (Suricata, ElasticSearch, Logstash, Kibana, Scirius).
Slide 33
CONCLUSION | FINAL WORDS
Things I did not discuss:
- Sensor hardening
- Lua scripting engine
- Rule set comparison
Slide 34
CONCLUSION | FINAL WORDS
Things to keep in mind:
- There are alternatives to commercial tools
- Preconfigured distributions make it easy to start
- Incident response can benefit from custom rules
- The ELK stack is becoming more and more used in DFIR