Latest advance in Suricata I D P S



Similar documents
Suricata 2.0, Netfilter and the PRC

D&D of malware with exotic C&C

Network Security Monitoring

COUNTERSNIPE

Intrusion Detection Architecture Utilizing Graphics Processors

EZ Snort Rules Find the Truffles, Leave the Dirt. David J. Bianco Vorant Network Security, Inc. 2006, Vorant Network Security, Inc.

The Power of SNORT SNORT Update

Analysis of Network Packets. C DAC Bangalore Electronics City

Vuurmuur - iptables manager

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Snort Installation - Ubuntu FEUP. SSI - ProDEI Paulo Neto and Rui Chilro. December 7, 2010

Configuring Snort as a Firewall on Windows 7 Environment

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Suricata IDS. What is it and how to enable it

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Configuring Snort as a Firewall on Windows 7 Environment

Chapter 17. Transport-Level Security

Network Security Management

Network Traffic Analysis

From Network Security To Content Filtering

W3Perl A free logfile analyzer

BEGINNER S GUIDE to. Open Source Intrusion Detection Tools.

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Dynamic Rule Based Traffic Analysis in NIDS

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Network Payload Analysis for Advanced Persistent Threats Charles Smutz, Lockheed Martin CIRT

Open Source in Government: Delivering Network Security, Flexibility and Interoperability

A COMPARATIVE ANALYSIS OF OPEN- SOURCE INTRUSION DETECTION SYSTEMS

Network Security, ISA 656, Angelos Stavrou. Snort Lab

Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS

From traditional to alternative approach to storage and analysis of flow data. Petr Velan, Martin Zadnik

TLS and SRTP for Skype Connect. Technical Datasheet

CTS2134 Introduction to Networking. Module Network Security

Lab exercise: Working with Wireshark and Snort for Intrusion Detection

Penetration Testing with Kali Linux

Network Defense Tools

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

Online Network Intrusion Detection System Using Temporal Logic and Stream Data Processing

Network Security Monitoring

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Traffic Analyzer Based on Data Flow Patterns

Intrusion Detection Systems (IDS)

IDS and Penetration Testing Lab III Snort Lab

Web Application Firewall

The Bro Network Intrusion Detection System

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

How To Protect Your Network From Attack From Outside From Inside And Outside

USE HONEYPOTS TO KNOW YOUR ENEMIES

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Network Security. Lecture 3

Fighting Advanced Persistent Threats (APT) with Open Source Tools

Web Security Considerations

Repsheet. A Behavior Based Approach to Web Application Security. Aaron Bedra Application Security Lead Braintree Payments. tirsdag den 1.

SSL/TLS. What Layer? History. SSL vs. IPsec. SSL Architecture. SSL Architecture. IT443 Network Security Administration Instructor: Bo Sheng

Infrastructure for active and passive measurements at 10Gbps and beyond

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

SSL BEST PRACTICES OVERVIEW

provides several new features and enhancements, and resolves several issues reported by WatchGuard customers.

Quantitative Analysis of Intrusion Detection Systems: Snort and Suricata

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

JOOMLA REFLECTION DDOS-FOR-HIRE

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Fighting Advanced Persistent Threats (APT) with Open Source Tools

Configuring SSL Termination

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Snapt Balancer Manual

Network Security Monitoring

Acano solution. Security Considerations. August E

Cleaning Encrypted Traffic

Kaseya Server Instal ation User Guide June 6, 2008

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

HAProxy 1.5 and beyond

IDS / IPS. James E. Thiel S.W.A.T.

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

A Study of What Really Breaks SSL HITB Amsterdam 2011

Transport Level Security

nmap, nessus, and snort Vulnerability Analysis & Intrusion Detection

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

Bro at 10 Gps: Current Testing and Plans

42goISP Documentation

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

ERserver. iseries. Secure Sockets Layer (SSL)

Implementing Cisco IOS Network Security

Network Based Intrusion Detection Using Honey pot Deception

Connecting with Computer Science, 2e. Chapter 5 The Internet

ModSecurity The Open Source Web Application Firewall

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Network Security Essentials Chapter 5

IONA Security Platform

FIREWALL AND NAT Lecture 7a

Transcription:

Latest advance in Suricata I D P S Éric Leblond OISF July 9th 2012 Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 1 / 44

1 Introduction Introduction Goals of the project Ecosystem 2 Functionnalities List of functionnalities Signatures 3 Advanced functionalities of Suricata libhtp Flow variables 4 Suricata 1.3 Extraction et inspection of files TLS Handshake parser 5 The future The roadmap More information Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 2 / 44

Suricata? (C) Jean-Marie Hullot, CC BY 3.0 Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 3 / 44

Suricata? (C) Jean-Marie Hullot, CC BY 3.0 Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 3 / 44

Introduction Éric Leblond Initial and lead developer of NuFW Netfilter Contributor (mainly ulogd2 and userpace interaction) Suricata core developer (IPS, multicore optimisation,... ) Independant Open Source et security consultant... Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 4 / 44

About OISF Open Information Security Foundation http://www.openinfosecfoundation.org Non-profit foundation organized to build a next generation IDS/IPS engine Funded by US Governement (DHS, Navy) Development of an Open Source IDS/IPS: Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 5 / 44

About OISF Open Information Security Foundation http://www.openinfosecfoundation.org Non-profit foundation organized to build a next generation IDS/IPS engine Funded by US Governement (DHS, Navy) Development of an Open Source IDS/IPS: Developers financement Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 5 / 44

About OISF Open Information Security Foundation http://www.openinfosecfoundation.org Non-profit foundation organized to build a next generation IDS/IPS engine Funded by US Governement (DHS, Navy) Development of an Open Source IDS/IPS: Developers financement Financial support of related projects (barnyard2) Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 5 / 44

About OISF Open Information Security Foundation http://www.openinfosecfoundation.org Non-profit foundation organized to build a next generation IDS/IPS engine Funded by US Governement (DHS, Navy) Development of an Open Source IDS/IPS: Developers financement Financial support of related projects (barnyard2) Board who defines big orientation Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 5 / 44

About OISF Open Information Security Foundation http://www.openinfosecfoundation.org Non-profit foundation organized to build a next generation IDS/IPS engine Funded by US Governement (DHS, Navy) Development of an Open Source IDS/IPS: Developers financement Financial support of related projects (barnyard2) Board who defines big orientation Roadmap is defined in public reunion Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 5 / 44

About OISF Consortium members HOST program: Homeland Open Security Technology Platinium level: BAE systems Gold level: Npulse, Endace, Emerging Threats Bronze level: SRC, Everis, Bivio networks, Nitro Security, Mara systems,... Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 6 / 44

About OISF Consortium members HOST program: Homeland Open Security Technology Platinium level: BAE systems Gold level: Npulse, Endace, Emerging Threats Bronze level: SRC, Everis, Bivio networks, Nitro Security, Mara systems,... Technology partner: Napatech, Nvidia Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 6 / 44

About OISF Consortium members HOST program: Homeland Open Security Technology Platinium level: BAE systems Gold level: Npulse, Endace, Emerging Threats Bronze level: SRC, Everis, Bivio networks, Nitro Security, Mara systems,... Technology partner: Napatech, Nvidia Developers Leader : Victor Julien Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 6 / 44

About OISF Consortium members HOST program: Homeland Open Security Technology Platinium level: BAE systems Gold level: Npulse, Endace, Emerging Threats Bronze level: SRC, Everis, Bivio networks, Nitro Security, Mara systems,... Technology partner: Napatech, Nvidia Developers Leader : Victor Julien Developers: Anoop Saldanha, Gurvinder Singh, Pablo Rincon, William Metcalf, Eric Leblond,... Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 6 / 44

About OISF Consortium members HOST program: Homeland Open Security Technology Platinium level: BAE systems Gold level: Npulse, Endace, Emerging Threats Bronze level: SRC, Everis, Bivio networks, Nitro Security, Mara systems,... Technology partner: Napatech, Nvidia Developers Leader : Victor Julien Developers: Anoop Saldanha, Gurvinder Singh, Pablo Rincon, William Metcalf, Eric Leblond,... Board Matt Jonkmann Richard Bejtlich, Dr. Jose Nazario, Joel Ebrahimi, Marc Norton, Stuart Wilson... Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 6 / 44

Goals Bring new technologies to IDS Performance Multi-threads Hardware acceleration http://packetchaser.org/index.php/opensource/ suricata-10gbps Open source Support of Linux / *BSD / Mac OSX / Windows Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 7 / 44

Similar projects Bro Different technology (capture oriented) Statistical study Snort Equivalent Compatible Frontal concurrence Sourcefire has felt endangered and has been aggressive http://www.informationweek.com/news/software/ enterprise_apps/226400079 Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 8 / 44

Suricata vs Snort Suricata Drived by a foundation Multi-threaded Native IPS Advanced functions (flowint, libhtp) PF_RING support, CUDA support Modern and modular code Young but dynamic Snort Developed by Sourcefire Multi-process IPS support SO ruleset (advanced logic + perf but closed) No hardware acceleration Old code 10 years of experience Independant study: http://www.aldeid.com/index.php/suricata-vs-snort Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 9 / 44

Suricata with snort ruleset Not optimised Don t use any advanced feature Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 10 / 44

Suricata with dedicated ruleset Use Suricata optimised matchs Use Suricata advanced keywords Can get one from http://www.emergingthreats.net/ Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 11 / 44

1 Introduction Introduction Goals of the project Ecosystem 2 Functionnalities List of functionnalities Signatures 3 Advanced functionalities of Suricata libhtp Flow variables 4 Suricata 1.3 Extraction et inspection of files TLS Handshake parser 5 The future The roadmap More information Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 12 / 44

Fonctionnalities Ipv6 native support Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 13 / 44

Fonctionnalities Ipv6 native support Multi-threaded Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 13 / 44

Fonctionnalities Ipv6 native support Multi-threaded Native hardware acceleration (PF_RING, Napatech, Endace, Myricom) Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 13 / 44

Fonctionnalities Ipv6 native support Multi-threaded Native hardware acceleration (PF_RING, Napatech, Endace, Myricom) Numerous options for performance optimisation Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 13 / 44

Fonctionnalities Ipv6 native support Multi-threaded Native hardware acceleration (PF_RING, Napatech, Endace, Myricom) Numerous options for performance optimisation Optimized support of IP only tests Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 13 / 44

Fonctionnalities Ipv6 native support Multi-threaded Native hardware acceleration (PF_RING, Napatech, Endace, Myricom) Numerous options for performance optimisation Optimized support of IP only tests IPS is native (inline mode) Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 13 / 44

Fonctionnalities Ipv6 native support Multi-threaded Native hardware acceleration (PF_RING, Napatech, Endace, Myricom) Numerous options for performance optimisation Optimized support of IP only tests IPS is native (inline mode) Protocol detection Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 13 / 44

Global architecture Chained treatment modules Each running mode can have its own architecture Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 14 / 44

Global architecture Chained treatment modules Each running mode can have its own architecture Architecture of mode "pcap auto v1": Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 14 / 44

Global architecture Chained treatment modules Each running mode can have its own architecture Architecture of mode "pcap auto v1": Fine setting of CPU preferences Attach a thread to a CPU Attach a threads family to a CPU set Allow IRQs based optimisation Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 14 / 44

Entry modules IDS PCAP live, multi interface offline support AF_PACKET PF_RING: mutltithread http://www.ntop.org/pf_ring.html Capture card support: Napatech, Myricom, Endace Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 15 / 44

Entry modules IDS IPS PCAP live, multi interface offline support AF_PACKET PF_RING: mutltithread http://www.ntop.org/pf_ring.html Capture card support: Napatech, Myricom, Endace NFQueue: Linux: multi-queue, advanced support Windows ipfw : FreeBSD NetBSD Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 15 / 44

Output modules Fastlog Unified log (Barnyard 1 & 2) HTTP log (log in apache-style format) Prelude (IDMEF) Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 16 / 44

Suricata Ecosystem Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 17 / 44

Signatures Support almost all snort ruleset features Exclusive features used by VRT ou Emerging Threats rulesets alert tcp any any -> 192.168.1.0/24 21 (content: "USER root"; msg: "FTP root login";) Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 18 / 44

Signatures Support almost all snort ruleset features Exclusive features used by VRT ou Emerging Threats rulesets alert tcp any any -> 192.168.1.0/24 21 (content: "USER root"; msg: "FTP root login";) Action: alert / drop / pass Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 18 / 44

Signatures Support almost all snort ruleset features Exclusive features used by VRT ou Emerging Threats rulesets alert tcp any any -> 192.168.1.0/24 21 (content: "USER root"; msg: "FTP root login";) IP parameters Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 18 / 44

Signatures Support almost all snort ruleset features Exclusive features used by VRT ou Emerging Threats rulesets alert tcp any any -> 192.168.1.0/24 21 (content: "USER root"; msg: "FTP root login";) Motif Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 18 / 44

Signatures Support almost all snort ruleset features Exclusive features used by VRT ou Emerging Threats rulesets alert tcp any any -> 192.168.1.0/24 21 (content: "USER root"; msg: "FTP root login";) Other parameters Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 18 / 44

1 Introduction Introduction Goals of the project Ecosystem 2 Functionnalities List of functionnalities Signatures 3 Advanced functionalities of Suricata libhtp Flow variables 4 Suricata 1.3 Extraction et inspection of files TLS Handshake parser 5 The future The roadmap More information Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 19 / 44

libhtp Security oriented HTTP parser Written by Ivan Ristić (ModSecurity, IronBee) Flow tracking Support of keywords http_body http_raw_uri http_header http_cookie... Able to decode gzip compressed flows Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 20 / 44

Using HTTP features in signature Signature example: Chat facebook alert http $HOME_NET any > $EXTERNAL_NET $HTTP_PORTS \ ( msg: "ET CHAT Facebook Chat ( send message ) " ; \ flow : established, to_server ; content : "POST" ; http_method ; \ content : " / ajax / chat / send. php " ; h t t p _ u r i ; content : " facebook. com" ; http_header ; \ classtype : p o l i c y v i o l a t i o n ; reference : u r l, doc. emergingthreats. net /2010784; \ reference : url,www. emergingthreats. net / cgi bin / cvsweb. cgi / sigs / POLICY / POLICY_Facebook_Chat ; \ sid :2010784; rev : 4 ; \ ) This signature tests: The HTTP method: POST The page: /ajax/chat/send.php The domain: facebook.com Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 21 / 44

Flow variables Objectives Detection of in-multiple-step attack Verify condition on a flow Modify alert treatment State machine inside each flow Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 22 / 44

Flow variables Objectives Detection of in-multiple-step attack Verify condition on a flow Modify alert treatment State machine inside each flow Flowbits boolean condition Set a flag Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 22 / 44

Flow variables Objectives Detection of in-multiple-step attack Verify condition on a flow Modify alert treatment State machine inside each flow Flowbits boolean condition Set a flag Flowint Define counter Arithmetic operation Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 22 / 44

1 Introduction Introduction Goals of the project Ecosystem 2 Functionnalities List of functionnalities Signatures 3 Advanced functionalities of Suricata libhtp Flow variables 4 Suricata 1.3 Extraction et inspection of files TLS Handshake parser 5 The future The roadmap More information Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 23 / 44

Suricata 1.3 New hardware support: Myricom, Endace, Napatech TLS/SSL handshake parser Better performances On the fly MD5 calculation and matching for files in HTTP streams Scripts for looking up files/file md5s at Virus Total and others (contributed by Martin Holste) http_user_agent keyword for matching on the HTTP User-Agent header Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 24 / 44

More scability Flow engine: removal of a contention point and better hash function. Thresholding and Tag engines: fine locking instead of global one. Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 25 / 44

In the engine Less memory New ac-bs algorithm From 35G with ac-full to less than 4G for ac-bs Handling 1Gb/s with 7000 rules Rule engine improvement Reload ruleset without breaking the flow analysis Rule analyser Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 26 / 44

Extraction et inspection of files Get files from HTTP downloads and uploads Detect information about the file using libmagic Type of file Other details... A dedicated extension of signature language Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 27 / 44

Dedicated keywords filemagic : description of content alert http any any > any any (msg: " windows exec " ; \ f i l e m a g i c : " executable f o r MS Windows " ; sid : 1 ; rev : 1 ; ) filestore : store file for inspection alert http any any > any any (msg: " windows exec " ; filemagic : " executable f o r MS Windows " ; \ f i l e s t o r e ; sid : 1 ; rev : 1 ; ) fileext : file extension alert http any any > any any (msg: " jpg claimed, but not jpg f i l e " ; \ f i l e e x t : " jpg " ; \ f i l e m a g i c :! "JPEG image data " ; sid : 1 ; rev : 1 ; ) filename : file name alert http any any > any any (msg: " sensitive f i l e leak " ; filename : " secret " ; sid : 1 ; rev : 1 ; ) Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 28 / 44

Examples Files sending on a server only accepting PDF a l e r t http $EXTERNAL_NET > $WEBSERVER any (msg: " suspicious upload " ; \ flow : established, to_server ; content : "POST" http_method ; \ content : " / upload. php " ; h t t p _ u r i ; \ filemagic :! "PDF document " ; \ f i l e s t o r e ; sid : 1 ; rev : 1 ; ) Private keys in the wild alert http $HOME_NET any > $EXTERNAL_NET any (msg: " outgoing private key " ; \ f i l e m a g i c : "RSA p r i v a t e key " ; sid : 1 ; rev : 1 ; ) Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 29 / 44

Disk storage Every file is stored on disk with a metadata file Disk usage limit can be set Scripts for looking up files / file md5 s at Virus Total and others Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 30 / 44

Actual limit of files extraction Limited to the HTTP protocol Storage limit are suboptimal MS Office files are not decoded Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 31 / 44

TLS Handshake parser TLS is an application in Suricata way Automatic detection of protocol Independent of port Made by pattern matching Dedicated keywords Usable in the signatures Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 32 / 44

Other supported applications HTTP : keywords: http_uri, http_body, http_user_agent,... SMTP FTP keyword: ftpbounce SSH keywords: ssh.softwareversion, ssh.protoversion DCERPC SMB Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 33 / 44

A TLS handshake parser No traffic decryption Method Analyse of TLS handshake Parsing of TLS messages A security-oriented parser Coded from scratch Provide a hackable code-base for the feature No external dependency Contributed by Pierre Chifflier (ANSSI) With security in mind: Resistance to attacks (audit, fuzzing) Anomaly detection Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 34 / 44

A handshake parser The syntax alert tcp $HOME_NET any > $EXTERNAL_NET 443 becomes alert t l s $HOME_NET any > $EXTERNAL_NET any Interest: No dependency to IP params Pattern matching is limited to identified protocol Less false positive More performance Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 35 / 44

TLS keywords TLS.version: Match protocol version number TLS.subject: Match certificate subject TLS.issuerdn: Match the name of the CA which has signed the key More to come Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 36 / 44

TLS keywords TLS.version: Match protocol version number TLS.subject: Match certificate subject TLS.issuerdn: Match the name of the CA which has signed the key More to come TLS.fingerprint: Match the fingerprint of the certificate Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 36 / 44

Example: verify security policy (1/2) Environnement: A company with servers With an official PKI Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 37 / 44

Example: verify security policy (1/2) Environnement: A company with servers With an official PKI The goal: Verify that the PKI is used Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 37 / 44

Example: verify security policy (1/2) Environnement: A company with servers With an official PKI The goal: Verify that the PKI is used Without working too much Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 37 / 44

Example: verify security policy (2/2) Let s check that the certificates used when a client negotiate a connection to one of our servers are the good one Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 38 / 44

Example: verify security policy (2/2) Let s check that the certificates used when a client negotiate a connection to one of our servers are the good one The signature: alert t l s any any > $SERVERS any ( t l s. issuerdn :! "C=NL, O=Staat der Nederlanden, \ CN=Staat der Nederlanden Root CA" ; ) Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 38 / 44

Example: detect certificate anomaly Google.com is signed by Google Internet Authority Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 39 / 44

Example: detect certificate anomaly Google.com is signed by Google Internet Authority Not by an other CA Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 39 / 44

Example: detect certificate anomaly Google.com is signed by Google Internet Authority Not by an other CA (Diginotar by example) Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 39 / 44

Example: detect certificate anomaly Google.com is signed by Google Internet Authority Not by an other CA (Diginotar by example) If it is the case, this is bad! Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 39 / 44

Example: detect certificate anomaly Google.com is signed by Google Internet Authority Not by an other CA (Diginotar by example) If it is the case, this is bad! Let s block that! Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 39 / 44

Example: detect certificate anomaly Google.com is signed by Google Internet Authority Not by an other CA (Diginotar by example) If it is the case, this is bad! Let s block that! Signature: drop t l s $CLIENT any > any any ( \ t l s. subject="c=us, ST=California, L=Mountain View, O=Google Inc, CN=. google.com" ; \ t l s. issuerdn =! "C=US, O=Google Inc, CN=Google Internet Authority " ; ) Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 39 / 44

Example: detect certificate anomaly Google.com is signed by Google Internet Authority Not by an other CA (Diginotar by example) If it is the case, this is bad! Let s block that! Signature: drop t l s $CLIENT any > any any ( \ t l s. subject="c=us, ST=California, L=Mountain View, O=Google Inc, CN=. google.com" ; \ t l s. issuerdn =! "C=US, O=Google Inc, CN=Google Internet Authority " ; ) What! KPN has been hacked too! Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 39 / 44

Example: detect certificate anomaly Google.com is signed by Google Internet Authority Not by an other CA (Diginotar by example) If it is the case, this is bad! Let s block that! Signature: drop t l s $CLIENT any > any any ( \ t l s. subject="c=us, ST=California, L=Mountain View, O=Google Inc, CN=. google.com" ; \ t l s. issuerdn =! "C=US, O=Google Inc, CN=Google Internet Authority " ; ) What! KPN has been hacked too! Let s get rid of the Dutch! drop t l s $CLIENT any > any any ( t l s. issuerdn="c=nl" ) ; Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 39 / 44

Actual limit Keywords apply only to first certificate of the chain. Impossible to do check on chained certificates Supported by the parser but not by the keywords. Some keyword are missing and will be added used cryptographic algorithm Key size Diffie-Hellman parameters Statistical study and certificate storage Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 40 / 44

1 Introduction Introduction Goals of the project Ecosystem 2 Functionnalities List of functionnalities Signatures 3 Advanced functionalities of Suricata libhtp Flow variables 4 Suricata 1.3 Extraction et inspection of files TLS Handshake parser 5 The future The roadmap More information Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 41 / 44

Roadmap IP and DNS reputation SCADA Preprocessor (thanks to Digital Bond) Keyword geoip Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 42 / 44

How to test it fast and easy? Already available in Debian, Ubuntu, Gentoo, Freebsd Live distribution: SIEM live (Suricata + Prelude + Openvas) : https: //www.wzdftpd.net/redmine/projects/siem-live/wiki Smooth-Sec (Suricata + Snorby) : http://bailey.st/blog/smooth-sec/ Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 43 / 44

Questions Do you have questions? Big thanks: Pierre Chifflier : http://www.wzdftpd.net/blog/ The whole OISF team and especially Victor Julien Related read: OISF website: http://www.openinfosecfoundation.org/ Planet suricata: http://planet.suricata-ids.org/ Suricata devel site: https://redmine.openinfosecfoundation.org/ Join me: Mail: eric@regit.org Twitter: Regiteric Blog: https://home.regit.org Éric Leblond (OISF) Latest advance in Suricata IP D S July 9th 2012 44 / 44

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information