Amsterdamize your firewall

Similar documents
Suricata 2.0, Netfilter and the PRC

Ulogd2, Advanced firewall logging

Vuurmuur - iptables manager

Platform as a Service and Container Clouds

D&D of malware with exotic C&C

Log management with Logstash and Elasticsearch. Matteo Dessalvi

Introduction. Background

Basic & Advanced Administration for Citrix NetScaler 9.2

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Using NXLog with Elasticsearch and Kibana. Using NXLog with Elasticsearch and Kibana

Building a Continuous Integration Pipeline with Docker

FileRunner Security Overview. An overview of the security protocols associated with the FileRunner file delivery application

OpenStack/Quantum SDNbased network virtulization with Ryu

Snort Installation - Ubuntu FEUP. SSI - ProDEI Paulo Neto and Rui Chilro. December 7, 2010

What is included in the ATRC server support

Network Security Management

Efficient Management of System Logs using a Cloud Radoslav Bodó, Daniel Kouřil CESNET. ISGC 2013, March 2013

VMware vcenter Log Insight Getting Started Guide

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

VMware vcenter Log Insight Getting Started Guide

How To Test The Bandwidth Meter For Hyperv On Windows V (Windows) On A Hyperv Server (Windows V2) On An Uniden V2 (Amd64) Or V2A (Windows 2

SyncThru Database Migration

Case Study 2 SPR500 Fall 2009

Linux Network Security

NuFirewall. Open-source authenticating firewall

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Secure your Docker images

SysPatrol - Server Security Monitor

Logging on a Shoestring Budget

Firewalls P+S Linux Router & Firewall 2013

There are numerous ways to access monitors:

Log Management with Open-Source Tools. Risto Vaarandi SEB Estonia

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

LICENSE4J LICENSE ACTIVATION AND VALIDATION PROXY SERVER USER GUIDE

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Real-time Data Analytics mit Elasticsearch. Bernhard Pflugfelder inovex GmbH

Integrating SAP BusinessObjects with Hadoop. Using a multi-node Hadoop Cluster

TSM Studio Server User Guide

Configuring Snort as a Firewall on Windows 7 Environment

Software Defined Networking (SDN) OpenFlow and OpenStack. Vivek Dasgupta Principal Software Maintenance Engineer Red Hat

Configuring Snort as a Firewall on Windows 7 Environment

Information Retrieval Elasticsearch

Intrusion Detection Systems (IDS)

CHEF IN THE CLOUD AND ON THE GROUND

Andrew Moore Amsterdam 2015

Secure use of iptables and connection tracking helpers

Why should you look at your logs? Why ELK (Elasticsearch, Logstash, and Kibana)?

Monitoring Linux and Windows Logs with Graylog Collector. Bernd Ahlers Graylog, Inc.

Source Code Review Using Static Analysis Tools

Parallels Plesk Automation

SolarWinds Log & Event Manager

Modern Web development and operations practices. Grig Gheorghiu VP Tech Operations Nasty Gal

OpenDaylight & PacketFence install guide. for PacketFence version 4.5.0

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

owncloud Architecture Overview

EOP ASSIST: A Software Application for K 12 Schools and School Districts Installation Manual

Blackboard Open Source Monitoring

mypro Installation and Handling Manual Version: 7

Processing millions of logs with Logstash

Desktop : Ubuntu Desktop, Ubuntu Desktop Server : RedHat EL 5, RedHat EL 6, Ubuntu Server, Ubuntu Server, CentOS 5, CentOS 6

Do Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi,

DevOoops Increase awareness around DevOps infra security. Gianluca

Network Security Monitoring

Things to consider before you do an In-place upgrade to Windows 10. Setup Info. In-place upgrade to Windows 10 Enterprise with SCCM

Dynamic Honeypot Construction

Intro to Docker and Containers

OnCommand Performance Manager 1.1

EZblue BusinessServer The All - In - One Server For Your Home And Business

Working with Docker on Microsoft Azure

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

EXPLORING LINUX KERNEL: THE EASY WAY!

VMware vcenter Log Insight Security Guide

Automated Data Ingestion. Bernhard Disselhoff Enterprise Sales Engineer

Easy Setup Guide 1&1 CLOUD SERVER. Creating Backups. for Linux

Local Caching Servers (LCS): User Manual

Linstantiation of applications. Docker accelerate

How To Install Storegrid Server On Linux On A Microsoft Ubuntu 7.5 (Amd64) Or Ubuntu (Amd86) (Amd77) (Orchestra) (For Ubuntu) (Permanent) (Powerpoint

Data Sheet. NCP Secure Enterprise Management. Next Generation Network Access Technology

What Does Tequila Have to Do with Managing Macs? Using Open Source Tools to Manage Mac OS in the Enterprise!

DDoS Attacks. An open-source recipe to improve fast detection and automate mitigation techniques

Log management with Graylog2 Lennart Koopmann, FrOSCon Mittwoch, 29. August 12

RingStor User Manual. Version 2.1 Last Update on September 17th, RingStor, Inc. 197 Route 18 South, Ste 3000 East Brunswick, NJ

Pro Puppet. Jeffrey McCune. James TurnbuII. Apress* m in

syslog-ng: nyers adatból Big Data

NETWORK SECURITY HACKS *

ADAM 5.5. System Requirements

Log Management with Open-Source Tools. Risto Vaarandi rvaarandi 4T Y4H00 D0T C0M

Trend Micro Worry- Free Business Security st time setup Tips & Tricks

Products, Features & Services

insync Installation Guide

Device Log Export ENGLISH

COUNTERSNIPE

Who did what, when, where and how MySQL Audit Logging. Jeremy Glick & Andrew Moore 20/10/14

Firewall Rulebase Analysis Tool

ALERT installation setup

McAfee Network Security Platform 8.2

E-Commerce for IT Advanced. Louis Aguila & Matt Burt

Transcription:

Amsterdamize your firewall É. Leblond Stamus Networks 2016 June 27 É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 1 / 27

Éric Leblond Éric Leblond aka @Regiteric Netfitler coreteam and Suricata core developer Co-founder of Stamus Networks É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 2 / 27

Disclaimer Disclaimer This talk does not aim to hurt the feeling of Dutch people in the assitance. So it will not cover subjects like certificates authorities or soccer. Ontkenning Katje poesje Nelletje waar ben je toch geweest? Je hebt verbrand je velletje je was zo n aardig beest. É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 3 / 27

Suricata key points afpacket netmap Netfilter afpacket ipfw pcap IDS IPS Port independant detection Prelude Output Architecture Metadata extraction Syslog Suricata Protocol analysis Redis JSON Protocols HTTP SSH SMTP Lua for advance analysis Intrusion detection Signatures DNS TLS Multi step attacks Protocol keywords É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 4 / 27

SELKS An installable and live ISO Based on Debian live A running Suricata configured and manageable via a web interface Contenu Suricata: git version Signature based IDS Network Security Monitoring engine Open source Elasticsearch: database, full search text Logstash: collect info and store them in Elasticsearch Kibana: dashboard interface for data analysis Scirius: web interface for suricata ruleset management É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 5 / 27

Docker Light weight virtualization Containers based Use cgroup Various namespaces Application repository Pull an application Fire it Forget it É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 6 / 27

Suricata Docker QA Buildbot and prscript A Python system to automate the compile/test cycle to validate code changes. Prscript is pre Pull Request script: Known developers have to run it before PR Trigger a series of build in the buildbot Also some basic functional tests Docker mode for prscript Buildbot installed in a docker container Ready to use via prscript Available in docker hub Configuration in the source É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 7 / 27

Docker compose Orchestration Create distributed applications Distributed applications consist of many small applications that work together. Principle Define containers to start Bind mount as shared folders /etc/hosts to established relation É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 8 / 27

Amsterdam: SELKS meet Docker SELKS components Suricata: latest release ELK: latest version including Kibana 4 Evebox Scirius Docker Using Compose With official ELK containers É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 9 / 27

Install Amsterdam Installation pip i n s t a l l amsterdam # v e r i f y version p i p show amsterdam # create an instance i n the ams d i r e c t o r y amsterdam d ams i wlan0 setup # s t a r t instance amsterdam d ams s t a r t Utilisation Point your browser to https://localhost/ or on the IP of server if on an external box. É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 10 / 27

Amsterdamize your firewall Install Amsterdam on your firewall Amsterdam on an existing firewall Sniff one of the network interfaces Dashboards everywhere Firewall do logs Logs are not in the dashboards É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 11 / 27

At the beginning was syslog Pre Netfilter days Flat packet logging One line per packet A lot of information Non searchable É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 12 / 27

At the beginning was syslog Pre Netfilter days Flat packet logging One line per packet A lot of information Non searchable Not sexy INPUT DROP IN=eth0 OUT= MAC=00:1a:92:05:ee:68:00:b0:8e:83:3b:f0:08:00 SRC=62.212.121.211 DST=91.121 IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=4 IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.23 DST=192.168.11.3 LEN= IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=4 IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=4 É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 12 / 27

Ulogd2: complete Netfilter logging Ulogd2 Interact with the post 2.6.14 libraries Rewrite of ulogd SCTP support (developed during @philpraxis talk at hack.lu 2008) multiple output and input through the use of stack libnetfilter_log (generalized ulog) Packet logging IPv6 ready Few structural modification libnetfilter_conntrack (new) Connection tracking logging Accounting, logging É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 13 / 27

Ulogd: output and configuration Sexify output Syslog and file output SQL output: PGSQL, MySQL, SQLite Graphite JSON output Some stack examples stack=log2:nflog,base1:base,ifi1:ifindex, \ ip2str1:ip2str,mac2str1:hwhdr,json1:json stack=ct1:nfct,mark1:mark,ip2str1:ip2str,pgsql2:pgsql É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 14 / 27

Plan of Amsterdam Data directories backups elasticsearch, scirius suricata Config files directories sub directories of config directory: evebox logstash nginx scirius suricata docker directory docker-compose.yml É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 15 / 27

Inject Ulogd2 data in Amsterdam The suricata data directory Readable by logstash Any JSON files will be parsed by ulogd2 É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 16 / 27

Inject Ulogd2 data in Amsterdam The suricata data directory Readable by logstash Any JSON files will be parsed by ulogd2 Inject data Update ulogd2 configuration Change output target: [ json1 ] sync=1 f i l e = " / path / to / amsterdam / s u r i c a t a / ulogd. json " É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 16 / 27

Ulogd2 in Amsterdam É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 17 / 27

Plotting TCP window at start OS passive fingerprinting Value of TCP window at start is not specified in RFC The value is a choice of the OS We can use this for identification Value for some OSes 8192: Windows 7 SP1 65535: Mac OS X 10.2-10.7 14600: Some Linux 5840: Some other Linux Source: http://noc.to/#help:tcpsynpacketsignature É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 18 / 27

The facts É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 19 / 27

The facts É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 20 / 27

The facts É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 21 / 27

The facts É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 22 / 27

Suricata meet Netfilter Ulogd2 as an Amsterdam component Install ulogd2 inside a container Get the netlink message to the container É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 23 / 27

Suricata meet Netfilter Ulogd2 as an Amsterdam component Install ulogd2 inside a container Get the netlink message to the container Docker compose configuration ulogd : b u i l d : / path / to / ams / docker / ulogd volumes : / path / to / ams / s u r i c a t a : / var / log / s u r i c a t a : rw / path / to / ams / c o n f i g / ulogd / ulogd. conf : / etc / ulogd. conf : ro cap_add : NET_ADMIN net : host É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 23 / 27

Add ulogd Ulogd2 Dockerfile FROM debian : j e s s i e run apt get update run DEBIAN_FRONTEND= n o n i n t e r a c t i v e apt get i n s t a l l y ulogd2 CMD [ " / usr / sbin / ulogd ", " c ", " / etc / ulogd. conf " ] Start the system amsterdam d ams s t a r t É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 24 / 27

Elasticsearch 2.0 and backward compatibility É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 25 / 27

Get a fix in Amsterdam Install logstash plugin: update docker/logstash/dockerfile FROM logstash : 2. 3 ADD e l a s t i c s e a r c h template. json / opt / logstash / vendor / bundle / j r u b y / 1. 9 / gems RUN / opt / logstash / bin / logstash p l u g i n i n s t a l l logstash f i l t e r de_dot Install logstash config in config/logstash f i l t e r { de_dot { }... É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 26 / 27

Conclusion Amsterdam Easy to install Suricata ecosystem Easy tuning More information Suricata: http://www.suricata-ids.org/ Amsterdam : https://github.com/stamusnetworks/amsterdam Stamus Networks : https://www.stamus-networks.com/ É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 27 / 27

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information