suricata idps and nftables: the mixed mode · 2016-06-28 · suricata: ips stream in ips in inline...
TRANSCRIPT
Suricata IDPS and Nftables: The Mixed Mode
Giuseppe Longo
Stamus Networks
2016 June 27
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 1 / 30
1 SuricataIDS / IPSSignaturesNFQUEUENFLOG
2 Mixed ModeIntroductionUsageNinja usage
3 Conclusion
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 1 / 30
1 SuricataIDS / IPSSignaturesNFQUEUENFLOG
2 Mixed ModeIntroductionUsageNinja usage
3 Conclusion
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 1 / 30
Suricata: capture modes
IDSPCAP: multi OS captureAF_PACKET: Linux high performance on vanilla kernelNFLOG: Netfilter on Linux
IPSNFQUEUE: Netfilter on LinuxIPFW: Divert socket on FreeBSDAF_PACKET: Level 2 software bridge
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 2 / 30
Suricata: IDS
IDS behaviorSuricata receives traffic in chunks.
Once the ACK is sent, the chunks are reassembled, and sent to detectengine to inspect it.
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 3 / 30
Suricata: IPS
IPS behaviorIt inspects packets immediately before sending them to thereceiverPackets are inspected using the sliding window concept
It inspects data as they come in until the tcp connection is closed
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 4 / 30
Suricata: IPS
Sliding window conceptSuricata gets the first chunkand inspect itThen gets the second chunk,put it together with the first,and inspect itAt the end, gets the thirdchunk, cut off the first one, puttogether second chunk withthe third, and inspect it
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 5 / 30
Suricata: IPS
Inline modeNormally, we analyse data once we know they have been received bythe receiver, in term of TCP this means after it has been ACKed.In IPS it does not work like this, because the data have reached thehost that we protect.
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 6 / 30
Suricata: IPS
Stream in IPSIn inline mode, data is analysed before they have been ACKed.When Suricata receives a packet, it triggers the reassembly processitself.If the detection engine decides a drop is required, the packetcontaining the data itself can be dropped, not just the ACK.
As a consequence of inline mode, Suricata can drop or modify packetsif stream reassembly requires it.Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 7 / 30
1 SuricataIDS / IPSSignaturesNFQUEUENFLOG
2 Mixed ModeIntroductionUsageNinja usage
3 Conclusion
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 7 / 30
Suricata: administrative side
SignaturesOn the administrative side, we must have signatures with a properaction in our ruleset.An action is a property of the signature which determines what willhappen when a signature matches the incoming, or outcoming, data.
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 8 / 30
Suricata: actions
Actions in IDS modePass
Suricata stops scanning the packet and skips to the end of all rules(only for this packet)
AlertSuricata fires up an alert for the packet matched by a signature
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 9 / 30
Suricata: actions
Actions in IPS modeDrop
If a signature containing a drop action matches a packet, this isdiscarded immediately and won’t be sent any furtherThe receiver doesn’t receive a message, risulting in a time-outconnectionAll subsequent packets of a flow are droppedSuricata generates an alert for this packetThis only concerns the IPS mode
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 10 / 30
Suricata: actions
Actions in IPS modeReject
This is an active rejection of the packet, both receiver and senderreceive a reject packetIf the packet concerns TCP, it will be a reset-packet, otherwise it willbe an ICMP-error packet for all other protocolsSuricata generates an alert tooIn IPS mode, the packet will be dropped as in the drop actionReject in IDS mode is called IDPS
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 11 / 30
1 SuricataIDS / IPSSignaturesNFQUEUENFLOG
2 Mixed ModeIntroductionUsageNinja usage
3 Conclusion
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 11 / 30
Suricata: NFQUEUE
NFQUEUEIt is used in Suricata to work in IPS mode, performing actions onthe packet like DROP or ACCEPT.With NFQUEUE we are able to delegate the verdict on the packetto a userspace softwareThe Linux kernel will ask a userspace software connected to aqueue for a decision
Netfilter’s rulesnft add filter forward queue num 0iptables -A FORWARD -j NFQUEUE –queue-num 0
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 12 / 30
Suricata: NFQUEUE
Suricata and NFQUEUEcommunication
Incoming packet matched by arule is sent to Suricata throughnfnetlinkSuricata receives the packetand issues a verdictdepending on our rulesetThe packet is eithertransmitted or rejected bykernel
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 13 / 30
Suricata: NFQUEUE
NFQUEUE rulequeue-num
queue numberqueue-balance
packet is queued by the same rules to multiple queues which areload balanced
queue-bypasspacket is accepted when no software is listening to the queue
fail-openpacket is accepted when queue is full
batching verdictverdict is sent to all packets
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 14 / 30
Suricata: NFQUEUE
NFQUEUE considerationsNumber of packets on a single queue is limited due to the natureof netlink communicationBatching verdict can help but without an efficient improvementStarting Suricata with multiple queue could improve performance
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 15 / 30
1 SuricataIDS / IPSSignaturesNFQUEUENFLOG
2 Mixed ModeIntroductionUsageNinja usage
3 Conclusion
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 15 / 30
Suricata: NFLOG
NFLOGIt is used in Suricata to work in IDS mode, NFLOG is for LOGgingSimilar to NFQUEUE but it only sends a copy of a packet withoutissuing a verdictThe communication between NFLOG and userspace software ismade through netlink
Netfilter’s rulenft add rule filter input ip log group 10iptables -A INPUT -j NFLOG –nflog-group 10
Group exceptionGroup 0 it’s used by kernel
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 16 / 30
Suricata: NFLOG
NFLOG rulenflog-group
number of the netlink multicast groupnflog-range <N>
number of bytes up to which the packet is copiednflog-threshold
if a packet is matched by a rule, and already N packets are in thequeue, the queue is flushed to userspace
nflog-prefixstring associated with every packet logged
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 17 / 30
1 SuricataIDS / IPSSignaturesNFQUEUENFLOG
2 Mixed ModeIntroductionUsageNinja usage
3 Conclusion
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 17 / 30
1 SuricataIDS / IPSSignaturesNFQUEUENFLOG
2 Mixed ModeIntroductionUsageNinja usage
3 Conclusion
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 17 / 30
Suricata: mixed mode
What is the mixed mode?It’s a feature that permits to get the traffic from different sources,giving us the possibility to choice different capture modes, asNFQUEUE and NFLOG, and mix the IPS and IDS capabilitiesThe key point of mixed mode is the fact you decide on a perpacket basis if handle it as IDS or IPS
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 18 / 30
Suricata: mixed mode
MotivationThis mode gives us two advantages:
Having a mixed environmentWe may want to block some traffic, and inspect some
Technical simplificationWe could have an IPS/IDS system, as mixed mode, running manysuricata instances with different configuration files
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 19 / 30
1 SuricataIDS / IPSSignaturesNFQUEUENFLOG
2 Mixed ModeIntroductionUsageNinja usage
3 Conclusion
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 19 / 30
Mixed mode: usage
ScenarioWeb server on 80: can’t block trafficRest of traffic is less sensitive
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 20 / 30
Mixed mode: usage
Netfilter rulesetWe want to be sure not to cut off a webserver, but we want toinspect port 80nftables
nft add rule filter forward tcp dport not 80 queue num 0nft add rule filter forward tcp dport 80 log group 2
iptablesiptables -A FORWARD -p tcp ! –dport 80 -j NFQUEUEiptables -A FORWARD -p tcp –dport 80 -j NFLOG –nflog-group 2
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 21 / 30
Mixed mode: usage
Suricata configuration
Suricata in mixed modesuricata -c suricata.yaml -q 0 –nflog -v
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 22 / 30
Mixed mode: usage
Scenario 2This time we want to send all traffic of a suspicious IP from IDS toIPSLet’s suppose that we notice a suspiscious IP in the eve log fileand we want to block it
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 23 / 30
Mixed mode: usage
SolutionWe should add a rule to block the incoming traffic from this IP:
nft add rule filter input ip saddr 145.254.160.237This solution is not very performing because if we want to blockanother IP address we need to add another identical rule
rules duplication
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 24 / 30
Mixed mode: usage
Solution improvementBuild a set containing all suspiscious IPs and block all incoming trafficfrom them.
nftables waynft add set filter suspisciousips {type ipv4_addr }nft add element filter suspisciousips {145.254.160.137}nft add rule filter input ip saddr @suspisciousips queue 0
iptables wayipset create suspisciousipsipset add suspisciousips 145.254.160.237iptables -A FORWARD -m set –set suspisciousips -j NFQUEUE–queue-num 0
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 25 / 30
1 SuricataIDS / IPSSignaturesNFQUEUENFLOG
2 Mixed ModeIntroductionUsageNinja usage
3 Conclusion
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 25 / 30
Mixed mode: ninja usage
ScenarioWe are using Suricata on a gateway that inspects all incoming traffic,and in particular we want to block all SSH connections from fake SSHagents.
SolutionSuricata detects an SSH connection and log it to EVE log fileAdd the suspiscious IP to the set
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 26 / 30
Mixed mode: ninja usage
Deny On MonitoringWritten by Eric LeblondImplements a solution similar fail2banIt parses the Suricata EVE log file searching for SSH eventsif the client version is suspiscious, it adds the host to a blacklist byusing nftables or ipset
suspiscious: client version != libssh
ConsequenceSuricata will act as IPS on incoming connection from the suspisciousIPs detected by DOM
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 27 / 30
Rulesets
Netfilter ruleset (nftables)nft add set filter suspisciousips {type ipv4_addr}nft add rule filter input ip saddr @suspisciousips queue 0nft add rule filter input log group 2
Netfilter ruleset (iptables)iptables -A INPUT -m set –set suspisciousips -j NFQUEUE–queue-num 0iptables -A INPUT -j NFLOG –nflog-group 2
Suricata rulesetdrop tcp 192.168.1.4 any -> $SSH_SERVER any(msg:"Unexpected ssh connection"; sid:1234; rev:1234;)alert icmp 192.168.1.4 any -> $SSH_SERVER any (msg:"Pingfrom unexpected client"; sid:5678; rev:5678;)
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 28 / 30
Results
Log examples
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 29 / 30
1 SuricataIDS / IPSSignaturesNFQUEUENFLOG
2 Mixed ModeIntroductionUsageNinja usage
3 Conclusion
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 29 / 30
Question ?
Mixed modeCode not merged yetIt still requres some testingFeedback is appreciated
More informationSuricata: http://www.suricata-ids.org/Netfilter: http://www.netfilter.org/Stamus Networks: https://www.stamus-networks.com/
Contact meMail: [email protected]: @theglongohttps://www.stamus-networks.com
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode 2016 June 27 30 / 30