Suricata - Éric Leblond / Victor Julien, OISF, March 12, 2013


  • Suricata

    Éric Leblond / Victor Julien

    OISF

    March 12, 2013

    Éric Leblond / Victor Julien (OISF) Suricata March 12, 2013 1 / 41

  • 1 Suricata
        Ecosystem
        Goals of the project
        Features
        Advanced functionalities

    2 IPS
        IPS basics
        Stream inline
        IPS advanced functions


  • IDS? IPS?

    System to uncover malicious/unwanted activity on your network by inspecting the network traffic.

    IDS: (Network) Intrusion Detection System
      Passive, it only looks and alerts the admin
      Compare to a security camera

    IPS: (Network) Intrusion Prevention System
      Active, tries to prevent badness from happening
      Compare to a security checkpoint


  • Suricata reconstruction and normalization

    https://home.regit.org/~regit/decomp-en.svg


  • Similar projects

    Bro
      Different technology (capture oriented)
      Statistical study
      Scripting
      Complementary

    Snort
      Equivalent
      Compatible
      Competing project


  • Suricata vs Snort

    Suricata
      Driven by a foundation
      Multi-threaded
      Native IPS
      Advanced functions (flowint, libHTP, LuaJIT scripting)
      PF_RING support, CUDA support
      Modern and modular code
      Young but dynamic

    Snort
      Developed by Sourcefire
      Multi-process
      IPS support
      SO ruleset (advanced logic + perf but closed)
      No hardware acceleration
      Old code
      10 years of experience

    Independent study: http://www.aldeid.com/index.php/Suricata-vs-snort


  • Suricata with Snort ruleset

    Not optimised
    Doesn't use any advanced features


  • Suricata with dedicated ruleset

    Uses Suricata optimised detection
    Uses Suricata advanced keywords
    Can get one for free from http://www.emergingthreats.net/

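    The slide says a dedicated ruleset uses Suricata's own keywords; as an added example that is not part of this deck or of any published ruleset, the two constructed rules below use the flowint counter and the HTTP buffers named on the Suricata vs Snort slide to flag repeated login POSTs inside a single flow. The /login URI, the login_attempts variable name and the sid values are assumptions.

```suricata
# Constructed example rules (not from the deck). Assumes the web application
# is reached via /login; sid values are placeholders.

# Rule 1: count every POST to the login URI on this flow. "noalert" makes it a
# pure counter so the ruleset does not fire on every single attempt.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Login POST seen (counter only)"; flow:established,to_server; content:"POST"; http_method; content:"/login"; http_uri; flowint:login_attempts,+,1; noalert; sid:1000001; rev:1;)

# Rule 2: fire once the per-flow counter exceeds 5, i.e. many login attempts
# on one connection, which is the behaviour a dedicated ruleset can express
# with flowint but a plain content match cannot.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"More than 5 login POSTs on one flow"; flow:established,to_server; content:"POST"; http_method; content:"/login"; http_uri; flowint:login_attempts,>,5; sid:1000002; rev:1;)
```

    The counter lives on the flow, so it resets with each new connection; a threshold across connections from one client would need a different mechanism than flowint.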

  • About OISF

    Open Information Security Foundation: http://www.openinfosecfoundation.org

    Non-profit foundation organized to build a next generation IDS/IPS engine
    Funded by US Government (DHS, Navy)
    Development of an Open Source IDS/IPS:
      Paying developers
      Financial support of related projects (barnyard2)
      Board which oversees foundation management
      Roadmap is defined in public brainstorm sessions



  • About OISF

    Consortium members
      HOST program: Homeland Open Security Technology
      Platinum level: BAE Systems, nPulse
      Gold level: Tilera, Endace, Emerging Threats
      Bronze level: SRC, Everis, NitroSecurity, Myricom, Emulex
      Technology partner: Napatech, Nvidia

    Developers
      Lead: Victor Julien
      Core developers: Anoop Saldanha, Eric Leblond
      Developers: several from consortium members, community.
      Suricata has been created by about 35 developers so far.

    Board
      Project leader: Matt Jonkman
      Richard Bejtlich, Dr. Jose Nazario, Joel Ebrahimi, Marc Norton, Stuart Wilson



  • Goals

    Bring new technologies to IDS
    Performance: Multi-Threading, Hardware acceleration
    Open source: community driven (GPLv2)
    Support of Linux / *BSD / Mac OSX / Windows


  • Features

    IPv6 native support
    Multi-threaded
    Native hardware acceleration (PF_RING, Napatech, Endace, Myricom)
    Numerous options for performance optimisation
    Optimized support of IP only tests
    IPS is native (inline mode)
    Protocol detection
    Advanced HTTP and TLS support
    File extraction
    LuaJIT scripting (experimental)
    IP Reputation and GeoIP

