The Next Generation Open IDS Engine Suricata and Emerging Threats
Transcript of The Next Generation Open IDS Engine Suricata and Emerging Threats
Open Information Security Foundation
Suricata, The Next Generation IPS
Balancing Open Security Software with Commercial Interests
Tuesday, August 3, 2010
Introduction
EmergingThreats.net
Open Information Security Foundation
OpenInfoSecFoundation.org
A Few Truths
Great Ideas Often Result from Open Collaboration
A Few Truths
Open Source Projects Don’t Become Effective Complete Products on Their Own
A Few Truths
Open Community Hippies Don’t Trust Vendors
A Few Truths
Vendors Don’t Collaborate With Open Community Hippies Well
A Few Truths
The Military Doesn’t Trust Open Community Hippies
A Few Truths
Vendors try to Reinvent the Wheel on Every Military Contract
The Result
We have a
Hippie-Vendor-Mil Gap
Fixing it...
(please don’t laugh)
We Involve The Government
A Case Study
Intrusion Detection Systems
12+ Years Old
Open and Proprietary
Productized by EV
A Case Study
In the last 5 years
No Innovation. Nada. Zilch. Nothing.
A Case Study
“IDS is Dead.”
-Gartner
IDS
• Intrusion Detection Has Not:
  • Innovated
  • Gone Multi-Threaded
  • Integrated with other technologies
  • Risen to solve our new threats
OISF
Non-Profit Foundation
Initially DHS Funded
OSH, Mil, and EV Involvement
The Dirty Little Secret
It’s working!
Why?
The Dirty Little Secret
The OSH, EV, Consumers, Mil, and Government
ALL WANT THE SAME THING
The Dirty Little Secret
New Ideas
Constant Innovation
Reliable Implementations
Effective Support
Put their Kids through College
Consortium
Vendors are part of a Consortium
50/50 voting rights with the Community
Support required for a non-GPL license
OISF Consortium
Consortium
• Currently Bringing in 19 New Members
• Global Defense Contractors...
• Several Government Research Groups
• Many CERTs
• Universities
• Security Vendors (that use other engines...)
The Engine
Features
Major Goals
Features
Multi-Threading
Features
Native IPv6 Support
Features
Snort Syntax
with additions
Features
Automatic Protocol Detection
Features
High Speed Regex
Features
Advanced HTTP Parsing
Features
Multiple Model
Statistical Anomaly Detection
Features
Native Hardware Acceleration Support
Features
GPU Acceleration
Features
IP Reputation
Distributed Blocking and Feedback
Features
Scoring Thresholds
Features
Very High Speed Regex
Features
In Stream File Extraction
Features
Web-Based Config Manager
Other Features
HTTP Access Logging
SMB Access/Action Logging
Windows INLINE Support
Full Windows Support
Virtual Environment Support
Stopbadware.org URI Matching
Passive SSL Decryption
Features
Go ask your Commercial Vendor for any of that....
Status
Releases
• Initial Stable Release, December 31, 2010
• Second Stable Release, February 15, 2010
• Phase One RC1, May 6, 2010
• Phase One Production, July 1, 2010
Get Involved
Brainstorming Meeting
July 16, 2010
San Francisco
Get Involved
Interim Goals:
Architecture Documentation
Performance Optimization
Run Mode Support (Likely Endace completed)
Error Code Cleanup and Documentation
Full Documentation (community interactable docs)
Advanced Profiling and Engine stats
Accuracy Improvements
Add Protocol Detections (SMTP, etc)
Classifications Update
2.8.6 Compatibility
LibHTP Error Handling
Heavy Inline Testing
Get Involved
Phase Two:
Max Inspection Time
File Capture in Stream
REGEX Optimization/Accel
Live Ruleset Updates
Flow Logging (Netflow)
Add Replace keyword support
Host attribute scrubbing
URI Matching lookups (stopbadware, websense, etc)
CUDA Support
Get Involved
Phase Two Team Two:
IP Reputation - Explore other items, dns, etc
Distributed Blocking
Global Flowbits and flowvars
Full Stream Capture
Traffic Redirection
What We Need
Consortium Members
Coding Support
Further Government/Mil Support
YOU!
Will you get involved?
Questions?
www.EmergingThreats.net