Brandon Devault

Log4j? Log4Shell? I feel like I’ve heard those terms before; For this and so many exploits before, Suricata has been my reliable source for intrusion detection and analysis.

In this hands-on talk, we’ll walk through how the vulnerability is exploited and what part it plays in the attack chain. You’ll have an opportunity to emulate the attack or follow along as I demonstrate the attack and how to detect this activity with Suricata.

This talk takes a purple team approach by discussing the defender’s and attacker’s infrastructure, attack execution, and how to analyze the traffic for identification and detection. We’ll pay special attention to the approach Suricata takes when analyzing this type of an attack and dive into some rule analysis on detecting various bypass mechanisms.

I’ll leave you with configured docker containers, detection mechanisms, and full instructions on how to emulate and detect this attack within your own environment.

Peter Manev

When a new CVE (e.g. Log4J, Printing Nightmare, Fellina) with broad applicability and/or serious consequences is announced, security teams often face tremendous pressure from management to answer basic questions about the impact on their organization: Are we vulnerable? Have we been targeted? Have we been breached? The great news is that if Suricata has been deployed in the network, these questions can be answered fairly quickly even if there are no signatures for it. In this talk, we look under the hood to identify the components of Suricata that can be used to spot specific CVE exploits and what developers and rule writers can do to make this easier for users.

Attendees will learn:
* What components of Suricata are relevant to the search for attempts to exploit the CVE
* How to leverage the power of Suricata to hunt for the attempted exploits
* What developers can do to make the hunt for these exploits more user friendly
* Where to find third party threat intelligence and rules to spot these exploits
* Tips to writing rules or protocol data queries for capturing data about the exploit attempts

Juliana Fajardini Reichow

Often the Suricata community has questions about how to add a new protocol to the engine: how to get started, what are the mandatory points, how to get log output or detection… In this talk, we will cover the main steps for adding a new protocol to Suricata in Rust, using as a use-case a subset of messages from the STUN protocol (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators (NAT’s)).

The talk format will be a live coding session, during which the attendees will see, for a small subset of messages from the STUN protocol, how to:

– generate the basic methods necessary for Suricata to recognize STUN traffic (parsing messages and decoding traffic)

– generate eve-log output

– add Suricata-Verify tests

– add detection abilities

The idea is to provide the attendees with the basics for folks to feel comfortable successfully implementing a new protocol into Suricata.

Sebastien Synold

Whether used for active threat blocking or passive threat detection, Suricata’s functional performance can be improved by integrating it with open source or commercial DPI software. This talk will provide examples of how such an integration can enable Suricata to 1) detect threats cloaked by evasive techniques such as tunneling, encryption, and spoofing, 2) improve white- and blacklisting through expanded application and protocol recognition (even for encrypted traffic), 3) reduce false positives and false negatives through more detailed and accurate classification, and 4) improve threat hunting and forensics through contextual metadata.

The presentation will cover:
-The current state of DPI technology (form factors and capabilities)
-How Suricata and DPI complement one another to improve network protection
-Examples of enhanced visibility and threat detection DPI enables
-Sample architectures for integrating these two technologies.
-Q&A

Nidhi V. Singhai & Vagisha Gupta

We live in a world where breaches happen on a daily basis. Traditional security models emphasize on threat actors that are external to the network and place implicit trust on internal assets. This means that once the network has been infiltrated, malicious entities have free access across the network. Thus detecting lateral movement quickly and accurately is of high significance in order to prevent malicious actors from expanding their reach within an organization. Zero trust network architecture (ZTNA) removes implicit trust on the users and enables threat detection on lateral traffic as well. One of the primary factors of ZTNA networks is segmentation and multi-tenancy. While segmentation divides the client networks into sub-networks, multi-tenancy enables granular controls of the different segments with different security policies. In this talk, we explore how Suricata can be run in a multi-tenant setup to achieve a Zero Trust architecture. We will expand on the Suricata capabilities that can be used in such an architecture and how the data can be visually analyzed in threat hunting.

Rildo Souza

Driven by the need for greater autonomy in detecting malicious activity at Brazilian academic networks, CAIS/RNP, the Brazilian National Academic and Research Network CSIRT — which serves a constituency of approximately 1500 institutions — developed its monitoring solution based on an open-source Network IDS/IPS (Suricata) using a master-engine model and incorporating additional features and customizations to obtain an efficient, easily-managed and complete solution for proactive detection of network security incidents, thus facilitating the day-to-day of incident handlers and strengthening the CSIRT incident handling capability, which is one of the core services of any CSIRT.

Thibaut Hansmann & Hugo Florenty

CodeQL is a static analysis tool developed by GitHub Security Lab to find vulnerabilities, especially in open source software. CodeQL lets you query code as though it were data, with its query language. Based on past bugfixes of Suricata, four new queries were written to look for other variants of these bugs. A configuration file was added to Suricata to allow CodeQL to run as part of GitHub CI actions and catch new bugs before they reach the development branches. Last, these queries were then run on more than 1800 other open source projects to scale up bug finding.