Registration | Continental Breakfast
State of Suricata
Let’s Try Something New With Storage for Suricata!
Champ Clark III
It seems that everyone is satisfied with storing their Suricata data in Elasticsearch or OpenSearch. While Elasticsearch is great, it may be overkill for some tasks. Elasticsearch requires you to understand Java, sharding, memory allocation and limitations, etc. There is no such thing as “quickly” ramping up an Elasticsearch instance. For “small” projects, systems with limited resources or rapid development, Elasticsearch’s overhead can be a headache.
This talk focuses on a “lightweight” Elasticsearch alternative known as “Zinc” (https://github.com/zinclabs/zinc). Zinc is written in Golang and can be up and running in a couple of minutes. The idea behind Zinc is to be fast, simple and have a much smaller memory footprint. Zinc’s ingestion API is compatible with Elasticsearch, which means your applications may already be ready to use with Zinc!
This talk will focus on how we use Meer (https://github.com/quadrantsec/meer), and other ingestion tools, to get Suricata data into Zinc. This talk will also demonstrate that impressive results can be achieved with Zinc, even on systems with limited resources.
Pwning Suricata for Fun and Defense
This talk will start from a known, fixed vulnerability in Suricata and will cover what it takes to build an exploit from it that achieves arbitrary code execution, in order to study what additional defense-in-depth counter-measures may be implemented in Suricata.
Jupyter Playbooks for Suricata
Suricata produces a lot of data. EVE has over 1000 distinct JSON fields across a large number of supported event types. Likewise, rulesets contain tens of thousands of rules. This makes it difficult to truly understand the data, and users often need to resort to large SIEM and data analytics engines to do so.
Jupyter Notebook is an interactive data exploration tool that originated in the scientific community. In recent years, notebooks have become increasingly popular for threat hunting and incident response. This talk demonstrates how Stamus Networks uses Jupyter notebooks for Suricata rule exploration, R&D prototyping for threat hunting and analytics, and in our upcoming open suricata-analytics threat hunting playbooks.
Partner Sponsor Level Recognition
Suricata Datasets: Powerful IOC Checking and Anomaly Detection
Suricata 5 introduced the dataset feature into the code base. Although that was back in 2019, many developers still do not fully understand its capabilities. Suricata can now match on a list against more than 50 different buffers: for example, check a list of hostnames against an “unknown bad” database in the HTTP hostname or in the TLS Server Name Indication, or check a list of HTTP user agents. These lists may consist of just a few items or millions of them, and can be evaluated in real time without degrading system performance. In an even less understood application, the dataset feature can be used to create a learned list, tracking what is seen on the network and when. This can be used to build a new class of machine-learning-based anomaly detection.
Attendees will learn:
- The basics of Suricata datasets
- How datasets can be used to check for matches against a list of known IOCs
- How to incorporate MISP threat intelligence sharing into your Suricata implementation
- How datasets can be used for the foundation of network-based anomaly detection
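As an added illustration (not code from the talk or the Suricata project), these are the rule forms the abstract refers to: one static dataset checked in both the HTTP Host and TLS SNI buffers, and a learned list that records observed User-Agent values. Dataset names, file names, sids and the first-sighting match behaviour of `set` are assumptions to verify against the Suricata version in use.

```suricata
# Constructed example rules; dataset names, file names and sids are assumptions.
# bad-hosts.lst holds one base64-encoded hostname per line (string datasets are
# stored base64-encoded on disk). "load" reads the file once at startup.

# 1) Known-bad hostname seen in the HTTP Host header
alert http any any -> any any (msg:"Known-bad HTTP host (dataset)"; \
    http.host; dataset:isset,bad-hosts,type string,load bad-hosts.lst; \
    classtype:bad-unknown; sid:9000001; rev:1;)

# 2) The same list checked against the TLS Server Name Indication
alert tls any any -> any any (msg:"Known-bad TLS SNI (dataset)"; \
    tls.sni; dataset:isset,bad-hosts,type string,load bad-hosts.lst; \
    classtype:bad-unknown; sid:9000002; rev:1;)

# 3) Learned list: each User-Agent is added to a set that is written to disk on
#    exit ("save"). Assumed semantics: the rule alerts when a value is added for
#    the first time, which gives the "what was seen and when" baseline for
#    anomaly review.
alert http any any -> any any (msg:"New HTTP User-Agent learned (dataset)"; \
    http.user_agent; dataset:set,seen-ua,type string,save seen-ua.lst; \
    sid:9000003; rev:1;)
```

The same `isset` pattern applies to any sticky buffer Suricata exposes, and an IOC feed such as a MISP export only needs to be base64-encoded line by line to become the dataset file.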
Community Leader Spotlight
Scaling Suricata on AWS with AWS Gateway Load Balancer
Adam Palmer, Scott Morrison, & Jesper Eneberg
AWS Gateway Load Balancer (GWLB) can help you deploy and scale security appliances in AWS. In this workshop, we’ll focus on integrating GWLB with Suricata’s open-source threat detection engine. We’ll cover the mechanics of GWLB, build rules for GeoIP blocking, and write scripts for enhanced malware detection. The architecture will rely on AWS Transit Gateway for centralized inspection and you will automate the entire solution using a GitOps CI/CD approach.
Suricata Roadmap | Part 1
Thursday, November 10 — Day 2
Log4Shell Case Study: Using Suricata for Incident Response
Log4j? Log4Shell? I feel like I’ve heard those terms before. For this and so many exploits before it, Suricata has been my reliable source for intrusion detection and analysis.
In this hands-on talk, we’ll walk through how the vulnerability is exploited and what part it plays in the attack chain. You’ll have an opportunity to emulate the attack or follow along as I demonstrate the attack and how to detect this activity with Suricata.
This talk takes a purple team approach by discussing the defender’s and attacker’s infrastructure, attack execution, and how to analyze the traffic for identification and detection. We’ll pay special attention to the approach Suricata takes when analyzing this type of attack and dive into some rule analysis on detecting various bypass mechanisms.
I’ll leave you with configured docker containers, detection mechanisms, and full instructions on how to emulate and detect this attack within your own environment.
In Hot Pursuit: Hunting with Metadata for Recently Disclosed CVEs
When a new CVE (e.g. Log4j, PrintNightmare, Follina) with broad applicability and/or serious consequences is announced, security teams often face tremendous pressure from management to answer basic questions about the impact on their organization: Are we vulnerable? Have we been targeted? Have we been breached? The great news is that if Suricata has been deployed in the network, these questions can be answered fairly quickly even if there are no signatures for the CVE yet. In this talk, we look under the hood to identify the components of Suricata that can be used to spot specific CVE exploits, and what developers and rule writers can do to make this easier for users.
Attendees will learn:
* What components of Suricata are relevant to the search for attempts to exploit the CVE
* How to leverage the power of Suricata to hunt for the attempted exploits
* What developers can do to make the hunt for these exploits more user friendly
* Where to find third party threat intelligence and rules to spot these exploits
* Tips for writing rules or protocol data queries for capturing data about the exploit attempts
Adding a New Protocol to Suricata: Live!
Juliana Fajardini Reichow
The Suricata community often has questions about how to add a new protocol to the engine: how to get started, what the mandatory points are, how to get log output or detection… In this talk, we will cover the main steps for adding a new protocol to Suricata in Rust, using as a use case a subset of messages from the STUN protocol (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators (NATs)).
The talk format will be a live coding session, during which the attendees will see, for a small subset of messages from the STUN protocol, how to:
– generate the basic methods necessary for Suricata to recognize STUN traffic (parsing messages and decoding traffic)
– generate eve-log output
– add Suricata-Verify tests
– add detection abilities
The idea is to give attendees the basics so that they feel comfortable implementing a new protocol in Suricata.
Enhancing Suricata Performance with a DPI Engine
Whether used for active threat blocking or passive threat detection, Suricata’s functional performance can be improved by integrating it with open source or commercial DPI software. This talk will provide examples of how such an integration can enable Suricata to 1) detect threats cloaked by evasive techniques such as tunneling, encryption, and spoofing, 2) improve white- and blacklisting through expanded application and protocol recognition (even for encrypted traffic), 3) reduce false positives and false negatives through more detailed and accurate classification, and 4) improve threat hunting and forensics through contextual metadata.
The presentation will cover:
- The current state of DPI technology (form factors and capabilities)
- How Suricata and DPI complement one another to improve network protection
- Examples of enhanced visibility and threat detection DPI enables
- Sample architectures for integrating these two technologies
Partner Sponsor Level Recognition
Detecting Lateral Movements with Suricata Multi-Tenant Setups in Zero Trust Network Architectures
Nidhi V. Singhai & Vagisha Gupta
We live in a world where breaches happen on a daily basis. Traditional security models emphasize threat actors that are external to the network and place implicit trust in internal assets. This means that once the network has been infiltrated, malicious entities have free access across the network. Thus, detecting lateral movement quickly and accurately is of high significance in order to prevent malicious actors from expanding their reach within an organization. Zero trust network architecture (ZTNA) removes implicit trust in users and enables threat detection on lateral traffic as well. Two of the primary building blocks of ZTNA networks are segmentation and multi-tenancy: while segmentation divides the client networks into sub-networks, multi-tenancy enables granular control of the different segments with different security policies. In this talk, we explore how Suricata can be run in a multi-tenant setup to achieve a Zero Trust architecture. We will expand on the Suricata capabilities that can be used in such an architecture and on how the data can be visually analyzed in threat hunting.
Distributed Sensor Network: Development and Implementation of a Distributed Sensor Network Using Suricata on a Brazilian Academic Network
Driven by the need for greater autonomy in detecting malicious activity on Brazilian academic networks, CAIS/RNP, the Brazilian National Academic and Research Network CSIRT, which serves a constituency of approximately 1500 institutions, developed its own monitoring solution based on an open-source network IDS/IPS (Suricata). The solution uses a master-engine model and incorporates additional features and customizations to obtain an efficient, easily managed and complete platform for proactive detection of network security incidents. This eases the day-to-day work of incident handlers and strengthens the CSIRT’s incident handling capability, which is one of the core services of any CSIRT.
Suricata and CodeQL: Hunting Bugs with Yet Another Static Analysis Tool
Thibaut Hansmann & Hugo Florenty
CodeQL is a static analysis tool developed by GitHub Security Lab to find vulnerabilities, especially in open source software. With its query language, CodeQL lets you query code as though it were data. Based on past bugfixes in Suricata, four new queries were written to look for other variants of these bugs. A configuration file was added to Suricata to allow CodeQL to run as part of GitHub CI actions and catch new bugs before they reach the development branches. Finally, these queries were run on more than 1800 other open source projects to scale up bug finding.
Suricata Roadmap | Part 2
Friday, November 11 — Day 3
OISF — Foundation Status Report and Updates
Customizable Decay: How to Maximize Suricata Event Utility in Finite Space
Sascha Steinbiss, Matthias Vallentin, & Benno Evers
In addition to its rule-based alerting, Suricata provides a rich metadata feed that summarizes network activity as structured events. This observed activity proves invaluable for post-hoc incident response, proactive threat hunting, and alert contextualization. In large environments, it is not trivial to back-haul this data to a central location. Large links generate terabytes of data daily, and data residency requirements often restrict data shipping. Given finite space at the edge, how do we maximize metadata retention span?
In this talk, we present design, implementation, and empirical analysis of metadata compaction of Suricata events in the VAST telemetry engine. We demonstrate how operators can flexibly configure incremental data aging to reduce the storage footprint of events gracefully. In contrast to the naive approach of deleting the oldest data points, compaction still retains key details for security analysis, preserving as much informational value as possible while gradually stripping expendable content from events.
In a case study, we show using concrete examples how this notion of event decay increases retention periods considerably. We report on our experience of running compaction in a live production environment at DCSO, where Suricata-based sensors feed a high-volume stream of EVE-JSON into VAST instances that store and continuously compact metadata.
Accelerating Suricata with DPDK Prefilters: 386 Days Later
Last year’s talk presented an introduction to the DPDK support in Suricata. It also presented a vision of what a future DPDK integration into Suricata could look like. The vision consisted of a small program, Prefilter, placed between the NICs and Suricata. Prefilter, responsible for Suricata acceleration, could either reduce the incoming traffic or add metadata to the incoming packets. It would also provide a vendor-independent option for Suricata development.
This talk brings an update on how the vision is becoming a reality. After a quick refresh of the vision, the talk presents the current Prefilter architecture with the Prefilter features that already exist, such as inter-process communication and an asynchronous bypass. Most importantly, the talk also presents the results of the first experiments.
Suricata’s Integration with Cyber Ranges
Chris “BigBiz” Brown
Gone are the days of “sure, I know Suricata” or post-course exams with static questions and multiple-choice answers. These days, it’s “trust but verify”, and there’s no better way to do that than placing students, candidates, SOC teams and anyone else who needs to validate their skills into a cyber range, live-fire cyber exercise or simulation platform that comprehensively verifies and validates skills and knowledge through range operations: observation, performance measurement, dynamic analysis and next-level feedback for advancing skills and proficiency.
In this talk, the theme would be “Westworld (sort of) meets Suricata on the cyber range of yesterday, today and tomorrow.”
For reference: https://en.wikipedia.org/wiki/Westworld_(TV_series)
Specific topics to be discussed:
- Individual and team scenarios in which Suricata can be used for a specific class of incidents
- Range and exercise monitoring for metrics
- Real-world attack scenarios to scale up an individual’s or team’s analytic ability, based on relevant and recent events within the past 6-18 months
- Risk assessment and evaluation using customer or organization rulesets against simulations, to profile signature efficacy mapped to quad-chart-style scoring of false positives, true positives, false negatives and excessive firing
- The intersection of open source and the licensing required to enable “advanced” features for SOC team collaboration during cyber range and simulation exercises
Partner Sponsor Level Recognition
Suricata Roadmap | Part 3