All times listed are EDT.
Registration | Continental Breakfast
State of Suricata (Pre-recorded with live Q&A)
Machine Learning and Network Traffic Metadata-based Tunneling Protocols Detection and Classification (Pre-recorded with live Q&A)
The proportion of encrypted network traffic is steadily increasing on the Internet. Traditional payload inspection must thus be combined with TLS interception to remain functional. This greatly complicates the deployment of tools such as IDSes. Furthermore, malicious actors often also rely on encryption to hide exchanged data, and thus reduce detection odds. In this context, network traffic metadata (e.g. packet size and timing) have been previously used in combination with machine learning techniques on many tasks related to network traffic analysis such as traffic classification, website fingerprinting in the context of DoH (DNS over HTTPS), or malware detection.
In this work, we address the detection and classification of existing tunneling techniques (SSH, IPsec, OpenVPN and WireGuard). We target one open-world scenario (tunneling detection) and two closed-world scenarios (tunnel classification and application classification inside a tunnel). We use both existing labeled network traffic and traffic we generate ourselves in a virtualized environment. We leverage state-of-the-art features such as packet sizes, Inter-Arrival Times (IAT), byte and packet bursts, along with classical features available in NetFlow v5 and v9. Our contribution is a thorough comparison of machine learning techniques and previously presented features with regard to the scenarios defined above. We also provide a performance lower bound for the considered scenarios.
The Art of QA GitLab Automation (We have a full tank of gas, half a pack of cigarettes, it's dark, and we're wearing sunglasses.)
Corey Thomas and Peter Manev
In this talk we will take you for a trip and share some of the lessons learned and challenges we have experienced during automating Suricata testing with Gitlab.
One of the big challenges of Suricata QA has always been to pick up specific public or private PRs and give visibility into their performance and accuracy impact, with security in mind. Running those PRs through a fully automated pipeline that performs IDS/IPS, ASAN, stats and other checks, displaying the deviations, and pinpointing the exact problem reported is not trivial to automate. The pipeline has to run against both static and dynamic pcap sets as well as TRex dynamic runs, and automatically report the results to the team and the public through GitHub/GitLab and online chat systems. All of that hands-off, fully automated.
Distributing Security Content to Detect Threats Across Past, Present, and Future (Pre-recorded with live Q&A)
Sascha Steinbiss and Matthias Vallentin
An IDS/IPS is only as good as the security content it is running. Besides time-tested, curated, precompiled rule sets, Suricata operators can choose from many threat intelligence providers and platforms (TIPs) that deliver up-to-date content for Suricata-based alerting and hunting.
We present a software system to leverage today’s STIX-capable TIPs to drive automated detection, allowing operators to quickly disseminate security content across a large sensor fleet, as well as efficiently detect indicators from massive IoC collections. We show how we built a federated system able to live-match millions of indicators in high-volume traffic as well as detect threats in the past by retroactively matching new indicators against stored metadata—without the need for a single centralized database cluster. The high degree of automation and publish-subscribe architecture enable a fast mean-time-to-detection. Our system also provides a unified alert reporting workflow for both live and retro alerts, enabling seamless downstream processing in Suricata-like EVE-JSON format.
All components of the described system are available as Free Software.
Drinking from the Firehose
Timothy Heilman and Joseph Feather
As networks grow and technology changes, there is an ever-greater dependency on networks to provide larger amounts of bandwidth. Organizations are enhancing local network and WAN infrastructure with cloud services, multimedia, connected vehicle, and other big data services; as a result, larger data pipes are required to provide the needed throughput. In order to protect and maintain visibility on a corporate network, security technologies, in this case NSM (Suricata and other services), need to be able to analyze network traffic at speeds of 100 Gb/s and beyond, with full packet capture at scale. Our presentation will show how General Motors architects NSM to ingest, store and process large volumes of network traffic.
Accelerating Suricata with DPDK Prefilters (Pre-recorded with live Q&A)
Pushing Suricata bandwidth to handle 100+ Gbit/s of traffic is a challenging task that has not yet been clearly solved. Traffic bypass (such as XDP) is one of the popular approaches to achieve better results.
With a similar concept in mind, we will introduce DPDK prefilters. Unlike eBPF (XDP) programs, the prefilters are implemented in standard C and build upon the Data Plane Development Kit (DPDK). The concept of DPDK prefilters extends an already implemented DPDK capture interface. This capture interface alone has increased Suricata performance by up to 16% compared to the AF_PACKET interface with the same settings.
Fast DPDK prefilters can be placed in front of Suricata to handle known-safe or unwanted traffic without involving Suricata at all. Full support for the C programming language allows the implementation of complex filters and bypass strategies. The prefilter can then contain, for example, a machine learning model that acquires its information directly from Suricata output. Additionally, prefilters could either communicate with hardware-accelerated NICs or serve as a platform for rapid prototyping of HW offloads.
The talk presents experiences with DPDK within Suricata and introduces new acceleration possibilities. A DPDK capture interface alone not only improved the capabilities of packet reception but also paved the way for new opportunities in the integration of other applications within Suricata.
New for Suricata 7: Conditional PCAP (Pre-recorded with live Q&A)
Suricata has had full PCAP capture capability for years, but this has proven to be a costly feature due to its intense performance and storage requirements. Suricata 7 introduces a new conditional capture mode that limits PCAP storage to a selected and time-bound portion of the flow. This dramatically reduces the cost of storing PCAPs without sacrificing the benefits of having a record of the important traffic associated with an event.
In this talk, we will explore the various modes available and explain how to go from JSON alerts to the associated PCAP data. We will also discuss the limitations of this feature to help attendees better understand the best ways to benefit from this new capability.
Lightning Talk: Local ETL with Vector and Suricata
Lightning Talk: Boosting Suricata with Datasets (Pre-recorded with live Q&A)
Suricata Roadmap | Deployment
Thursday, October 21 — Day 2
Web Assembly Deep Dive (Pre-recorded with live Q&A)
WASM (aka WebAssembly) is a binary instruction format for a stack-based virtual machine. Its goals are to provide a portable, safe (sandboxed) environment for executing low-level bytecode. It has been designed mainly for the web and is supported by most browsers. Although not officially presented as such, it is a replacement for Flash applications and represents a game changer: it can be used for interactive games, large applications, etc.
While the primary target is the web, it can also be used in other environments: serverless applications, blockchain contracts, Linux kernel modules, and even malware. The portability and sandboxing features of WASM also make it a good candidate for a
My talk covers the following:
First, we will describe the WASM basics and ecosystem:
– what it is (and is not)
– what it looks like (WAT and WASM formats)
– the tools and toolchains
We will explore the runtime environment to explain the main features of WASM (linear memory, execution engine), and focus on the security features (security model, isolation of modules, obfuscation techniques, etc.).
We will then discuss some of the real-world uses of WASM, from legitimate cases to uses by malware (mostly cryptominers). This will allow us to present the opportunities and difficulties for detection tools like Suricata.
Finally, we will present the results of an experiment conducted this year, aiming at using WASM to add a plugin system for Suricata. We will present some feedback on the advantages and drawbacks of WASM in this context for different kinds of users: core developers, plugin developers and end users.
Building an Open Source IDS/IPS Service on AWS with Suricata (Pre-recorded with live Q&A)
Nick Coval and Adam Palmer
The OISF and AWS recently worked together on the integration of Suricata and AWS Network Firewall; specifically on the enhancement of the Suricata code to support the Generic Network Virtualization Encapsulation (GENEVE) protocol. Internally, AWS Network Firewall uses the AWS Gateway Load Balancer Service (GWLB) which enables AWS to provide customers with a simple, elastic and scalable firewall service.
The GWLB service launched with support from AWS Marketplace partners. These partners provide network security appliances that enable customers to perform varying levels of packet inspection on flows that pass through them, taking action as necessary and as defined within their configuration. Whilst for some customers using a partner-supplied instance is the preferred choice (perhaps due to existing licensing, expertise or a specific capability), there is a segment of customers that wish to benefit from all the capabilities that GWLB as a framework provides but have none of the aforementioned considerations. For these customers, embracing open-source capabilities can make sense.
In this talk, we outline how we built a quick-start solution on AWS that deploys a Suricata-based IDS/IPS powered by GWLB, enabling both centralized and distributed deployment models.
Keeping on Fuzzing and Fixing Suricata (Pre-recorded with live Q&A)
Fuzzing is especially relevant for Suricata, as Suricata parses and processes a vast number of complex formats. Even though fuzzing has been applied to Suricata for several years, it keeps finding bugs in both old and new code.
This talk will cover the improvements and tuning made to the fuzzing framework, which could be applied to a similar open-source project, and will present some of the latest bugs found by fuzzing.
Making CENTS of Malware Configurations
Jack Mott, Brandon Murphy, and Konstantin Klinger
Malware is increasingly using encryption and TLS for command-and-control network traffic. This increased adoption has resulted in difficulty when creating typical network intrusion detection signatures. However, it is often possible to extract the configuration of a malware sample including DGA seeds, C2 domains/ports, crypto keys, version number, etc. These details can be used to determine what post-exploitation or post-infection network communication can be expected from the malware in later stages of malware execution.
This presentation will demonstrate how to leverage configuration parameters already extracted by CAPE Sandbox to generate Suricata signatures. While this is easy on a per-sample basis, any solution should be scalable and enable automatic signature creation for the most common malware families. Our proposed solution, CENTS (Configuration Extraction to Network Traffic Signatures), will demonstrate one method of achieving automated coverage for the most common malware families that use encryption and TLS.
Unleash Suricata Superpowers with a Splunk App (Pre-recorded with live Q&A)
Beginning with the introduction of the EVE JSON output in Suricata 2.0, Splunk users had the raw tools to easily ingest Suricata data, but leveraging the advanced analytics available in Splunk for analyzing application transactions has proven to be more elusive.
After reviewing the relevant Splunk and Suricata capabilities, the presenters will use real-world examples from the Stamus Networks App for Splunk to help you gain deep insight into your network activity and a more accurate assessment of your organization’s security posture.
The Stamus Networks App provides security teams with an easy way to correlate, analyze, search, and gain insights into their overall enterprise network security posture from their Suricata sensors.
The app is open source, free, and currently available for download on Splunkbase.
Virtual Meerkat: Tips, Tricks, and Pitfalls for a Virtualized Suricata Experience (Pre-recorded with live Q&A)
A brief, entry-level expedition through setting up Suricata within a virtualized environment. It will cover planning, implementation, common problems, tuning, and tips:
- Recommended settings in a virtual environment
- Scoping, planning, and mapping your setup
- Future scaling considerations
- Drivers and Suricata running mode
- Network segmentation
- Suricata BPF filters and pass rules
- Operating system and sensor tuning
- Common methods of getting traffic flow to your sensors
  - port mirroring, USB / PCIe passthrough, virtual switches
- Overview of virtualized sensors in production setups
Using Suricata to Perform Practical Industrial Control System (ICS) Threat Hunting
Leonard Jacobs and Raul Rodriguez
Industrial control systems and networks are becoming more of a target for cyber threat adversaries. Tools such as Suricata provide the capabilities needed to hunt down cyber threats in ICS networks. Cyber defenders need to learn how to perform threat hunting in ICS environments, because such an environment resembles an Information Technology network but is more specialized. The audience will first gain an understanding of what an industrial control environment contains, then learn how to apply the capabilities of Suricata to practical hunting for cyber threats in ICS networks.
Lightning Talk: Adding PostgreSQL Support to Suricata (Pre-recorded with live Q&A)
Lightning Talk: Improving Python Tools for Suricata: My Outreachy Internship (Pre-recorded with live Q&A)
Suricata Roadmap | Rules and Analysis
Friday, October 22 — Day 3
OISF Consortium and Foundation News
Evading Suricata Intrusion Detection System: Researching Evasions for Server Message Block (Pre-recorded with live Q&A)
Louis Jacotot and Bastien Del-Valle
The purpose of our paper is to research potential evasions of Suricata for SMB. To contribute this idea to the project, we set up a lab on a cyber range and developed a proxy that transforms SMB traffic using evasion methods. First, we researched interesting evasion methods to try. We tried 7 evasion methods and showed that Suricata was vulnerable to 3 evasions of SMB rules. Moreover, we showed that a flaw affected every Suricata Rust parser. For each working and non-working evasion we found, we created regression tests and submitted them to a Suricata test repository. Our study on SMB evasions is not exhaustive, and we propose many ideas for future work.
Efficient Suricata: Migrating from Millions of Events to Manageable Insights (Pre-recorded with live Q&A)
Peter Manev and Eric Leblond
As powerful as Suricata is, most implementations simply produce too many alerts and not enough insight. A bold new approach is needed to shift from a classic network threat detection model to a more valuable solution providing truly actionable indicators.
In this session, we will provide a practical introduction to extracting the most useful information from the overwhelming amount of raw data provided by the Suricata alert and protocol transaction logs. This approach allows the SOC team to reduce its burden from millions of alerts each day to a few hundred that need investigating.
Presenters will demonstrate this concept using open source SELKS and its commercial cousin.
Enabling Suricata in the Cloud at Scale Using DPDK
In this talk, I will present a solution to run Suricata in the cloud efficiently and at scale. The solution is based on R-Core, a DPDK-based packet path technology designed to deliver packets from the wire to the application while minimizing compute effort. R-Core’s high-performance features include zero copy, multi-core load balancing, NUMA affinity, CPU pinning, lock-free data structures, and multithreading, among others. R-Core supports an arbitrary number of applications (e.g., Suricata, Zeek, tcpdump, etc.) being simultaneously connected to the same traffic feed, avoiding expensive packet copies and saving computational cycles.
By leveraging DPDK’s abstraction API, R-Core enables Suricata to run on DPDK-capable NICs, including both on-premises physical appliances and the virtual NICs available from the main cloud providers, in both virtual machines and containerized environments. In the cloud, R-Core supports network load balancing technology to enable elasticity and automatic scaling of Suricata sensors based on traffic demand.
In the presentation, I plan to present an architecture to run Suricata in the cloud providing elasticity and scalability. I will also demonstrate a cloud deployment of Suricata using R-Core by leveraging the high-performance capabilities of AWS ENA NICs and AWS Elastic Load Balancing (ELB).
The State of Meer
Champ Clark III
Meer is a “spooler” for Suricata. This means that Meer takes the EVE output from Suricata and can “route” it to various storage back ends. For example, Meer can send data to databases like MariaDB/MySQL, PostgreSQL, Redis, Elasticsearch, external programs, etc. Meer can also assist with augmenting data by adding extra JSON fields to the Suricata EVE output (DNS records, etc.). Meer has been continually developed to be a fast and lightweight Suricata spooler. Meer’s development started back in 2018, and this talk will discuss the developments that have taken place, Meer use cases, and how it can help you with Suricata data collection. Meer can be found at https://github.com/quadrantsec/meer.
Suricata Roadmap | Overflow and Development