3rd Annual SuriCon Agenda

Wednesday, November 15

Victor is one of the founders of OISF and a member of its Core Team.

ABSTRACT: Suricata has drawn worldwide interest and acclaim through its extensive network security featureset, stellar performance envelope, and active schedule for new features and functionality. Over time, there are not only performance enhancements to the engine itself, but additionally new features and inspection capabilities which make Suricata an even more mission critical application in the modern network security toolset. While the pace of innovation in Suricata makes it a great choice for security researchers, enterprise deployments, and even as the core engine to power OEM vendor security appliances, one area of consistent inquiry is “how does feature / knob X impact the performance of Suricata using real networking scenarios?” Or even understanding “how the enhancements introduced in one version of Suricata trend historically overtime? — Not only across a simple metric like throughput, but also more advanced factors like session setup time, latency, PPS, max concurrent sessions and more.” In this talk we will seek to demystify Suricata’s performance across many releases/features, present our results with lessons learned, and share our methodology so that anyone with the appropriate tools can reproduce.

ABSTRACT: IDS is not dead. It is still alive and continually evolving into the next generation of security tools. Call it intrusion detection, breach detection, or threat hunting, the next wave of opportunity for detection in cybersecurity is with ML. Given the ever-growing volume of security events that analysts handle each day, ML is ideally suited to tackle challenges like reducing false positives, detecting zero-day attacks, and driving automation.

Unlike signature-based rules that become irrelevant over time, ML algorithms are designed to learn and continually improve with more data. In this talk, Randy will (re)introduce Mobster, a lightweight ML framework designed to operate with Suricata as a cohort. To appreciate the magic, he will demonstrate a simple, yet effective, DGA classifier to detect and dynamically update the rule engine’s reputation list of IP.

Grab a bite and network with your fellow attendees.

ABSTRACT: Criminals distribute malware through wide-scale methods and targeted attacks. This presentation reviews recent trends in malware distribution, focusing on detection through network security monitoring. In recent years, the most news-worthy trend is the prevalence of ransomware. From there, the discussion turns to three common distribution vectors: email, social media, and the web. Examining suspicious network activity is a key component of investigating possible malware infections. A network security monitoring solution like Suricata is key to reviewing your organization’s traffic. This presentation explores two phases of any investigation. First is the implication of signature hits on network traffic for an initial infection. Next is the significance of valid signature hits on post-infection activity. The talk wraps up with prevention strategies and the importance of monitoring your organization’s network traffic.

ABSTRACT: Round 2 of my presentation from last year’s Suricon in Washington, DC. Lots of great visualization, advanced security analytics, more analysis of the Mirai botnet and other threats attacking my honeypot between then and now. I will cover detecting various types of threats eg: ransomware, botnets, insider threats, spam activity.

ABSTRACT: Despite being known for a long time, memory violations are still a very important cause of security problems in low-level programming languages containing data parsers. We address this problem by proposing a pragmatic solution to fix not only bugs, but class of bugs. First, using a fast and safe language such as Rust, and then using a parser combinator. We discuss the advantages and difficulties of this solution, and we present two cases of how to implement safe parsers and insert them in large C projects. The implementation is provided as a set of parsers and projects in the Rust language.

ABSTRACT: Suricata is a CPU bound application, its performance is hence affected by the number of processed packets. For years, Suricata performance has been improved by offloading selected tasks or using accelerated packet capture techniques that overcome typical operating system bottlenecks as well as reducing CPU cycles necessary to process a packet flow. In order to reduce the ingress rate, packet filtering techniques have been used with limited success, since filtering rules are static. It would be desirable for Suricata to directly instruct the packet capture system to drop or pass through selected packet flows. This technique, named flow offload, is currently implemented in Suricata in the NFQUEUE module, but unfortunately it does not significantly improve the overall performance.

This talk covers the implementation of PF_RING enabled hardware flow shunting on Accolade 10/40/100 Gbit network adapters. By exploiting the Accolade hardware-based flow classification engine, it is possible to request the network adapter to drop or forward packets from selected flows when flow shunting mode is enabled in Suricata. Depending on the NIC model, it is possible to offload up to 16 or 32 million active flows in hardware. Validation performed on real user traffic has demonstrated that the heavy flows affecting Suricata performance, are usually large downloads or video streams. By enabling flow shunting on the adapter, these heavy flows are dropped by hardware. The use of this technique makes it possible to combine both packet capture acceleration and hardware flow offload, and to enable Suricata to perform at 40 and 100 Gbps.

ABSTRACT: This will be a 4 person joint presentation about how we are approaching writing signatures for Suricata 4.0 and all the new features. Lots of “here’s how we used to do it for 1.3, here’s how we can do it now.”

Wrap-up of the first day of events.

More information to come.

Thursday, November 16

Eat and mingle.

ABSTRACT: When crafting IDS/IPS rules for engines such as Suricata, it is imperative that the rules behave and perform as expected. To validate this, testing must be performed; but often capturing the malicious or applicable traffic can be difficult. And even when a pcap is available or saved, testing IDS coverage with a current ruleset on one or more IDS devices can be onerous. This talk discusses the design and use of two tools — “Flowsynth” and “Dalton” — that allow for the easy creation and testing of network packet captures against Suricata and other IDS devices.

Flowsynth is a tool for rapidly modeling network traffic and generating libpcap formatted packet captures. While at its core Flowysynth is a glorified wrapper for Scapy, the input for Flowsynth is a text-based, structured, yet easy to create and understand, intermediate language that allows for programmatic network flow definitions as well as ad hoc and custom network traffic creation. Furthermore, a web-based front end for Flowsynth will be demonstrated, showing how simple and complicated network flows can be easily created in a matter of minutes if not seconds.

Dalton is a system that allows a user to quickly and easily run pcaps against an IDS of his or her choice (e.g. Suricata, Snort) using an existing ruleset and/or bespoke rules. Dalon supports an API but is most commonly utilized via a web interface that provides immediate and easily navigable feedback on submitted jobs. The two most common uses of Dalton are for testing rulesets (e.g. “what rules does this pcap trigger?”) and for developing/troubleshooting signatures. Custom per-job configurations (e.g. suricata.yaml) are supported, allowing for easy testing of configuration changes, variable changes, and/or IDS engine behavior as well.

ABSTRACT: The presentation will be broken down into how a security engineer or cyber security analyst can tune their Suricata IDS alerts given that IDS is already logging to Splunk. The presentation will not be about engineering or setup of the IDS to log to Splunk, or how to configure Splunk apps to triage Suricata IDS alerts. This will be an overview for monitoring, tuning and a tool / dashboard for cyber security analysts to better triage IDS signatures firing within their environment. The audience of the presentation should be cyber security managers, cyber security analysts, cyber security engineers and those interested in building custom cyber security dashboards. This discussion will not be vendor focused or specific to any IDS products. An appendix of scripts, regexes, splunk queries, and technical details can be provided if this presentation is accepted. Please take note that a large percentage of this presentation will be a walkthrough of the dashboard / tool I’ve custom built to triage Suricata IDS alerts.

ABSTRACT: Many ICS protocols are binary based, stateless, and without authentication abilities. This presents a challenge for hardware-based devices which may be legacy or have poor protocol parsing abilities. We will discuss specific security concerns with Modbus, a ubiquitous ICS protocol in use throughout the world today. Published in its original form almost 40 years ago, this serial-based protocol has evolved slightly over the years into the more modern Modbus/TCP protocol and now represents a serious attack surface. We’ll also look at ways to enhance the Modbus parsing engine within Suricata to help detect some of these threats.

ABSTRACT: Thales Communications & Security deliver products to customers in order to enhance their IT security. IP Probe is one of these products. Our aim is an IP probe with at least 10 Gigabits IP flow capacity. We have decided to build our architecture around Suricata versus other existing solutions because we know this software was built since day 1 with this objective.

Building just a product with Suricata over a basic Linux distribution is not enough to provide the ultimate solution to protect against attacks on the network and on the appliance itself. At minima we had to build our solution based on GNU/Linux hardening best practices. But in order to improve the security of the probe, we did our architecture design using research paper about the subject of hardened IP probes. We have based our solution on the containers segmentation principles: one container per application. My goal is to present our use case for a designer and tester point of view and explain the way we have built our Suricata appliance with LXC containers and an hardened distribution. Our probe uses most of Suricata features (file storage, NSM, HTTP management, high capacity). Around Suricata, we add proprietary applications in other containers. They are using metadata and file extraction capacity of Suricata engine. All these applications run within the same hardware appliance.”

ABSTRACT: A follow up of our first SEPTun article and presentation at SuriCon 2016. Extreme techniques, tuning tips, and lessons learned for squeezing the best performance out of your Suricata 4.+ environment.

ABSTRACT: Suricata permits to give an overview about what happens in your networks thanks to the logging mechanisms already implemented. During this year I have made some improvements to log more information. I will cover the current state of logging in Suricata and show also the enhancements I have done showing which benefits an end-user can obtain. For example, you will be able to: Add more information about http request/response body, log DNS information when an alert is fired up, get stats about your ruleset, and other features that will be presented during the talk.

ABSTRACT: This talk explores the various ways and methods that Emerging Threats IDS rules approach writing signatures for modern non-malware attacks such as Credential Phishing and Fake Tech Support. Over the past year+ of writing lots of phishing sigs, I have a bunch of techniques that have been successful in detecting social engineering attacks en masse.

ABSTRACT: We want to do network intrusion detection right. Two of the most popular tools available as opensource projects, Snort and Suricata, define their analysis from signatures to trigger an alert. The attack source is usually defined as the source of the stream triggering the alert. This paper addresses the resulting problems, for example to automate the analysis or find compromission chains. The talk will explain how to improve the IDS signatures, as well as the benefits. We use Suricata to demonstrate the benefits in term of analysis and visualization.

Wrap-up of the second day of events.

More information to come.

Friday, November 17

Eat and mingle.

ABSTRACT Have you ever wondered how to deploy NSM in AWS? This talk will walk you through our journey to the cloud, with Suricata installed and monitoring the network traffic. I will share the design we used, how we deploy, care and feed little meerkats, lost in the fog. How to ship logs back and what the AWS design should look like. What kind of challenges you will face, how to solve them, what is special and unique about vaporized monitoring. Some performance testing results will be published as well. All of the supporting code will land on github for you to enjoy.

ABSTRACT I’ve been downloading malware pcaps from (http://www.malware-traffic-analysis.net/) running those through Suricata to see which emerging threats rules fire, analyzing results in Splunk. With Splunk, I can determine if Suricata alerted for a specific IOC by looking not just at the alert but everything in eve.json to see if there are better signatures/Indicators of Compromise. I can iteratively make changes to my signatures, for specific threats targeting my enterprise. A second option is to use this technique as a training tool for introductory network and malware analysis. Sometimes it is really difficult to “see” bad data as a newbie security analyst and learn from it. Using Suricata and Splunk you could visualize the data easily and get “free” alerting in the alert event type to start understanding how Suricata works and what data an IPS/IDS is capable of logging.

Wrap-up of the third and final day of events.