amsterdamize your firewall
TRANSCRIPT
![Page 1: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/1.jpg)
Amsterdamize your firewall
É. Leblond
Stamus Networks
2016 June 27
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 1 / 27
![Page 2: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/2.jpg)
Éric Leblond
Éric Leblond aka@RegitericNetfitler coreteam andSuricata core developerCo-founder of StamusNetworks
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 2 / 27
![Page 3: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/3.jpg)
Disclaimer
DisclaimerThis talk does not aim to hurt the feeling of Dutch people in theassitance. So it will not cover subjects like certificates authorities orsoccer.
OntkenningKatje poesje Nelletje waar ben je toch geweest? Je hebt verbrand jevelletje je was zo’n aardig beest.
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 3 / 27
![Page 4: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/4.jpg)
Suricata key points
SuricataProtocolanalysis
Port inde-pendant
detection
Metadataextraction
Protocols HTTP
SMTP
TLSDNS
SSH
Intrusiondetection
Signatures
Protocolkeywords
Multi stepattacks
Lua foradvanceanalysis
ArchitectureOutput
JSONRedis
Syslog
Prelude
IDSpcap
afpacket
netmap
IPS
Netfilterafpacket
ipfw
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 4 / 27
![Page 5: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/5.jpg)
SELKS
An installable and live ISOBased on Debian liveA running Suricata configured and manageable via a webinterface
ContenuSuricata: git version
Signature based IDSNetwork Security Monitoring engineOpen source
Elasticsearch: database, full search textLogstash: collect info and store them in ElasticsearchKibana: dashboard interface for data analysisScirius: web interface for suricata ruleset management
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 5 / 27
![Page 6: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/6.jpg)
Docker
Light weight virtualizationContainers based
Use cgroupVarious namespaces
Application repositoryPull an applicationFire itForget it
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 6 / 27
![Page 7: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/7.jpg)
Suricata Docker QA
Buildbot and prscriptA Python system to automate the compile/test cycle to validatecode changes.Prscript is pre Pull Request script:
Known developers have to run it before PRTrigger a series of build in the buildbotAlso some basic functional tests
Docker mode for prscriptBuildbot installed in a docker containerReady to use via prscriptAvailable in docker hubConfiguration in the source
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 7 / 27
![Page 8: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/8.jpg)
Docker compose
OrchestrationCreate distributed applicationsDistributed applications consist of many small applications thatwork together.
PrincipleDefine containers to startBind mount as shared folders/etc/hosts to established relation
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 8 / 27
![Page 9: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/9.jpg)
Amsterdam: SELKS meet Docker
SELKS componentsSuricata: latest releaseELK: latest version including Kibana 4EveboxScirius
DockerUsing ComposeWith official ELK containers
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 9 / 27
![Page 10: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/10.jpg)
Install Amsterdam
Installationp ip i n s t a l l amsterdam# v e r i f y vers ionp ip show amsterdam# create an ins tance i n the ams d i r e c t o r yamsterdam −d ams − i wlan0 setup# s t a r t ins tanceamsterdam −d ams s t a r t
UtilisationPoint your browser to https://localhost/ or on the IP of server ifon an external box.
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 10 / 27
![Page 11: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/11.jpg)
Amsterdamize your firewall
Install Amsterdam on your firewallAmsterdam on an existing firewallSniff one of the network interfaces
Dashboards everywhereFirewall do logsLogs are not in the dashboards
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 11 / 27
![Page 12: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/12.jpg)
At the beginning was syslog
Pre Netfilter daysFlat packet loggingOne line per packet
A lot of informationNon searchable
Not sexyINPUT DROP IN=eth0 OUT= MAC=00:1a:92:05:ee:68:00:b0:8e:83:3b:f0:08:00 SRC=62.212.121.211 DST=91.121.73.151 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=35342 DF PROTO=TCP SPT=59261 DPT=113 WINDOW=5440 RES=0x00 SYN URGP=0IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=37732 DF PROTO=TCP SPT=443 DPT=48875 WINDOW=0 RES=0x00 ACK RST URGP=0IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.23 DST=192.168.11.3 LEN=86 TOS=0x00 PREC=0x00 TTL=243 ID=33964 DF PROTO=TCP SPT=80 DPT=49617 WINDOW=0 RES=0x00 ACK RST URGP=0IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=62292 DF PROTO=TCP SPT=80 DPT=60462 WINDOW=0 RES=0x00 ACK RST URGP=0IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=22480 DF PROTO=TCP SPT=443 DPT=50876 WINDOW=0 RES=0x00 ACK RST URGP=0
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 12 / 27
![Page 13: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/13.jpg)
At the beginning was syslog
Pre Netfilter daysFlat packet loggingOne line per packet
A lot of informationNon searchable
Not sexyINPUT DROP IN=eth0 OUT= MAC=00:1a:92:05:ee:68:00:b0:8e:83:3b:f0:08:00 SRC=62.212.121.211 DST=91.121.73.151 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=35342 DF PROTO=TCP SPT=59261 DPT=113 WINDOW=5440 RES=0x00 SYN URGP=0IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=37732 DF PROTO=TCP SPT=443 DPT=48875 WINDOW=0 RES=0x00 ACK RST URGP=0IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.23 DST=192.168.11.3 LEN=86 TOS=0x00 PREC=0x00 TTL=243 ID=33964 DF PROTO=TCP SPT=80 DPT=49617 WINDOW=0 RES=0x00 ACK RST URGP=0IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=62292 DF PROTO=TCP SPT=80 DPT=60462 WINDOW=0 RES=0x00 ACK RST URGP=0IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=22480 DF PROTO=TCP SPT=443 DPT=50876 WINDOW=0 RES=0x00 ACK RST URGP=0
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 12 / 27
![Page 14: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/14.jpg)
Ulogd2: complete Netfilter logging
Ulogd2Interact with the post 2.6.14 librariesRewrite of ulogdSCTP support (developed during @philpraxis talk at hack.lu 2008)multiple output and input through the use of stack
libnetfilter_log (generalized ulog)Packet loggingIPv6 readyFew structural modification
libnetfilter_conntrack (new)Connection tracking loggingAccounting, logging
libnetfilter_nfacct (added recently)High performance accounting
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 13 / 27
![Page 15: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/15.jpg)
Ulogd: output and configuration
Sexify outputSyslog and file outputSQL output: PGSQL, MySQL, SQLiteGraphiteJSON output
Some stack examplesstack=log2:NFLOG,base1:BASE,ifi1:IFINDEX, \
ip2str1:IP2STR,mac2str1:HWHDR,json1:JSONstack=ct1:NFCT,mark1:MARK,ip2str1:IP2STR,pgsql2:PGSQL
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 14 / 27
![Page 16: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/16.jpg)
Plan of Amsterdam
Data directoriesbackupselasticsearch, sciriussuricata
Config files directoriessub directories of config directory: evebox logstash nginx sciriussuricatadocker directorydocker-compose.yml
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 15 / 27
![Page 17: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/17.jpg)
Inject Ulogd2 data in Amsterdam
The suricata data directoryReadable by logstashAny JSON files will be parsed by ulogd2
Inject dataUpdate ulogd2 configurationChange output target:
[ json1 ]sync=1f i l e = " / path / to / amsterdam / s u r i c a t a / ulogd . json "
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 16 / 27
![Page 18: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/18.jpg)
Inject Ulogd2 data in Amsterdam
The suricata data directoryReadable by logstashAny JSON files will be parsed by ulogd2
Inject dataUpdate ulogd2 configurationChange output target:
[ json1 ]sync=1f i l e = " / path / to / amsterdam / s u r i c a t a / ulogd . json "
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 16 / 27
![Page 19: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/19.jpg)
Ulogd2 in Amsterdam
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 17 / 27
![Page 20: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/20.jpg)
Plotting TCP window at start
OS passive fingerprintingValue of TCP window at start is not specified in RFCThe value is a choice of the OSWe can use this for identification
Value for some OSes8192: Windows 7 SP165535: Mac OS X 10.2 - 10.714600: Some Linux5840: Some other Linux
Source: http://noc.to/#Help:TcpSynPacketSignature
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 18 / 27
![Page 21: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/21.jpg)
The facts
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 19 / 27
![Page 22: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/22.jpg)
The facts
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 20 / 27
![Page 23: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/23.jpg)
The facts
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 21 / 27
![Page 24: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/24.jpg)
The facts
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 22 / 27
![Page 25: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/25.jpg)
Suricata meet Netfilter
Ulogd2 as an Amsterdam componentInstall ulogd2 inside a containerGet the netlink message to the container
Docker compose configuration
ulogd :b u i l d : / path / to / ams / docker / ulogdvolumes :
− / path / to / ams / s u r i c a t a : / var / log / s u r i c a t a : rw− / path / to / ams / con f i g / ulogd / ulogd . conf : / e tc / ulogd . conf : ro
cap_add :− NET_ADMIN
net : host
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 23 / 27
![Page 26: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/26.jpg)
Suricata meet Netfilter
Ulogd2 as an Amsterdam componentInstall ulogd2 inside a containerGet the netlink message to the container
Docker compose configuration
ulogd :b u i l d : / path / to / ams / docker / ulogdvolumes :
− / path / to / ams / s u r i c a t a : / var / log / s u r i c a t a : rw− / path / to / ams / con f i g / ulogd / ulogd . conf : / e tc / ulogd . conf : ro
cap_add :− NET_ADMIN
net : host
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 23 / 27
![Page 27: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/27.jpg)
Add ulogd
Ulogd2 Dockerfile
FROM debian : j e s s i e
run apt−get updaterun DEBIAN_FRONTEND= n o n i n t e r a c t i v e apt−get i n s t a l l −y ulogd2
CMD [ " / usr / sb in / ulogd " , "−c " , " / e tc / ulogd . conf " ]
Start the system
amsterdam −d ams s t a r t
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 24 / 27
![Page 28: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/28.jpg)
Elasticsearch 2.0 and backward compatibility
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 25 / 27
![Page 29: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/29.jpg)
Get a fix in Amsterdam
Install logstash plugin: update docker/logstash/Dockerfile
FROM logs tash : 2 . 3
ADD e las t i csea rch−template . json / opt / logs tash / vendor / bundle / j r uby / 1 . 9 / gems / logstash−output−e las t i csea rch −2.5.1− java / l i b / logs tash / outputs / e l a s t i c s e a r c h /
RUN / opt / logs tash / b in / logstash−p lug in i n s t a l l logstash− f i l t e r −de_dot
Install logstash config in config/logstash
f i l t e r {de_dot {
}. . .
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 26 / 27
![Page 30: Amsterdamize your firewall](https://reader035.vdocument.in/reader035/viewer/2022062504/58a2daa71a28ab32438bd0bd/html5/thumbnails/30.jpg)
Conclusion
AmsterdamEasy to install Suricata ecosystemEasy tuning
More informationSuricata: http://www.suricata-ids.org/Amsterdam :https://github.com/StamusNetworks/Amsterdam
Stamus Networks : https://www.stamus-networks.com/
É. Leblond (Stamus Networks) Amsterdamize your firewall 2016 June 27 27 / 27