suricata - netfilterworkshop.netfilter.org/.../1f/eric_leblond_ids-suricata.pdf · 2013-03-21 ·...
Suricata
Éric Leblond / Victor Julien
OISF
March 12, 2013
Éric Leblond / Victor Julien (OISF) Suricata March 12, 2013 1 / 41
1. Suricata
   - Ecosystem
   - Goals of the project
   - Features
   - Advanced functionalities
2. IPS
   - IPS basics
   - Stream inline
   - IPS advanced functions
IDS? IPS?
System to uncover malicious/unwanted activity on your network by inspecting the network traffic.
- IDS: (Network) Intrusion Detection System
  - Passive, it only looks and alerts the admin
  - Compare to a security camera
- IPS: (Network) Intrusion Prevention System
  - Active, tries to prevent badness from happening
  - Compare to a security checkpoint
Suricata reconstruction and normalization
https://home.regit.org/~regit/decomp-en.svg
Similar projects
- Bro
  - Different technology (capture oriented)
  - Statistical study
  - Scripting
  - Complementary
- Snort
  - Equivalent
  - Compatible
  - Competing project
Suricata vs Snort
- Suricata
  - Driven by a foundation
  - Multi-threaded
  - Native IPS
  - Advanced functions (flowint, libHTP, LuaJIT scripting)
  - PF_RING support, CUDA support
  - Modern and modular code
  - Young but dynamic
- Snort
  - Developed by Sourcefire
  - Multi-process
  - IPS support
  - SO ruleset (advanced logic + perf but closed)
  - No hardware acceleration
  - Old code
  - 10 years of experience

Independent study: http://www.aldeid.com/index.php/Suricata-vs-snort
Suricata with Snort ruleset
- Not optimised
- Does not use any advanced features
Suricata with dedicated ruleset
- Uses Suricata optimised detection
- Uses Suricata advanced keywords
- Can get one for free from http://www.emergingthreats.net/
About OISF
Open Information Security Foundation: http://www.openinfosecfoundation.org
- Non-profit foundation organized to build a next generation IDS/IPS engine
- Funded by US Government (DHS, Navy)
- Development of an Open Source IDS/IPS:
  - Paying developers
  - Financial support of related projects (barnyard2)
  - Board which oversees foundation management
  - Roadmap is defined in public brainstorm sessions
About OISF
- Consortium members
  - HOST program: Homeland Open Security Technology
  - Platinum level: BAE Systems, nPulse
  - Gold level: Tilera, Endace, Emerging Threats
  - Bronze level: SRC, Everis, NitroSecurity, Myricom, Emulex
  - Technology partner: Napatech, Nvidia
- Developers
  - Lead: Victor Julien
  - Core developers: Anoop Saldanha, Eric Leblond
  - Developers: several from consortium members, community
  - Suricata has been created by about 35 developers so far.
- Board
  - Project leader: Matt Jonkman
  - Richard Bejtlich, Dr. Jose Nazario, Joel Ebrahimi, Marc Norton, Stuart Wilson
Goals
- Bring new technologies to IDS
- Performance: multi-threading, hardware acceleration
- Open source: community driven (GPLv2)
- Support of Linux / *BSD / Mac OSX / Windows
Features
- IPv6 native support
- Multi-threaded
- Native hardware acceleration (PF_RING, Napatech, Endace, Myricom)
- Numerous options for performance optimisation
- Optimized support of IP only tests
- IPS is native (inline mode)
- Protocol detection
- Advanced HTTP and TLS support
- File extraction
- LuaJIT scripting (experimental)
- IP Reputation and GeoIP
Suricata Ecosystem

Example of high performance Suricata setup
Entry modules
- IDS
  - PCAP
    - live, multi interface
    - offline support
  - AF_PACKET
  - PF_RING: kernel level, http://www.ntop.org/PF_RING.html
  - Capture card support: Napatech, Myricom, Endace
- IPS
  - NFQueue: Linux, multi-queue, advanced support
  - AF_PACKET: Linux, bridge
  - ipfw: FreeBSD, NetBSD, Mac OSX
Output modules
- Fastlog (simple alerts)
- Unified2 log (full alerts, Barnyard2)
- HTTP log (log in apache-style format)
- TLS log (log certs)
- Pcap log (full packet capture to disk)
- Prelude (IDMEF)
- File log (files transferred over HTTP)
libhtp
- Security oriented HTTP parser
- Written by Ivan Ristic (ModSecurity, IronBee)
- Support of several keywords:
  - http_method
  - http_uri & http_raw_uri
  - http_client_body & http_server_body
  - http_header & http_raw_header
  - http_cookie
  - several more...
- Able to decode gzip compressed flows
Using HTTP features in signature
Signature example: Facebook chat

```
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"ET CHAT Facebook Chat (send message)"; \
flow:established,to_server; content:"POST"; http_method; \
content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; \
classtype:policy-violation; reference:url,doc.emergingthreats.net/2010784; \
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat; \
sid:2010784; rev:4; \
)
```

This signature tests:
- The HTTP method: POST
- The page: /ajax/chat/send.php
- The domain: facebook.com
Extraction and inspection of files
- Get files from HTTP downloads and uploads
- Detect information about the file using libmagic:
  - Type of file
  - Other details
  - Author (if available)
- A dedicated extension of signature language
- SMTP support coming soon
Dedicated keywords

filemagic: description of content

```
alert http any any -> any any (msg:"windows exec"; \
filemagic:"executable for MS Windows"; sid:1; rev:1;)
```

filestore: store file for inspection

```
alert http any any -> any any (msg:"windows exec"; \
filemagic:"executable for MS Windows"; \
filestore; sid:1; rev:1;)
```

fileext: file extension

```
alert http any any -> any any (msg:"jpg claimed, but not jpg file"; \
fileext:"jpg"; \
filemagic:!"JPEG image data"; sid:1; rev:1;)
```

filename: file name

```
alert http any any -> any any (msg:"sensitive file leak"; \
filename:"secret"; sid:1; rev:1;)
```
Examples

Files sent to a server that only accepts PDF

```
alert http $EXTERNAL_NET any -> $WEBSERVER any (msg:"suspicious upload"; \
flow:established,to_server; content:"POST"; http_method; \
content:"/upload.php"; http_uri; \
filemagic:!"PDF document"; \
filestore; sid:1; rev:1;)
```

Private keys in the wild

```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"outgoing private key"; \
filemagic:"RSA private key"; sid:1; rev:1;)
```
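The HTTP-buffer signature from the Facebook chat slide and the file keywords above, as an added Python example that is not part of the slides or of Suricata: a parser for the option section of a signature (modifiers such as http_uri re-target the preceding content, `!` negates a check) and an evaluator that runs the checks against constructed HTTP transactions. The transaction layout, the matching semantics (substring for content, filename and filemagic; exact match for fileext) and the sample data are assumptions of this example.

```python
"""Parser and evaluator for the option section of Suricata signatures.
Added example for this page, not Suricata code: the Tx record, the matching
semantics and all sample data are assumptions.  Raw payload content without
an http_* modifier is not modelled."""
import re
from dataclasses import dataclass

# Modifiers that re-target the content keyword that precedes them.
CONTENT_MODIFIERS = {"http_method", "http_uri", "http_raw_uri", "http_header",
                     "http_raw_header", "http_cookie", "http_client_body",
                     "http_server_body"}
FILE_KEYWORDS = {"filemagic", "fileext", "filename"}

@dataclass
class Tx:
    """Constructed HTTP transaction carrying at most one file (assumed layout)."""
    method: str
    uri: str
    headers: str
    filename: str = ""
    filemagic: str = ""     # libmagic description, as the filemagic keyword sees it

    @property
    def fileext(self) -> str:
        return self.filename.rsplit(".", 1)[-1] if "." in self.filename else ""

def split_options(rule: str) -> list:
    """Split the text between the outer parentheses on ';', ignoring ';' inside
    double quotes (a msg such as "a; b" must not be cut in two)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def parse_rule(rule: str):
    """Return (header tokens, checks, metadata); each check is a tuple
    (buffer, negated, pattern).  A content lands in 'payload' until a following
    modifier such as http_uri re-targets it, as in the slide's example."""
    rule = re.sub(r"\\\s*\n\s*", " ", rule.strip())   # join backslash continuations
    header = rule[:rule.index("(")].split()
    checks, meta = [], {}
    for opt in split_options(rule):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        negated = val.startswith("!")                   # filemagic:!"..." form
        val = val.lstrip("!").strip().strip('"')
        if key == "content":
            checks.append(["payload", negated, val])
        elif key in CONTENT_MODIFIERS and checks:
            checks[-1][0] = key
        elif key in FILE_KEYWORDS:
            checks.append([key, negated, val])
        else:
            meta[key] = val if val else True            # filestore, nocase, ...
    return header, [tuple(c) for c in checks], meta

def buffer_for(tx: Tx, name: str) -> str:
    return {"http_method": tx.method, "http_uri": tx.uri, "http_raw_uri": tx.uri,
            "http_header": tx.headers, "http_raw_header": tx.headers,
            "filename": tx.filename, "fileext": tx.fileext,
            "filemagic": tx.filemagic}.get(name, "")

def matches(rule: str, tx: Tx) -> bool:
    """True when every check holds; a '!' check holds when the pattern is absent."""
    _, checks, _ = parse_rule(rule)
    for name, negated, pattern in checks:
        data = buffer_for(tx, name)
        hit = (data == pattern) if name == "fileext" else (pattern in data)
        if hit == negated:
            return False
    return True

FACEBOOK_CHAT = r'''alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"ET CHAT Facebook Chat (send message)"; \
flow:established,to_server; content:"POST"; http_method; \
content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; \
classtype:policy-violation; sid:2010784; rev:4;)'''

FAKE_JPG = r'''alert http any any -> any any (msg:"jpg claimed, but not jpg file"; \
fileext:"jpg"; filemagic:!"JPEG image data"; sid:1; rev:1;)'''

def demo() -> dict:
    """Evaluate both rules against constructed transactions."""
    host = "Host: www.facebook.com\r\n"
    fake = Tx("POST", "/upload.php", "Host: upload.example\r\n",
              filename="cat.jpg", filemagic="PE32 executable for MS Windows")
    real = Tx("POST", "/upload.php", "Host: upload.example\r\n",
              filename="cat.jpg", filemagic="JPEG image data, JFIF standard 1.01")
    return {"chat": matches(FACEBOOK_CHAT, Tx("POST", "/ajax/chat/send.php", host)),
            "chat_get": matches(FACEBOOK_CHAT, Tx("GET", "/ajax/chat/send.php", host)),
            "fake_jpg": matches(FAKE_JPG, fake),
            "real_jpg": matches(FAKE_JPG, real)}
```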
Disk storage
- Every file can be stored to disk with a metadata file
- Disk usage limit can be set
- Scripts for looking up files / file md5's at VirusTotal and others
Luajit rules
- Rule language is really simple
  - Some tests are really difficult to write
- Logic can be obtained via flowbit usage
  - But numerous rules are necessary
- A real language makes it possible to
  - Simplify some things
  - Realize new things
- Experimental rules: https://github.com/EmergingThreats/et-luajit-scripts
Lua

Declaring a rule

```
alert tcp any any -> any any (msg:"Lua rule"; luajit:test.lua; sid:1;)
```

An example script

```lua
-- init() tells Suricata which buffers the script needs
function init(args)
    local needs = {}
    needs["http.request_line"] = tostring(true)
    return needs
end

-- match if packet and payload both contain HTTP
-- returns 1 on match, 0 otherwise
function match(args)
    local a = tostring(args["http.request_line"])
    if #a > 0 then
        if a:find("^POST%s+/.*%.php%s+HTTP/1.0$") then
            return 1
        end
    end
    return 0
end
```
1. Suricata
   - Ecosystem
   - Goals of the project
   - Features
   - Advanced functionalities
2. IPS
   - IPS basics
   - Stream inline
   - IPS advanced functions
3 major modes
- Netfilter
  - Use libnetfilter_queue and NFQUEUE
  - Gives a verdict on packets redirected by iptables rules
  - Up-to-date support
  - Maximum around 5Gb/s
- ipfw
  - Use divert socket
  - Dedicated filtering rules must be added
- AF_PACKET
  - Use Linux capture
  - Ethernet transparent mode
  - Experimental
Rules management
- The transformation
  - Make some rules start with drop instead of alert
  - A selection must be made
- Tool usage
  - Rules are updated
  - A tool is needed so that modifications survive updates
  - Pulledpork: http://code.google.com/p/pulledpork/
  - oinkmaster: http://oinkmaster.sourceforge.net/
Stream inline
- High level applicative analysis works on a data stream
- TCP data can be messy:
  - Packet loss
  - Packet retransmits
  - Out of order packets
- The IDPS must reconstruct the TCP flow before doing the applicative analysis
Problem
- IDS must be as close as possible to what is received by the target
  - Packet analysis when reception has been proven
  - ACK reception triggers data analysis
- IPS must block the packets before they reach the target
  - The IDS algorithm would block packets only after they have gone through
  - Another approach has to be used
![Page 47: Suricata - Netfilterworkshop.netfilter.org/.../1f/Eric_Leblond_IDS-suricata.pdf · 2013-03-21 · Suricata has been created by about 35 developers so far. Board Project leader: Matt](https://reader030.vdocument.in/reader030/viewer/2022040413/5f0aa1227e708231d42c91cb/html5/thumbnails/47.jpg)
IPS as a control point
IPS is a blocking pointIt is representative of what goes throughIt can reconstruct the flows before send them
Suricata implementationReconstruction of data segments at receptionSend reconstructed data to applicative layer analyserTake decision based on dataRewrite packets if necessaryTransmit (possibly modified) packets
Details: http://www.inliniac.net/blog/2011/01/31/suricata-ips-improvements.html
Suricata in IPS mode
Using a Linux/Netfilter based IPS
  Use NFQUEUE to send the decision to userspace
  All packets of a connection must be seen by Suricata
  The brutal way: iptables -A FORWARD -j NFQUEUE
Interaction with the firewall
  NFQUEUE is a terminal target
  An ACCEPT decision will shortcut the whole ruleset
  This is the only possible decision besides DROP
The previous method is thus incompatible with the existence of a ruleset.
Living together: the IPS and the firewall case
Classic solution
  Use mangle in the PREROUTING or FORWARD chains
  The rule is in an isolated table, thus no interaction with the rest of the ruleset
  This means we can do "nothing" in these mangle chains
Alternative solution
  Use advanced functionalities of NFQUEUE
  Simulate a non-terminal decision (© Patrick McHardy)
Details: http://home.regit.org/2011/01/building-a-suricata-compliant-ruleset/
Alternate decision and packet marking
Alternate decisions
  NF_REPEAT: send the packet back to the start of the table
  NF_QUEUE: send the packet to another queue (chain software using NFQUEUE)
nfq_set_mark
  New keyword that can be used in signatures
  Puts a Netfilter mark on the packet if the signature matches
  Can be used in every network stack (QoS, routing, Netfilter)
Details: http://home.regit.org/2011/04/some-new-features-of-ips-mode-in-suricata-1-1beta2/
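The three slides on IPS mode, firewall coexistence and alternate decisions describe why a plain -j NFQUEUE rule bypasses the ruleset and how NF_REPEAT plus a mark avoids that. The model below is an added example written for this section, neither Suricata nor kernel code. Verdict values are those of linux/netfilter.h and NF_QUEUE_NR() packs the target queue into the upper 16 bits as libnetfilter_queue does; the mark-guarded rule form (-m mark ! --mark 0x1/0x1 -j NFQUEUE) is the usual companion of NF_REPEAT and is an assumption here, not something shown on the slides. Packets and the "blocked-pattern" payload are constructed.

```python
"""How NFQUEUE verdicts interact with the rest of an iptables chain.

Added example for the IPS-mode, firewall-coexistence and alternate-decision
slides; neither Suricata nor kernel code. Verdict values are those of
linux/netfilter.h; the mark-guarded NFQUEUE rule is an assumption taken from
common practice, not from the slides. Packets and payloads are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

NF_DROP, NF_ACCEPT, NF_QUEUE, NF_REPEAT = 0, 1, 3, 4
VERDICT_NAME = {NF_DROP: "DROP", NF_ACCEPT: "ACCEPT", NF_QUEUE: "QUEUE", NF_REPEAT: "REPEAT"}


def NF_QUEUE_NR(queue: int) -> int:
    """Verdict 'hand the packet to queue N': NF_QUEUE with the queue number above bit 16."""
    return (queue << 16) | NF_QUEUE


@dataclass
class Packet:
    dport: int
    payload: bytes = b""
    mark: int = 0


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str        # "ACCEPT", "DROP" or "NFQUEUE"
    queue: int = 0     # --queue-num for NFQUEUE


Handler = Callable[[Packet], int]   # a userspace program returning a verdict


class Chain:
    """One iptables chain with its policy and the userspace programs behind its queues."""

    def __init__(self, rules: List[Rule], policy: str, queues: Dict[int, Handler]):
        self.rules, self.policy, self.queues = rules, policy, queues

    def _ask_userspace(self, queue: int, pkt: Packet, trace: List[str]) -> int:
        while True:
            verdict = self.queues[queue](pkt)
            base, next_queue = verdict & 0xFF, verdict >> 16
            trace.append(f"queue {queue}: {VERDICT_NAME[base]}")
            if base != NF_QUEUE:
                return base
            queue = next_queue              # NF_QUEUE: another program gets the packet

    def traverse(self, pkt: Packet, max_passes: int = 8) -> Tuple[str, List[str]]:
        """Walk the chain; return the final fate of the packet and a trace."""
        trace: List[str] = []
        for _ in range(max_passes):
            for rule in self.rules:
                if not rule.match(pkt):
                    continue
                if rule.target != "NFQUEUE":
                    trace.append(rule.target)
                    return rule.target, trace
                verdict = self._ask_userspace(rule.queue, pkt, trace)
                if verdict == NF_ACCEPT:
                    return "ACCEPT", trace   # terminal: rules below NFQUEUE are never evaluated
                if verdict == NF_DROP:
                    return "DROP", trace
                break                        # NF_REPEAT: back to the first rule of the chain
            else:
                trace.append(f"policy {self.policy}")
                return self.policy, trace
        return "LOOP", trace                 # NF_REPEAT kept re-hitting the NFQUEUE rule


def suricata_accept_mode(pkt: Packet) -> int:
    """Default behaviour: NF_ACCEPT unless a signature with action drop matched."""
    return NF_DROP if b"blocked-pattern" in pkt.payload else NF_ACCEPT


def suricata_repeat_mode(pkt: Packet, mark: int = 0x1, mask: int = 0x1) -> int:
    """Repeat mode: set the mark (within the mask) and give the packet back to the chain."""
    if b"blocked-pattern" in pkt.payload:
        return NF_DROP
    pkt.mark = (pkt.mark & ~mask) | (mark & mask)
    return NF_REPEAT


# The administrator's ruleset: only port 80 is allowed, everything else hits policy DROP.
FIREWALL = [Rule(lambda p: p.dport == 80, "ACCEPT")]
GUARD = Rule(lambda p: not (p.mark & 0x1), "NFQUEUE", 0)   # -m mark ! --mark 0x1/0x1 -j NFQUEUE
BRUTAL = Rule(lambda p: True, "NFQUEUE", 0)                 # -A FORWARD -j NFQUEUE


def run_brutal(pkt: Packet):
    """The brutal way: Suricata answers NF_ACCEPT and the firewall rules are bypassed."""
    return Chain([BRUTAL] + FIREWALL, "DROP", {0: suricata_accept_mode}).traverse(pkt)


def run_repeat(pkt: Packet):
    """Mark + NF_REPEAT simulate a non-terminal decision; the firewall still decides."""
    return Chain([GUARD] + FIREWALL, "DROP", {0: suricata_repeat_mode}).traverse(pkt)


def run_repeat_unguarded(pkt: Packet):
    """NF_REPEAT without the mark guard: the packet is queued again and again."""
    return Chain([BRUTAL] + FIREWALL, "DROP", {0: suricata_repeat_mode}).traverse(pkt)


def run_chained_queues(pkt: Packet):
    """NF_QUEUE verdict: the program on queue 0 forwards the packet to queue 1."""
    def first(p: Packet) -> int:
        return NF_QUEUE_NR(1)
    return Chain([GUARD] + FIREWALL, "DROP", {0: first, 1: suricata_repeat_mode}).traverse(pkt)
```

Run against a packet to port 23, the brutal ruleset accepts it although the firewall would drop it, because NF_ACCEPT ends the chain; with the guard and repeat mode the same packet is inspected once, re-enters the chain with bit 1 set, skips the NFQUEUE rule and falls through to policy DROP. Without the guard the repeat verdict re-hits the NFQUEUE rule on every pass.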
WTF: Word Terminator Flow
Objective
  Fight against Word file transfer
  Because Office is heavy like hell
  And you even have to pay for it
Method
  Mark packets when a Word file is transferred
  Limit bandwidth with Linux QoS
Suricata configuration
The rule
  alert http any any -> any any ( \
    msg:"Microsoft Word upload"; \
    nfq_set_mark:0x1/0x1; \
    filemagic:"Composite Document File V2 Document"; \
    sid:666; rev:1; )
Running suricata
  suricata -q 0 -S word.rules
Netfilter configuration
Queueing packets
  iptables -I FORWARD -p tcp --dport 80 -j NFQUEUE
  iptables -I FORWARD -p tcp --sport 80 -j NFQUEUE
  # iptables -I OUTPUT -p tcp --dport 80 -j NFQUEUE
  # iptables -I INPUT -p tcp --sport 80 -j NFQUEUE
Propagating the mark
  iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
  iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
  # iptables -A OUTPUT -t mangle -j CONNMARK --restore-mark
Linux QoS configuration
Setting up the QoS tree
  tc qdisc add dev eth0 root \
    handle 1: htb default 0
  tc class add dev eth0 parent 1: \
    classid 1:1 htb \
    rate 1kbps ceil 1kbps
Sending marked packets to their fate
  tc filter add dev eth0 parent 1: \
    protocol ip prio 1 \
    handle 1 fw flowid 1:1
Evasion technique
Detecting the evasion
  alert http any any -> any any ( \
    msg:"Tricky Microsoft Word upload"; \
    nfq_set_mark:0x2/0x2; \
    fileext:!"doc"; \
    filemagic:"Composite Document File V2 Document"; \
    filestore; \
    sid:667; rev:1; )
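Both signatures (sid 666 above and sid 667 here) key on the same filemagic string and differ only in the fileext check, and both set a mark through a mask. The check below is an added example written for these two slides, not Suricata or libmagic code: it recognises the OLE2 container by its 8-byte header (what libmagic reports as "Composite Document File V2 Document"), compares that with the extension the upload claims, and applies the two nfq_set_mark value/mask pairs the way the rules do. File names and byte strings are constructed.

```python
"""Magic-versus-extension check behind the two Word signatures on the slides.

Added example, not Suricata or libmagic code. It recognises the OLE2 container
by its 8-byte header, compares that with the claimed extension, and applies
the nfq_set_mark values and masks of the sid 666 and sid 667 rules. File
names and byte strings are constructed.
"""
from typing import Callable, List, Optional, Tuple

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # header of every OLE2 (.doc/.xls/.ppt) file


def filemagic(data: bytes) -> Optional[str]:
    """Description the signatures' filemagic keyword matches on, or None."""
    return "Composite Document File V2 Document" if data.startswith(OLE2_MAGIC) else None


def fileext(filename: str) -> str:
    """Extension as the fileext keyword sees it: text after the last dot of the name."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1] if "." in name else ""


# (sid, predicate over (filename, data), mark value, mark mask), mirroring the slides.
Signature = Tuple[int, Callable[[str, bytes], bool], int, int]
SIGNATURES: List[Signature] = [
    (666, lambda n, d: filemagic(d) == "Composite Document File V2 Document", 0x1, 0x1),
    (667, lambda n, d: filemagic(d) == "Composite Document File V2 Document"
                       and fileext(n) != "doc", 0x2, 0x2),
]


def apply_mark(mark: int, value: int, mask: int) -> int:
    """nfq_set_mark:value/mask semantics: only the bits selected by mask are replaced."""
    return (mark & ~mask) | (value & mask)


def classify(filename: str, data: bytes) -> Tuple[List[int], int]:
    """Return the sids that fire for an upload and the resulting Netfilter mark."""
    mark = 0
    fired: List[int] = []
    for sid, matches, value, mask in SIGNATURES:
        if matches(filename, data):
            fired.append(sid)
            mark = apply_mark(mark, value, mask)
    return fired, mark


# Constructed samples: a minimal OLE2 header padded out, and a non-OLE2 file.
WORD_SAMPLE = OLE2_MAGIC + b"\x00" * 24
PDF_SAMPLE = b"%PDF-1.4 constructed sample"
```

Two points worth keeping in mind when wiring this to the QoS slide: a renamed document fires both signatures, so its final mark is 0x3 rather than 0x2, and a tc fw filter written as "handle 1 fw" compares the whole mark (default mask 0xffffffff), so it selects the plain upload but not the renamed one unless a mask is given on the filter as well; and the header only identifies the OLE2 container, so old Excel and PowerPoint files are marked exactly like Word files, which is also what libmagic's description covers.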
Watching the clever ones
Using ipset to mark packets
  ipset create cheaters hash:ip timeout 3600
  iptables -A POSTROUTING -t mangle -m mark \
    --mark 0x2/0x2 \
    -j SET --add-set cheaters src --exists
Logging marked packets
  iptables -A PREROUTING -t raw \
    -m set --match-set cheaters src,dst \
    -j NFLOG --nflog-group 1
Ulogd to keep the trace
Configuring ulogd
  Ulogd will log packets to a pcap file
  We need to activate a stack in ulogd.conf:
    plugin="/home/eric/builds/ulogd/lib/ulogd/ulogd_output_PCAP.so"
    stack=log2:NFLOG,base1:BASE,pcap1:PCAP
Starting ulogd
  ulogd -c ulogd.conf
Questions
Do you have any questions?
Thanks to
  Open Source Days team for accepting this conference
  All Netfilter developers for their cool work
More information
  Suricata website: http://www.suricata-ids.org/
  Victor's blog: http://www.inliniac.net
  Eric's blog: https://home.regit.org
Contact us
  Eric Leblond: [email protected], @Regiteric on twitter
  Victor Julien: [email protected], @inliniac on twitter