
Thank you, and thanks for having me here at BSides. I'm Andreas from the company Makana, and I'm also working on the OISF. Just a second about me: I'm living in a small town near Augsburg, that's south of Augsburg, you know, near Munich. I'm an operations engineer at Makana by day, and at night I'm working on Suricata. I'm part of the core team of the OISF, and you'll find me on Twitter as well. So, anyone here who has heard about Suricata already? Yeah, about a third, half of the people, that's cool. Okay, so for those of you who don't know Suricata: it's GPLv2 open source software written mainly in C,
and we have been experimenting a little bit with Rust recently. It's an IDS/IPS and NSM engine, and it's backed by the Open Information Security Foundation, a non-profit foundation placed in the US. So all the money and everything we are gathering is put into the OISF and is financing the people who are developing Suricata, and hosting, for example, SuriCon, which I will point out later on. The money is coming in from consortium members, such as companies who pay a specific amount of money and are listed on our website, and also from donations and trainings. It's really community driven, so we have some core developers, but we also have a
lot of people working on specific parts of Suricata, and we really like working with the community and adding new features requested by the community. The most recent version we have is 3.2.1, and soon, maybe in May, we will release version 4. So why should you use an IDS or IPS? Who is using an IDS/IPS in their network already? Not that many people, okay. You can analyze the whole traffic of your network, the connections, the flows, whatever you want to look into; you can do that with Suricata and choose the environment you want to have. You can detect suspicious and malicious traffic, that's one of the main purposes; you want to use,
for example, the Emerging Threats guys' signatures, which can detect, for example, malware. But you can also look for invalid traffic, or some sort of traffic that doesn't look real, or something that you don't expect in your network but doesn't really harm your network, for example. You get a really advanced, detailed evaluation of your network, so it's not only for incident response and detection of threats, it's also to learn more about your network, what's happening in your network. In my opinion it's a valuable addition to your security concept; you shouldn't rely on just one part, that's for sure, but add this to your firewall and to other systems. So I want to
talk a little bit about the features Suricata has, and I will explain some of them more deeply, and at the end I'll have a short demo of four or five features we have. So, Suricata is multi-threaded; our main goal is to have high performance. We have scenarios where we have 20 to 40 gigabit Ethernet connections that are handled by one machine. Of course you need a powerful machine, like a Xeon processor with 16 cores, for example, but Suricata can handle such huge traffic thanks to the multi-threading. There's also some hardware acceleration, and there are some dedicated hardware devices you can buy from other vendors that provide dedicated performance improvements for your network. We have a
lot of protocol detection, for example HTTP, that's the most important protocol, but we also have DNS, that's the connection we have to the talk before. We can look into TLS, not into the traffic itself since it's encrypted, but the metadata, and more on TLS is coming up. We already have some parts ready for SMB and are working on finishing the SMB protocol detection really soon. One feature I will show you later on is file extraction: while you're sitting on your network you can try to extract files from the network. For example, if you have HTTP traffic, you can extract pictures, you can extract PDFs or even binaries. One nice feature is the EVE JSON logging output; you
will see later on that we get a lot of information out of it, and then it's your job to make the best out of it, maybe put it into an ELK stack or Splunk. But you get a lot of information; you'll see later on how it will look like. Lua scripting is also a nice feature: if you say, okay, I'm not fine with the signatures, that's too low-level, I want to do much more with my traffic, I want to analyze more, I want to add some sort of more logical parts into the signatures I want to check, you can do this with Lua scripting. We also have pcap analysis, so you can
feed a pcap into Suricata and run the same stuff you would, for example, if you attach to an interface. We've seen in the last talk how you can work with tshark and tcpdump; what you get out of tcpdump, as he showed in his example, you can feed into Suricata and do more detection on the traffic. We support IP reputation, so if you want to gather some information about specific IP addresses and want to say this one is good or bad, you can include this as well. Suricata has a huge config file, especially because we try to document a lot in the config file itself; you can do a lot of customizations, so if
something is not working as you expect, try the config and see if you can find some parameter to tune Suricata to your environment, since there are so many things you might need to achieve performance-wise; we try to add as much as possible. We are working with two people from Emerging Threats; they are providing us with optimized malware signatures. They are not just working for Suricata, they are also working with Snort, but they use the specific keywords Suricata has implemented, so if you want to use optimized signatures you might go for the Emerging Threats guys. And a lot more features. So if you're looking into how you can acquire the packets on your
network, you have some options to choose from. If you have a Linux-based system, I would recommend using AF_PACKET, especially if you're using a quite modern Linux distribution, since AF_PACKET version 3 was released and is included in the kernel and makes PF_RING obsolete. PF_RING is another option for packet capture; there's also a commercial version called PF_RING ZC that's also bypassing the kernel, but from our view AF_PACKET, already with version 3, can achieve the same amount of performance nowadays with Linux. On every system you can use libpcap, but it's the slowest version, so if you're running 10 or 20 gigabit you don't want to use the libpcap
version. And for the BSD guys, for example people who have pfSense or are using FreeBSD, there we have netmap, which is quite similar to AF_PACKET. So when you think about where should I put Suricata, you have several options. If your focus is detection, you might use a switch with a mirror port that's copying the whole traffic, and then you send it into a dedicated machine for Suricata; it doesn't interfere with the traffic, and you can analyze what's on your network. You can use a tap device, which is a more expensive way to do it, or you just use your normal gateway and have a dedicated NIC that's working on a system that's within the traffic you
have, and let it interfere with and then inspect the traffic you have on your gateway. So that's up to you, whatever you prefer. If you want to go for prevention, you can either use AF_PACKET or netmap; then you have to use two network interfaces, and you attach one for the incoming and one for the outgoing and it will forward all the traffic. If you want to do more packet filtering while you're doing prevention mode, you can use NFQ, the iptables target; it's slower than the first one with AF_PACKET, but you have the option to, for example, discard some packets, saying okay, I don't want
to inspect anything else than HTTP traffic, for example. Pcap analysis is quite easy; you can just run Suricata with the -r pcap-file option and it's running on the pcap, I will show you later on. Or you can use the Unix socket mode, that's a little bit more complex: you run Suricata, it's listening on a Unix socket, and you can feed the Unix socket with several pcaps, for example you can put in 100 pcaps, and Suricata is working on them. You also get some output, some information about the pcaps, at what point you are already, so it's a more advanced mode. When you're talking about signatures and Suricata, I want to show a small
example of how a signature might look like. You see the first part is alert, that's the keyword for the action; the normal one would be alert, so if this happens, show me an alert in my log files. You can also choose drop in prevention mode, saying okay, this happens in my traffic, I want to drop this traffic. You can also reject the traffic, and there's also pass, saying okay, this traffic, or this IP address, just pass the traffic. Then you get the protocol, in this example we're looking for HTTP traffic. Then you have the information, the metadata about source IP, destination IP and of course
ports. In this example we're using a variable, HOME_NET, where you have included, for example, your RFC-conformant local network, saying okay, I'm using any source port and I want to see every HTTP traffic going anywhere in the Internet. Within the brackets you have the signature itself. You have a message, that's just for logging, so if this rule hits you see "outgoing Basic authentication detected"; that's just the part that you see in your log file. Then we want to make sure that the flow is established to the server. Then we're looking at the content itself; as you can see we're looking for "Authorization: Basic" and some dedicated parts of the
payload. We also can say okay, it must be within 32 bytes, and we want a threshold, for example we don't want to see this every second all the time, so we say okay, count it once only every 300 seconds, so your log won't get flooded with all the signatures if they're hitting all the time. Reference, classtype and sid are also metadata for the signature itself; that is helping if you want to talk with the people from Emerging Threats, for example saying hey, I have a false positive, this is the sid, this is the problematic rule, so that will help. File extraction, so as I told you, Suricata can extract files,
and it's quite easy if you're using HTTP or SMTP. You can say okay, I have HTTP traffic and I'm interested in trying to detect malicious files, I want to filestore those files; you also get the metadata with the files. This is a simple rule again: you want to trigger an alert with HTTP traffic, in this case you don't care what IP addresses are used, what port is used, you have a message "okay, store all the files", and you just add filestore and it's doing its job. You don't want to run this on your network unless you have a small network, since it's storing all the files coming through the network, but just so that you
get an idea how easy it is to use the feature. If you go to the protocol detection, Suricata is offering several keywords dedicated to each protocol; for example, for HTTP you can match the URL, you can match the method, the user agent; for DNS you can match the query you have seen or the response; and with TLS you can look into the cert subject, check the fingerprint and all you see from the unencrypted part of the TLS connection. So for example we have one rule that triggered, that's the small one-liner, okay, it's more lines on the slide, but on your system it will be one line. So in
this example a rule did trigger, so we see the timestamp, we see the sid of the rule that triggered, then the description, that's the message, a malware user agent, a classification, okay, that's a signature for network detection that there was malware detected, and it was TCP traffic coming from that IP and that source port, and it was sent to this IP and the HTTP port 80. If you want to have just this one line, just use the fast log and you're fine to go, but if you want to have more information you go for the EVE JSON output. That's the same rule that triggered, but much more
information. Again you have the timestamp, but now you also get the flow ID; this is important later on for the demo. You see the event type alert; in the demo I will show you we have different event types, so event type alert is what you see for a signature, and we also have an event type for the dedicated protocol, we have an event type for the stats, how Suricata is performing itself. You get the metadata again, IPs, ports, but you also get more details; for example you see on the lower part it's HTTP, and it's looking in more detail, so we get the hostname that was used, we're getting the URL that is used, we get the
user agent, the method, the protocol and so on. So it's quite verbose, but depending on your setup you might really want to look into the details. If you want to use Suricata, I want to give you some considerations you need to think about, especially if you're looking for the hardware. As I said, we now have like 10 to 20 gigabit Ethernet working with a Xeon processor; if you're working on some setup with 100 gig, the limiting factors are CPU and network card, especially in regards to the traffic; in other words, depending on how many rules and signatures you are using, it's the memory that's limiting. If you're using a lot of logging and
outputs, of course you might want to have a fast SSD attached instead of a normal hard disk. And you need to think about whether you want to use the IDS mode or the IPS mode; interfering with the traffic in IPS mode is much harder and more limiting on the hardware than IDS mode. You can also use additional tools for analyzing the logs you get: log aggregation with ELK or Splunk is easy to use, we also support Redis, for example, and you might want to add a tool for ruleset management. If you want to get more information about Suricata, I pointed out the documentation, Redmine for issue tracking, we have a mailing list, and we're also active on IRC on the Freenode network.
The OISF itself is offering trainings, for example in Heidelberg in March; I've been at the training we offered for people there, and also the company I'm working for, Makana, is offering consulting. I also want to point out that SuriCon is coming up in Prague this year in November; there's also a training before SuriCon. The call for papers is still open, so if you're doing anything, it needn't be about Suricata itself, something related to IDS/IPS and all that stuff, feel free to look at our site and see if you want to submit a paper for SuriCon; we would really be glad if you join us there. So now it's time for the demo. For example,
this is just a simple example: I'm running Suricata on a pcap I've recorded yesterday, I'm pointing out the config file, I'm pointing out the pcap I'm using, and I'm having a dedicated rule file. So it's quite fast, Suricata has been running, and now we want to look into what file I have extracted. That's the file I've got from the HTTP traffic; I also get the metadata, for example you can see a timestamp, the IP address, destination IP. It's small, sorry, okay, like this, can everyone read that? Yeah. So as you can see you get the source IP, destination IP, the HTTP host and also the file name, and it's using libmagic to
determine what sort of file it is. By the way, it was just a wget command, not that special.
I just need to copy this one. I will show you two outputs. So this is the line I have talked about, just one line: this alert triggered and extracted the files, with the relevant metadata. And this is the same alert, but now I'm looking into the flow ID; I'm using the jq command, which is helpful if you're playing around with JSON output, and you see there's a lot of output. Just a quick look at it: you have again the timestamp and all the relevant metadata; at the bottom you see "cute animals", that's the HTTP part, and as I already told you we have a dedicated event type http, so everything
here, this is not part of the alert, but it's telling us about everything happening in the flow relevant to HTTP, with that flow ID, a network flow. We also have the event type fileinfo, as you can see here, and the event type dns, that was the initial request for this website, and even the stats at the bottom: how many packets have been processed; normally we would see if there were packet drops. So we get a lot of information out of it. So it's quite easy to run Suricata and handle pcaps. I could have run the same on, for example, my interface, on my wireless card, and
you would have seen the same, but I wasn't sure if the network is working, so it's easier to showcase that with a pcap. So thanks, any questions? [Applause] Questions? Okay, yeah.

I missed two things: for the signatures of the traffic, of the captures, are you providing any kind of signatures, like a digest, like a SHA hash, of the captures, for example the image?

Do you mean the files that are extracted here? Yeah, we offer MD5 and also SHA checksums, so you can add this; it's helpful as well, so you can make sure that it's the same file every time, for example comparing it with another output in another place.

And the output, is it only JSON, or also, for example, syslog-ng?

Yeah, you can use, for example, the normal Suricata output; the most verbose output is the JSON one, that's the one we're promoting the most.

It's hard to tell. Depending on your hardware and your network cards you might not even recognize the delay, but if you have a lot of traffic and slow hardware you might recognize, like, 100 to 200 milliseconds. So it really depends on your hardware and how many rulesets you're using; if you're just running ten rules it's passing quite fast. So it's hard to tell; if you have quite
fast hardware and the normal settings, you shouldn't recognize the delay. I have setups where you won't recognize the delay, and I have setups where maybe you can recognize the delay; that's hard to tell.

Do you use a memory cache for packets, if you want to look into the flow, since you're looking at more than two packets for your own detection?

Yeah, you can configure a lot of the parameters; for example, if you want to extract files from HTTP, you can define the request and response body limit, so you can say okay, I don't want to look into anything bigger than one megabyte, for example,
since that might decrease the performance.

I'm seeing a lot of similarities with Bro.

So Bro has more features; for example, if you want to add your own protocol detection, it's easier with Bro. But from the networking side, what you can see and extract, besides the protocol detection, I think we're quite similar. We also have some setups where people are using Suricata and Bro in parallel, to see if they see some sort of mismatch with the data. But yeah, that's it. Thank you. [Applause]
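The following is an added example at the end of this transcript; it is not part of the talk and not code from the Suricata project. It does in Python what the demo does with jq: read EVE JSON lines, group records by flow_id, and for each flow that raised an alert pull together the sid, the HTTP hostname, URL and user agent, and any extracted file with its MD5 and whether it was stored, plus the capture drop counter from the stats record. The EVE lines embedded in it are constructed for the example: the field names (event_type, flow_id, alert.signature_id, http.hostname, fileinfo.md5, stats.capture.kernel_drops) follow the EVE JSON layout the talk describes, but every address, port, sid, hash and timestamp is invented.

```python
"""Correlate Suricata EVE JSON events by flow_id.

Added example: not from the talk or the Suricata project. The EVE lines below
are constructed for this example; field names follow Suricata's EVE JSON
layout, but every address, port, sid, hash and timestamp is invented.
"""
import json
from collections import Counter, defaultdict

# Constructed EVE JSON sample: a DNS lookup (its own flow), then an HTTP
# download that produced an alert, an http record and a fileinfo record on one
# flow, and finally a periodic stats record (stats carry no flow_id).
SAMPLE_EVE = """\
{"timestamp":"2017-03-11T10:00:00.000001+0100","event_type":"dns","flow_id":1001,"src_ip":"192.0.2.10","src_port":51234,"dest_ip":"192.0.2.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"www.example.com","rrtype":"A"}}
{"timestamp":"2017-03-11T10:00:00.250000+0100","event_type":"alert","flow_id":2002,"src_ip":"192.0.2.10","src_port":49152,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE store all files","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"www.example.com","url":"/cute-animals.jpg","http_user_agent":"Wget/1.19","http_method":"GET","protocol":"HTTP/1.1","status":200}}
{"timestamp":"2017-03-11T10:00:00.300000+0100","event_type":"http","flow_id":2002,"src_ip":"192.0.2.10","src_port":49152,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","http":{"hostname":"www.example.com","url":"/cute-animals.jpg","http_user_agent":"Wget/1.19","http_content_type":"image/jpeg","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":4242}}
{"timestamp":"2017-03-11T10:00:00.310000+0100","event_type":"fileinfo","flow_id":2002,"src_ip":"192.0.2.10","src_port":49152,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","fileinfo":{"filename":"/cute-animals.jpg","magic":"JPEG image data, JFIF standard 1.01","md5":"0123456789abcdef0123456789abcdef","state":"CLOSED","stored":true,"size":4242}}
{"timestamp":"2017-03-11T10:00:08.000000+0100","event_type":"stats","stats":{"uptime":8,"capture":{"kernel_packets":1234,"kernel_drops":0},"decoder":{"pkts":1234,"bytes":567890}}}
"""


def parse_eve(text):
    """Parse EVE JSON (one object per line); skip blank or malformed lines."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A truncated last line is normal when tailing a log Suricata is still writing.
            print(f"skipping malformed EVE line {lineno}")
    return events


def count_event_types(events):
    """How many records of each event_type the log contains."""
    return dict(Counter(e.get("event_type", "?") for e in events))


def events_for_flow(events, flow_id):
    """All records sharing one flow_id, in timestamp order (what a jq select does)."""
    return sorted((e for e in events if e.get("flow_id") == flow_id),
                  key=lambda e: e["timestamp"])


def summarize_alert_flows(events):
    """For every flow that raised an alert, collect what an analyst looks at first:
    the sids that fired, the HTTP request metadata and any extracted files."""
    by_flow = defaultdict(list)
    for e in events:
        if "flow_id" in e:
            by_flow[e["flow_id"]].append(e)
    summary = {}
    for flow_id, recs in by_flow.items():
        sids = sorted({r["alert"]["signature_id"] for r in recs if r.get("event_type") == "alert"})
        if not sids:
            continue  # flows without an alert (here: the DNS lookup) are left out
        http = next((r["http"] for r in recs if r.get("event_type") == "http"), {})
        files = [(r["fileinfo"]["filename"], r["fileinfo"].get("md5"), bool(r["fileinfo"].get("stored")))
                 for r in recs if r.get("event_type") == "fileinfo"]
        first = recs[0]
        summary[flow_id] = {
            "src": f"{first.get('src_ip')}:{first.get('src_port', '')}",
            "dst": f"{first.get('dest_ip')}:{first.get('dest_port', '')}",
            "signature_ids": sids,
            "hostname": http.get("hostname"),
            "url": http.get("url"),
            "user_agent": http.get("http_user_agent"),
            "files": files,
        }
    return summary


def capture_counters(events):
    """(kernel_packets, kernel_drops) from the latest stats record; the drop
    counter is the first thing to check when a sensor seems to miss traffic."""
    stats = [e for e in events if e.get("event_type") == "stats"]
    if not stats:
        return None
    cap = stats[-1]["stats"].get("capture", {})
    return cap.get("kernel_packets", 0), cap.get("kernel_drops", 0)


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    print("event types:", count_event_types(evs))
    for fid, info in summarize_alert_flows(evs).items():
        print(f"flow {fid}: {info['src']} -> {info['dst']} sids={info['signature_ids']} "
              f"host={info['hostname']} url={info['url']} files={info['files']}")
    print("capture (packets, drops):", capture_counters(evs))
```

On a real sensor the same grouping works on the eve.json file Suricata writes, since every alert, http, dns and fileinfo record for one connection shares the flow_id while stats records have none; the md5 from fileinfo is the checksum the speaker mentions in the Q&A for comparing an extracted file with a copy stored elsewhere.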