Evaluation of Intrusion Detection Systems in Ipv6 Networks
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Intrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS) Adli Wahid Role of Detection in Security • Part of security monitoring o Violation of security policies o Indicators of compromise o Threat drive or Vulnerability driven o What’s happening on the network? • Rules o Detection is based on rules • Action • What do we do when detection happens? • Alert and Investigate • Drop / Block Perspective – Adversary Tactics and Techniques • Mitre Att&ck Framework https://attack.mitre.org • Tactics – what are the goals of the adversary? • Technique – how do they do it? • SubJect to: o Resources o Platforms • Can we used this knowledge for detection? o Observe Adversaries Behaviour o Techniques, Tactics and Procedures (TTPs) o Deploy in prevention, detection, response Your Adversaries Motives Infrastructure Targets Behaviour Your Assets Your Systems Reference: https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13884/AIR-T07-ATT%26CK-in-Practice-A-Primer-to-Improve-Your-Cyber-Defense-FINAL.pdf Reference: https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13884/AIR-T07-ATT%26CK-in-Practice-A-Primer-to-Improve-Your-Cyber-Defense-FINAL.pdf Making Your Infrastructure Forensics Ready • Detecting known or potentially malicious activities • Part of the incident response plan • If your infrastructure is compromised o Can you answer the questions: what happened and since when? o Can we ‘go back in time’ and how far back? • What information you you need to collect and secure? • Centralized logging Intrusion Detection Systems • An intrusion -
USING LUA for DETECTION and MALWARE TRAFFIC ANALYSIS Dr Chris Wakelin, Senior Threat Analyst, Proofpoint November 2018
MOONSTRUCK: USING LUA FOR DETECTION AND MALWARE TRAFFIC ANALYSIS Dr Chris Wakelin, Senior Threat Analyst, Proofpoint November 2018 1 © 2018 Proofpoint, Inc. Introduction . “Lua” is Portuguese for “Moon” . Small extensible language . Considered “well-engineered” by experts : . “If you read ... you'll see that the Lua team were well aware of many developments in programming languages and were able to choose from among the best ideas. Most designers of popular scripting languages have been amateurs and have not been nearly so well informed ... Lua is superbly designed so that the pieces fit together very nicely, with an excellent power-to-weight ratio ... Lua is superbly engineered. The implementation is just staggeringly good ...” . Currently used in . Wireshark . Games (Angry Birds, Crysis, Far Cry, Gary’s Mod …) . etc. 2 © 2018 Proofpoint, Inc. Introduction . Lua(jit) scripting support added initially in September 2012 . After suggestion by Will Metcalf of Emerging Threats . Lua Output support added March 2014 . Lua flowvar support added in 2013 . but only viewable (logged) from December 2016 3 © 2018 Proofpoint, Inc. Lua vs LuaJIT . LuaJIT – Just-In-Time compiler for Lua . Stable version 2.0.5 . Ubuntu 16.04 LTS included 2.0.4 . Development – version 2.1beta3 (for 18 months …) . Included in Ubuntu 18.04 LTS though . Some caveats . Based on older Lua 5.1 . Latest Lua is version 5.4 . Need to pre-allocate buffers in Suricata . Probably best to stick to Lua 5.1 features 4 © 2018 Proofpoint, Inc. Lua/LuaJIT options Suricata “configure” options (pick one) --enable-lua Enable Lua support --enable-luajit Enable Luajit support suricata.yaml … # Luajit has a strange memory requirement, it's 'states' need to be in the # first 2G of the process' memory. -
Downloads." the Open Information Security Foundation
Performance Testing Suricata The Effect of Configuration Variables On Offline Suricata Performance A Project Completed for CS 6266 Under Jonathon T. Giffin, Assistant Professor, Georgia Institute of Technology by Winston H Messer Project Advisor: Matt Jonkman, President, Open Information Security Foundation December 2011 Messer ii Abstract The Suricata IDS/IPS engine, a viable alternative to Snort, has a multitude of potential configurations. A simplified automated testing system was devised for the purpose of performance testing Suricata in an offline environment. Of the available configuration variables, seventeen were analyzed independently by testing in fifty-six configurations. Of these, three variables were found to have a statistically significant effect on performance: Detect Engine Profile, Multi Pattern Algorithm, and CPU affinity. Acknowledgements In writing the final report on this endeavor, I would like to start by thanking four people who made this project possible: Matt Jonkman, President, Open Information Security Foundation: For allowing me the opportunity to carry out this project under his supervision. Victor Julien, Lead Programmer, Open Information Security Foundation and Anne-Fleur Koolstra, Documentation Specialist, Open Information Security Foundation: For their willingness to share their wisdom and experience of Suricata via email for the past four months. John M. Weathersby, Jr., Executive Director, Open Source Software Institute: For allowing me the use of Institute equipment for the creation of a suitable testing -
Ipv6 Address Space Best Practice Document
IPv6 Address Space Best Practice Document Produced by the CESNET-led working group on IPv6 (CBPD116) Author: Tomáš Podermański August 2011 © Original version 2011 © English translation TERENA 2011 All rights reserved Document No: GN3-NA3-T4-CBPD116 Version / date: 1 August 2011 Original language: Czech Original title: “IPv6 Mýty a skute čnost, díl II. - Adresový prostor” Original version / date: 1 of 1 August 2011 Contact: [email protected] This translated version is based on the Czech v ersion published in the electronic journal, Lupa.cz , on 17 February 2011. Parts of the report may be freely copied, unaltered, provided that the original source is acknowledged and the copyright preserved. The translation of this report has received funding from the European Community's Seventh Framework Programme (FP7/2007-20 13) under grant agreement n° 238875, relating to th e project 'Multi -Gigabit European Research and Education Network and Associated Services (GN3)'. 2 Table of Contents Table of Contents 3 Executive Summary 4 1 IPv6 address scheme 5 2 Address types 7 2.1 Link-Local 7 2.2 Broadcast 8 2.3 Unique-Local, Site-Local 8 2.4 Multicast, Anycast 9 2.5 Global 9 3 The network part of global addresses and network structure 10 3.1 Home networks 11 3.2 Multihoming 12 4 End-user networks 13 4.1 The host part of the address – Host ID, Interface ID 13 4.2 IPv6 addresses EUI-64 13 4.3 Mapping the IPv6 EUI-64 addresses 14 4.4 Privacy Extensions 14 4.5 Manual IPv6 configuration and other options 17 5 Conclusion 19 6 List of Figures 20 3 Executive Summary This document describes network structure, the ways of creating IPv6 addresses in end-user networks, and the methods used to connect home, corporate and campus networks. -
Securing Security Tools Suricon Ö.Wï
Securing Security Tools SuriCon ö.wÏ Pierre Chiìier [email protected] French National Information Security Agency ö.wÏ ANSSI ◮ Created on July Åth ö..R, theANSSI (FrenchNetwork and Information SecurityAgency)isthe national authorityfor the defense and the security of information systems. ◮ Under the authority of the Prime Minister ◮ Main missions are: ◮ prevention ◮ defense of information systems ◮ awareness-rising http://www.ssi.gouv.fr/en/ ANSSI Securing Security Tools ö/öÏ Securing Security Tools Objectives of this talk: ◮ Improving security of tools ◮ Not on small steps,but trying to solve problems ◮ Consider alternatives to common solutions ◮ Test our claims ANSSI Securing Security Tools é/öÏ What is a network IDS ? A device that ◮ monitors network for malicious activity ◮ does stateful protocol analysis ◮ raises alerts to the administrators ◮ has to be fast ANSSI Securing Security Tools ÿ/öÏ What is a network IDS ? From the security point of view, a NIDS is: ◮ exposed to malicious traíc ◮ running lots of protocols dissectors ◮ connected to the admin network ◮ coded for performance ANSSI Securing Security Tools ó/öÏ Root causes ◮ Bad speciícations ◮ when they exist ◮ Design complexity and attack surface ◮ Formats complexity ◮ Programming language ◮ Paradox: many security tools are not securely coded ◮ “I’ll íx it later” ◮ Infosec peopleconsidering it’s “not their job” ANSSI Securing Security Tools Ï/öÏ Mimimal solutions ◮ Finding vulns does not (really)help security! ◮ But it helps (raising awareness, demonstrating the -
Release 3.2Dev OISF
Suricata User Guide Release 3.2dev OISF Jun 07, 2017 Contents 1 What is Suricata 1 1.1 About the Open Information Security Foundation............................1 2 Installation 3 2.1 Source..................................................3 2.2 Binary packages.............................................4 2.3 Advanced Installation..........................................5 3 Command Line Options 7 3.1 Unit Tests.................................................9 4 Suricata Rules 11 4.1 Rules Introduction............................................ 11 4.2 Meta-settings............................................... 16 4.3 Header Keywords............................................ 20 4.4 Prefilter.................................................. 31 4.5 Payload Keywords............................................ 32 4.6 HTTP Keywords............................................. 51 4.7 Flow Keywords.............................................. 67 4.8 Flowint.................................................. 70 4.9 Xbits................................................... 72 4.10 File Keywords.............................................. 73 4.11 Rule Thresholding............................................ 75 4.12 DNS Keywords.............................................. 77 4.13 SSL/TLS Keywords........................................... 78 4.14 Modbus Keyword............................................ 81 4.15 DNP3 Keywords............................................. 82 4.16 ENIP/CIP Keywords.......................................... -
A Comparative Analysis of the Snort and Suricata Intrusion-Detection Systems
View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Calhoun, Institutional Archive of the Naval Postgraduate School Calhoun: The NPS Institutional Archive Theses and Dissertations Thesis Collection 2011-09 A comparative analysis of the Snort and Suricata intrusion-detection systems Albin, Eugene Monterey, California. Naval Postgraduate School http://hdl.handle.net/10945/5480 NAVAL POSTGRADUATE SCHOOL MONTEREY, CALIFORNIA THESIS A COMPARATIVE ANALYSIS OF THE SNORT AND SURICATA INTRUSION-DETECTION SYSTEMS by Eugene Albin September 2011 Thesis Advisor: Neil Rowe Second Reader: Rex Buddenberg Approved for public release; distribution is unlimited THIS PAGE INTENTIONALLY LEFT BLANK REPORT DOCUMENTATION PAGE Form Approved OMB No. 0704-0188 Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188) Washington DC 20503. 1. AGENCY USE ONLY (Leave blank) 2. REPORT DATE 3. REPORT TYPE AND DATES COVERED September 2011 Master’s Thesis 4. TITLE AND SUBTITLE 5. FUNDING NUMBERS A Comparative Analysis of the Snort and Suricata Intrusion-Detection Systems 6. AUTHOR(S) Eugene Albin 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. -
Ipv6 Security.Pdf
IPv6 Security Scott Hogg, CCIE No. 5133 Eric Vyncke Cisco Press Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA ii IPv6 Security Scott Hogg and Eric Vyncke Copyright© 2009 Cisco Systems, Inc. Published by: Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without writ- ten permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America First Printing December 2008 Library of Congress Cataloging-in-Publication Data: Hogg, Scott. IPv6 security / Scott Hogg, Eric Vyncke. p. cm. Includes bibliographical references and index. ISBN-13: 978-1-58705-594-2 (pbk.) ISBN-10: 1-58705-594-5 1. Computer networks—Security measures. 2. TCP/IP (Computer network protocol) I. Vyncke, Eric. II. Title. TK5105.59.H637 2009 005.8—dc22 2008047255 ISBN-13: 978-1-58705-594-2 ISBN-10: 1-58705-594-5 Warning and Disclaimer This book is designed to provide information about the security aspects of the IPv6 protocol. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have nei- ther liability nor responsibility to any person or entity with respect to any loss or damages arising from the informa- tion contained in this book or from the use of the discs or programs that may accompany it. -
Suricata IDPS and Its Interaction with Linux Kernel
Suricata IDPS and its interaction with Linux kernel Eric Leblond, Giuseppe Longo Stamus Networks France, Italy [email protected] [email protected] Abstract All reconstructions that are handled differently by operating system due to RFC incompletion or bad implementation must Suricata is an open source network intrusion detection and pre- be taken into account by the IDS. If streaming is not done this vention system. It analyzes the traffic content against a set of signatures to discover know attacks and also journalize proto- way, then attackers can abuse this interpretation mistake to col information. get this attack unnoticed. For instance, if they attack a Win- One particularity of IDS systems is that they need to analyze dows operating system seen as a Linux by the IDS, they just the traffic as it is seen by the target. For example, the TCP need to use a TCP segmentation scheme that is done differ- streaming reconstruction has to be done the same way it is done ently on Linux and on Windows so the IDS will see a content on the target operating systems and for this reason it can’t rely that is not the one received by the target. This kind of tech- on its host operating system to do it. nique is called evasion [4] and it is available in attack tools Suricata interacts in a number of ways with the underlying just as Metasploit [2]. For this reason it can’t rely on the op- operating system to capture network traffic. Under Linux erating system it is running on to do it. -
Running Bro on BSD
Running Bro on BSD An analysis of high performance solutions running on BSD operating systems. Michael Shirk BroCon 2016 @Shirkdog http://github.com/Shirkdog Agenda l Introduction l Bro is awesome l Why FreeBSD? l High Performance and FreeBSD l FreeBSD at the Berkley Lab l PF_RING vs. netmap l OpenBSD Rant Warning l Whenever you see the beastie with a hammer, there is a potential for some BSD bias to slip in. l The goal is to minimize this throughout the talk. l All information not cited in this talk is based on personal experience or opinion (marked with an asterisk *). Introduction l Worked in IDS/IPS since 2003 (various positions including consulting) - Engines: Snort, Suricata, Dragon and now Bro (also had to work with McAfee, ISS, NFR … others) - Signatures for Emerging Threats (since they were Bleeding Edge Snort) l Support Open Source Security Tools and Software - Maintain pulledpork for Snort/Suricata (rule updating script): http://github.com/shirkdog/pulledpork - Active community member of open source projects: l Operating Systems: FreeBSD, OpenBSD, HardenedBSD l Security Tools: Snort, Suricata, AIDE, Bro (starting) Bro Beginnings l 2013 – Bro setup on Linux with PF_RING and Suricata ( Dell R610 12 Core 32GB Appliance) - PoC was Security Onion, the production setup was on Ubuntu with PF_RING, Suricata and nothing else. - Gigamon TAP aggregated data to a single 10Gb Fiber interface fed to the Bro/Suricata sensor. - ~700Mbps peak, ~350Mbps non-peak l Bro logs were fed into Splunk (modified Splunk_TA_Bro to work with log formats) l Set it and forget it, it's just that simple. -
George Kargiotakis [email protected] Berlin, RSS 2013
Are you ready for IPv6 insecurities ? v1.1 George Kargiotakis [email protected] Berlin, RSS 2013 whois $ id uid=1000(kargig) gid=1000(sysadmin) groups=1(HELLUG),2(HTFv6),3(Hackerspace.gr),4(DLN.gr) $ last kargig GRNET – System Administration Gennet – Linux-based broadband CPEs (IPv6 capable) University of Ioannina – System Administration $ apropos kargig iloog – Greek gentoo-based livecd GrRBL – Greek AntiSpam Blacklists Greek AdBlock Plus filter – self-explanatory void.gr – My Blog 21/01/2013 Are you ready for IPv6 insecurities ? 2 Moment of truth How Many of you ● know what IPv6 is ? ● have used/are using IPv6 at work/home ? ● know what SLAAC is ? ● have used/are using transition mechanisms ? ● have deployed services over IPv6 ? ● are using native IPv6 ? ● are using native IPv6 and have applied IPv6 specific security policies on servers/routers ? 21/01/2013 Are you ready for IPv6 insecurities ? 3 Topics ● Fast IPv6 crash course (still needed) ● Main Dish 21/01/2013 Are you ready for IPv6 insecurities ? 4 Fast IPv6 crash course Embrace the new ● 128-bit addr – 340.282.366.920.938.463.463.374.607.431.768.211.456 IPs ● Multiple IPs (w/ different scopes) per Interface ● Lots of Multicast (no more broadcast!) ● Network Discovery Protocol → Address Auto-configuration ● Simpler Header (definitely good!) + Extension Headers (sounds promising!) + Header Daisy Chaining (interesting!) == a complete mess 21/01/2013 Are you ready for IPv6 insecurities ? 5 Fast IPv6 crash course Extension Header Daisy Chaining Extension header examples ● Destination -
Ipv6 Security Training Course
IPv6 Security Training Course References March 2021 Introduction During the IPv6 Security Course, many references are given, mostly IETF RFCs (Internet Engineering Task Force)(Request For Comments). You can also find useful references for RIPE NCC documents, security tools and sources of relevant security information. This document contain more details about those references, allowing the course participants to go deeper into details. In the case of RFCs, updated information about them, like the date of publication or if it still valid or has been obsoleted or update by another RFC, could be found in the www.rfc-editor.org web site. IETF Standards References [RFC2827] P. Ferguson, D. Senie, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing”, May 2000, Best Current Practice [RFC3704] F. Baker, P. Savola, “Ingress Filtering for Multihomed Networks”, March 2004, Best Current Practice [RFC3756] P. Nikander, Ed., J. Kempf, E. Nordmark, “IPv6 Neighbor Discovery (ND) Trust Models and Threats”, May 2004, Informational [RFC3849] G. Huston, A. Lord, P. Smith, "IPv6 Address Prefix Reserved for Documentation", July 2004 [RFC3971] J. Arkko, Ed., J. Kempf, B. Zill, P. Nikander, SEcure Neighbor Discovery (SEND), March 2005, Proposed Standard [RFC3972] T. Aura, “Cryptographically Generated Addresses (CGA)”, March 2005, Proposed Standard [RFC4191] R. Draves, D. Thaler, “Default Router Preferences and More- Specific Routes”, November 2005, Proposed Standard [RFC4301] S. Kent, K. Seo, "Security Architecture for the Internet Protocol”, December 2005, Proposed Standard [RFC4302] S. Kent, “IP Authentication Header”, December 2005, Obsoletes RFC 2402, Proposed Standard [RFC4303] S. Kent, “IP Encapsulating Security Payload (ESP)”, December 2005, Obsoletes RFC 2406, Proposed Standard [RFC4443] A.