SESSION ID: OST-R07

Suricata: 10 Years Strong Bringing the Best in Network Threat Detection

Eric Leblond, Suricata Developer, The Open Information Security Foundation (OISF) / Suricata
Peter Manev, CSO, Stamus Networks, LLC

#RSAC

Who are we?

Eric Leblond

−OISF executive council

−Suricata Developer

−Stamus Networks co-founder

Peter Manev

−OISF executive council

−QA lead at OISF

−Stamus Networks co-founder

OISF

The non-profit foundation behind Suricata

Created more than 10 years ago to

−Receive funding

−Pay for Suricata development

−Promote Suricata

Organizing Suricon every year

−2019: 250 attendees in Amsterdam

−2020: Boston, in November

Consortium members:

−Fireeye, Proofpoint

−AlienVault, ANSSI, Juniper, Verizon, IronNet

−Bricata, Cilera, Greycortex, Indegy, Red Piranha, Ubiquiti

Suricata

Intrusion Detection System

−Signature based IDS

−JSON alerts including metadata for context

Network Security Monitoring

−Port independent protocol discovery

−Broad protocol support: http, smtp, tls, smb, ftp, nfs, ikev2, dhcp, ...

−JSON events

−On disk file extraction

Who’s using Suricata?

Basically everyone you would wish to have as a customer if you were a software vendor

Big companies:

−Facebook, Google, Amazon, ...

Small companies:

−FireEye, Thales, ...

Governmental:

−DoD, Homeland, French army, $(put your country here) $(army|govt defense agency)

Why not pick or/and

Feature side

−Zeek will provide you a great NSM

−Snort will provide you an old but decent IDS

−Running both on a box can be mayhem

−Suricata can replace both

−Suricata scalability is unmatched

Political side

−Suricata has a real community based development

−Snort is Cisco’s abandoned pet

80Gbps on one server

With 50000 signatures

(yes, on live traffic...)

Who’s making Suricata?

●OISF paid developers

−Victor Julien, Jason Ish, Shivani Bhardwaj, Jeff Lucovsky, Philippe Antoine, Andreas Herz

●Contributors

−133 authors

−Private companies and governmental

−Mostly Europe and America

●Community council

−Quarterly meeting to discuss recent evolution and perspectives

●OISF Executive director

−Kelley Misata PhD

●Board of Directors

−Matt Jonkmann, Gene Stevens, Brian Casserly, Charles-H Schultz

●Executive team

−Kelley Misata, Victor Julien, Jason Ish, Josh Stronheim, Peter Manev, Eric Leblond

Suricata 1.0

Date: 2010 (beta released Dec 2009)

Native multi threading

IDS compatible with snort rules

Protocol discovery

–Identify protocol independently of port

HTTP analyzer and keywords

–Match on protocol fields

–Normalization

Start of NSM with HTTP logging

–Apache like logging of all HTTP transactions

Suricata 1.2

Date: 2012/02

File extraction

–Extract file on disk

–Per signature via a keyword

–Globally via configuration

File analysis

–Compute file hash

–Detect file type

–Keyword to match on file content: file_data

Suricata 1.3

Date: 2012/07

TLS support

−IDS is not a network grep

−Analyse TLS handshake

−Produce Record

−Dedicated keywords:

•tls.cert_subject

•tls.cert_issuer

•...

TLS support by the example

Verify PKI usage in a company

The lazy way: one signature

alert tls $SERVERS any -> any any (msg:"non PKI certificate"; tls.cert_issuer; content:!"ou=My Company"; nocase; classtype:policy-violation; sid:1; rev:1;)

Suricata 1.4

Date: 2012/12

How to deal with the rapidly evolving nature of threats

−Signature language is release dependent

−Expressiveness of the language is poor

Lua signature

−Detect unexpected threats

−Implement complex algorithms

Heartbleed example

Context

−Exploit based on an obscure message of the TLS RFC

−Suricata support was not exposing this message to detection

A Lua signature was written a few hours after the announcement

−Implement parsing code

−Strict test for abnormal behavior

The next release of Suricata had direct support

Entropy computing in Lua

function entropy(a, verbose)
    local l = #a
    -- byte histogram, one slot per possible byte value
    local V = {}
    for i = 1, 256, 1 do
        V[i] = 0
    end
    for i = 1, l, 1 do
        V[a:byte(i) + 1] = V[a:byte(i) + 1] + 1
    end
    -- Shannon entropy in bits
    local c = 0
    local log2 = math.log(2)
    for i = 1, 256, 1 do
        local p = V[i] / l
        if p > 0 then
            c = c - (p * math.log(p) / log2)
        end
    end
    -- Ceil: match only above the entropy threshold
    if c > 4 then
        return 1
    end
    return 0
end

-- Suricata Lua API: declare which buffer the script needs
function init(args)
    local needs = {}
    needs["buffer"] = tostring(true)
    return needs
end

-- Suricata Lua API: called with the sticky buffer in scope (here file.name)
function match(args)
    local buffer = args["buffer"]
    -- strip any directory part and the .exe extension before measuring
    local bo = string.gsub(buffer, "(.*\\)(.*).exe", "%2")
    return entropy(bo, 1)
end

Signature using entropy

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"High entropy in HTTP filename exe download"; flow:to_client,established; http.header; content:"Content-Transfer-Encoding|3a| binary"; http_header_names; content:"|0d 0a|Content-Disposition|0d 0a|Content-Transfer-Encoding|0d 0a|"; file.name; content:".exe"; endswith; fast_pattern; lua:entropy-detect.lua; sid:666; rev:1;)

A real life result
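As an added check on the Lua entropy script and signature above (example code written for this page, not the deck's or Suricata's own), the same Shannon entropy computation in Python, with the base-name extraction the script's gsub performs. The helper names are this example's own, and it goes slightly beyond the slide: forward slashes are stripped as well as backslashes and the suffix is matched case-insensitively. It also makes a limit of the threshold explicit: a string of n characters carries at most log2(n) bits, so a base name shorter than 17 characters can never exceed the 4-bit threshold, whatever characters it uses.

```python
import math
import re

THRESHOLD_BITS = 4.0  # the "c > 4" test in the Lua script


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, computed from a 256-slot byte
    histogram exactly as the Lua script does."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def basename_without_exe(name: str) -> str:
    """Mirror of the script's gsub: drop the directory part and the .exe
    suffix. Assumption beyond the slide: '/' is a separator too and the
    suffix is matched case-insensitively."""
    base = re.split(r"[\\/]", name)[-1]
    return re.sub(r"\.exe$", "", base, flags=re.IGNORECASE)


def is_high_entropy_name(name: str, threshold: float = THRESHOLD_BITS) -> bool:
    """What the Lua match() returns as 1/0: entropy of the base name above threshold."""
    return shannon_entropy(basename_without_exe(name).encode()) > threshold


def max_entropy_bits(length: int) -> float:
    """Upper bound for a string of the given length (all characters distinct)."""
    return math.log2(length) if length > 0 else 0.0


def min_length_for_threshold(threshold: float = THRESHOLD_BITS) -> int:
    """Smallest base-name length that can possibly exceed the threshold."""
    length = 1
    while max_entropy_bits(length) <= threshold:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed file names for the demo, not captured data.
    for name in (r"C:\Users\alice\Downloads\adobe_flash_player.exe",
                 "/tmp/abcdefghijklmnop.exe",
                 "0123456789abcdefghijklmnopqrstuv.exe"):
        base = basename_without_exe(name)
        print(f"{base!r:40} {shannon_entropy(base.encode()):.3f} bits "
              f"high={is_high_entropy_name(name)}")
    print("base name needs at least", min_length_for_threshold(), "chars to match")
```

The 16-character name above lands on exactly 4.0 bits and so does not match, which is the kind of blind spot worth knowing before tuning the threshold in the script.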

"http": {
    "hostname": "d2k1gzykfsah3o.cloudfront.net",
    "url": "/d1zei|m28l4au/adobe_flash_player.exe",
    "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0",
    "http_content_type": "application/octet-stream",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "status": 200,
    "length": 2235
}

Suricata 2.0

Date: 2014/03

Bring interoperability

−Get rid of file parser hell

−Allow rapid extension of events

−Follow the switch from custom tools to generic log handling tools

JSON output

−For NSM data

−For alerts

Include basic information

Enrich with protocol metadata

Alert in JSON format

Banker malware: spy.banker.ACUT (sid 2024099)

The signature

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Banker.ACUT CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library)|0d 0a|"; http_header; fast_pattern:12,20; content:"plugin="; http_client_body; depth:7; content:"&windows="; http_client_body; content:"&user="; http_client_body; content:"&av="; http_client_body; content:"&bs="; http_client_body; content:!"Referer|3a|"; http_header; sid:2024099; rev:2;)

Sample

Exfiltrate information

−Username

−…

−Antimalware presence

Pimp your Banker malware

Let’s get these data

−They are in the POST

−We can extract them

−Just need to extend the signature

Capture the value

−Add them to the JSON

−Let’s check the manual

−Or Victor Julien’s blog: https://blog.inliniac.net/2016/12/20/suricata-bits-ints-and-vars/

Banker malware: orange like a pcre

●Convert to Suricata 5.0

●Not needed but more convenient

●The basic match:

●http.request_body; content:"plugin="; depth:7; content:"&windows="; content:"&user="; content:"&av="; content:"&bs=";

●Add information via additional pcre keywords

●pcre:"/&user=(.+)&/G,flow:username";

●pcre:"/&windows=(.+)&/G,flow:windows";

●pcre:"/&av=(.+)&/G,flow:av";

Banker malware: enjoy
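The `/G` modifier on those pcre keywords is what keeps the captures usable: it inverts the greediness of the quantifier, so `(.+)&` stops at the first delimiter instead of the last one. As an added illustration (example code for this page, not the deck's; the body string is constructed, not a captured sample) the same three captures are run in Python in greedy form, in the non-greedy form `/G` produces, and with an explicit `[^&]+` class that needs no modifier:

```python
import re

# Constructed checkin body shaped like the fields the signature matches
# (made up for this example, not a captured sample).
SAMPLE_BODY = "plugin=1&windows=Windows 10&user=alice&av=Defender&bs=64"

# The slide's capture groups as written, greedy: ".+" runs to the last "&"
# it can find, so the capture swallows the fields that follow.
GREEDY = {
    "username": re.compile(r"&user=(.+)&"),
    "windows": re.compile(r"&windows=(.+)&"),
    "av": re.compile(r"&av=(.+)&"),
}

# What the /G modifier does to those same expressions: inverted greediness,
# so ".+" stops at the first "&" after the value.
LAZY = {
    "username": re.compile(r"&user=(.+?)&"),
    "windows": re.compile(r"&windows=(.+?)&"),
    "av": re.compile(r"&av=(.+?)&"),
}

# An equivalent that does not depend on a modifier: exclude the delimiter
# from the capture class.
EXPLICIT = {
    "username": re.compile(r"&user=([^&]+)&"),
    "windows": re.compile(r"&windows=([^&]+)&"),
    "av": re.compile(r"&av=([^&]+)&"),
}


def extract(body: str, patterns: dict) -> dict:
    """Apply each capture to the body; each value is what would end up in
    the named flow variable and then in the alert's JSON."""
    found = {}
    for var, rx in patterns.items():
        m = rx.search(body)
        if m:
            found[var] = m.group(1)
    return found


if __name__ == "__main__":
    for label, pats in (("greedy", GREEDY), ("/G", LAZY), ("[^&]+", EXPLICIT)):
        print(f"{label:>7}: {extract(SAMPLE_BODY, pats)}")
```

Note that the greedy `av` capture happens to be right only because `av=` is the second-to-last field; `username` and `windows` come out polluted with the trailing fields.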

Additional information available in the alert event:

Suricata 3.0

Date: 2016/01

Mitigate multi-step attacks

−Xbits to cross flow boundaries

Suricata 4.0

Date: 2017/07

Limit risk of compromise

−Attack on the engine itself

−Suricata parses the worst user data ever

Introduction of Rust

−For protocol parsing via Nom, a parser writing framework

Suricata 4.1

Date: 2018/11

Continue to see things in a TLS world

−Samba addition

−TLS JA3

Support growing network speed

−eXtreme Data Path

−Bypass

TLS JA3

Identify TLS client implementation

Developed by 3 JA at Salesforce

The Elephant flow problem

XDP

●eBPF

−Extended Berkeley Packet Filter

−Share data structures between user space and kernel space

−Program filter in C code

−Available in different kernel hooks

●eXtreme Data Path

−Run eBPF code in the network driver or earlier

−On each packet, take a decision:

•Accept

•Drop

•Transfer

XDP bypass
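As an added user-space model (written for this page; neither Suricata's nor the kernel's code) of the mechanism the bypass slides describe: a flow table shared between user space and the XDP program, Suricata inserting flows to bypass, and the kernel dropping and counting the packets of those flows before they ever reach the engine. The classes and functions are this example's own, the packets are constructed, and the choice to fold both directions of a flow onto one canonical key is a design assumption of the model, not a statement about the real eBPF map layout.

```python
from collections import namedtuple

# Illustrative model only: in the real deployment the table is an eBPF map
# shared between Suricata (user space) and an XDP program (kernel).
FlowKey = namedtuple("FlowKey", "proto src_ip src_port dst_ip dst_port")
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port length")

XDP_PASS = "XDP_PASS"  # hand the packet up the normal path, Suricata sees it
XDP_DROP = "XDP_DROP"  # discard at the driver, Suricata never sees it


def canonical_key(pkt):
    """Order the two endpoints so both directions of a flow map to one entry
    (assumption of this model; a kernel program could also keep one entry
    per direction)."""
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    lo, hi = (a, b) if a <= b else (b, a)
    return FlowKey(pkt.proto, lo[0], lo[1], hi[0], hi[1])


class BypassTable:
    """The shared flow table: key -> packet and byte counters."""

    def __init__(self):
        self.flows = {}

    def add_bypass(self, pkt):
        """Suricata side: once a flow is classified (e.g. an elephant flow
        whose payload no longer needs inspection), register it for bypass."""
        self.flows.setdefault(canonical_key(pkt), {"packets": 0, "bytes": 0})

    def xdp_prog(self, pkt):
        """Kernel side: runs per packet at the driver hook. Bypassed flows are
        dropped and accounted; everything else continues to Suricata."""
        entry = self.flows.get(canonical_key(pkt))
        if entry is None:
            return XDP_PASS
        entry["packets"] += 1
        entry["bytes"] += pkt.length
        return XDP_DROP

    def accounting(self, pkt):
        """Suricata side: read the kernel's counters for a flow, which is what
        lets it expire idle bypassed flows and keep flow statistics."""
        return dict(self.flows.get(canonical_key(pkt), {"packets": 0, "bytes": 0}))

    def remove_bypass(self, pkt):
        """Suricata side: drop the entry once the flow has timed out."""
        return self.flows.pop(canonical_key(pkt), None)


def demo_scenario():
    """Constructed traffic: one large transfer seen in both directions plus an
    unrelated flow on a neighbouring port. Returns (decision before bypass,
    decisions after bypass, counters read back by Suricata)."""
    table = BypassTable()
    c2s = Packet("tcp", "10.0.0.5", 40000, "10.0.0.9", 443, 1500)
    s2c = Packet("tcp", "10.0.0.9", 443, "10.0.0.5", 40000, 1400)
    other = Packet("tcp", "10.0.0.5", 40001, "10.0.0.9", 443, 100)
    before = table.xdp_prog(c2s)            # not yet bypassed
    table.add_bypass(c2s)                   # Suricata decides to bypass it
    after = (table.xdp_prog(c2s), table.xdp_prog(s2c), table.xdp_prog(other))
    return before, after, table.accounting(c2s)


if __name__ == "__main__":
    print(demo_scenario())
```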

Maintain a flow table

−Shared between kernel and user space

Suricata adds flows to bypass

Kernel

−Drops packets from flows in the table

−Does accounting

Impact on performance

Suricata 5.0

Date: 2019/10

Identify TLS server too

−TLS JA3s

Data sharing time with MISP and other software

−List handling for IOC and more

−Switch to sticky buffers and datasets

IOC checking

●Load lists and use them in signatures:

alert dns any any -> any any (msg:"bad domain (via DNS)"; dns.query; dataset:isset,dns-bl; sid:1; rev:1;)

alert http any any -> any any (msg:"bad domain (via HTTP)"; http.host; dataset:isset,dns-bl; sid:2; rev:1;)

●Incremental update via unix socket:

dataset-add myset string Z29vZ2xlLmNvbQ==

●Available on over 40 different fields

−any sticky buffer

●Update from the packet path

alert dns any any -> any any (dns.query; to_sha256; dataset:set,dns-sha256-seen; noalert; sid:3; rev:1;)

Build dataset from data path

Http user agent

alert http any any -> any any (msg:"First seen HTTP user agent"; http.user_agent; dataset:isnotset,http-user-agent,type string,state http-user-agent.lst; dataset:set,http-user-agent,type string,state http-user-agent.lst; sid:1; rev:1;)

Resulting alert events

Building our data set

JQ to the rescue

cat eve.json | jq 'select(.event_type=="alert")|{"first_seen":.timestamp, "user-agent":.http.http_user_agent}' -c

Connect with Suricata
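As an added example for the two dataset slides above, the "first seen" user-agent rule and the jq one-liner (example code for this page, not the deck's or Suricata's; the eve.json lines are constructed, and the helper names are this example's own): the jq selection done in Python, plus the encoding that dataset files and `dataset-add` carry, base64 of the raw value for `string` datasets (the `Z29vZ2xlLmNvbQ==` on the IOC slide decodes to `google.com`) and the hex digest for `sha256` datasets, which is what the `to_sha256` transform produces.

```python
import base64
import hashlib
import json

# Constructed eve.json lines (made up for this example, not a real capture):
# two alerts from the "First seen HTTP user agent" rule and one plain http event.
EVE_LINES = [
    json.dumps({"timestamp": "2020-02-25T10:00:00.000000+0000", "event_type": "alert",
                "alert": {"signature_id": 1, "signature": "First seen HTTP user agent"},
                "http": {"hostname": "example.test",
                         "http_user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0"}}),
    json.dumps({"timestamp": "2020-02-25T10:00:01.000000+0000", "event_type": "http",
                "http": {"hostname": "example.test", "http_user_agent": "curl/7.68.0"}}),
    json.dumps({"timestamp": "2020-02-25T10:00:02.000000+0000", "event_type": "alert",
                "alert": {"signature_id": 1, "signature": "First seen HTTP user agent"},
                "http": {"hostname": "example.test", "http_user_agent": "curl/7.68.0"}}),
]


def first_seen_user_agents(lines):
    """Python equivalent of the jq filter: keep alert events only and reduce
    each to its timestamp and HTTP user agent."""
    records = []
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        records.append({"first_seen": event["timestamp"],
                        "user-agent": event.get("http", {}).get("http_user_agent")})
    return records


def dataset_line(value, dtype="string"):
    """Encode one value the way dataset files and `dataset-add` carry it:
    string datasets hold the base64 of the raw bytes, sha256 datasets hold
    the hex digest (what the to_sha256 transform produces from a buffer)."""
    raw = value.encode() if isinstance(value, str) else value
    if dtype == "string":
        return base64.b64encode(raw).decode()
    if dtype == "sha256":
        return hashlib.sha256(raw).hexdigest()
    raise ValueError(f"unsupported dataset type: {dtype}")


def build_user_agent_dataset(lines):
    """Distinct user agents from the alerts, one base64 line each, ready to be
    written to http-user-agent.lst or fed to dataset-add."""
    seen = []
    for record in first_seen_user_agents(lines):
        ua = record["user-agent"]
        if ua and ua not in seen:
            seen.append(ua)
    return [dataset_line(ua) for ua in seen]


if __name__ == "__main__":
    for record in first_seen_user_agents(EVE_LINES):
        print(json.dumps(record))
    print("\n".join(build_user_agent_dataset(EVE_LINES)))
```

Keeping the state file base64-encoded is what lets arbitrary bytes in a user agent survive a line-oriented file; decode with `base64 -d` when reviewing the list by hand.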

●Mob league

−Bring Suricata to academics

−Scholarship to attend Suricata

●Suricon

−Yearly conference (Boston 2020)

−From developer to user

●Outreachy

●Training

−Threat hunting with Suricata

−Advanced deployment

−On prem

−Online

−Sig Dev

−Developer

Conclusion

●Suricata is a well established engine

●Evolving for 10 years

●Community driven development

●Bring it on

−Feedback

−Bug report

−Contributions

Questions?

●Suricata & OISF:

−Homepage: http://www.suricata-ids.org/

−OISF: https://www.oisf.net/

−Online doc: https://suricata.readthedocs.io/

−Suricon: https://suricon.net/

●Try Suricata:

−SELKS: https://www.stamus-networks.com/scirius-open-source

−Security Onion: https://securityonion.net/

●Stamus Networks

−https://www.stamus-networks.com/

●Peter Manev

−@pevma on Twitter

●Eric Leblond

−@regiteric on Twitter