How with Suricata you save the world - NDH2K14

How with Suricata you save the world
Last night the Suricate saved my life

The gang
● Sébastien Larinier
○ Member of the Honeynet Project
○ Co-organizer of Botconf
○ CTO of CERT Sekoia
● Éric Leblond
○ Member of the Netfilter core team
○ Suricata core developer
○ Co-founder of Stamus Networks

IDS
It hurts, but at least you know why.

IDS: Intrusion Detection System
● Intrusion detection sensor
○ HIDS: host
■ analyzes the OS to detect compromises
○ NIDS: network
■ security analysis of network traffic
■ varied technologies: signature-based, behavioral
● Open source NIDS:
○ Snort, Bro, Suricata

IDS and NSM
Signature-based IDS
● Searches for known patterns
● One signature per CVE
Network Security Monitoring
● Analysis and storage of network traces
○ storage of the requests
● Full capture
● Goals: forensics and detection

The IDS's job

Operating modes
Offline
● Analysis of pcap files
● Used for
○ malware analysis
○ after-the-fact investigation
Live
● Sniffing an interface
○ pcap
○ dedicated capture cards
● IPS
○ Layer 2
○ Layer 3 (Netfilter)

Suricata: IDS and NSM
● GPLv2
● developed by a foundation, the OISF
● Multithreaded
● Protocol recognition
● File extraction

Inputs and outputs
● IDS
○ PCAP
○ AF_PACKET, pf_ring
○ capture cards
● IPS
○ Netfilter, ipfw
○ AF_PACKET bridge
● Alerts
○ fast.log
○ Unified2
○ EVE JSON
● NSM
○ HTTP, File, DNS, SSH, TLS
○ Flat file and EVE

SELKS
Let's talk about SELKS

SELKS
● A live and installable distribution
○ Suricata
○ Elasticsearch: database / search engine
○ Logstash: from the files to the database
○ Kibana: web analysis interface
○ Scirius: web interface for signature management
● Signature management and analysis through the web
● Based on Debian Live
● Source: https://github.com/StamusNetworks/SELKS

How to try it?
1. Download from https://www.stamus-networks.com/open-source/#selks
2. Start a VM
○ minimum 1 core and 3 GB
○ 2 cores and 4 GB recommended
○ network interface
■ in bridge mode
■ promiscuous mode enabled
○ the downloaded ISO used as the CD

Kibana

Drill down on libssh2_1.4.2

Demonstration
● NSM functions
○ Traffic analysis during a web request
■ HTTP and DNS dashboards
○ Twitter test
■ TLS and DNS
● "Drill down" approach
○ Time filter
○ Magnifier selector
○ Filter

Build Your Own Dashboard
● Create queries to define sets
○ Lucene Query Syntax
○ Tutorial: http://www.lucenetutorial.com/lucene-query-syntax.html
● Add a panel
○ Choose the type
○ Choose the queries

Hacking EVE
Let's start to play

EVE
● Suricata 2.0 introduced the EVE format
○ Logging in JSON format
○ A single file
○ Support for alerts and events
● The JSON format allows
○ Easy integration with Logstash or Splunk
○ Quick development of tools

Example JSON event

DOM
● A fail2ban-like tool
○ Parses the EVE file
○ Detects SSH events
○ Adds the source IPs to an IPset set
■ Used in iptables filtering
■ Blacklist or other
● Benefits
○ Blocking scans (DOM, it nails too many scans)
○ Redirection to a honeypot

KISS DOM code

Using DOM
● Create the IPset set
ipset create libssh hash:ip
● Start DOM
./dom -f /usr/local/var/log/suricata/eve.json -s libssh -m OpenSSH -i
● Download: https://github.com/regit/DOM
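As an added example, not DOM's own code and not anything from the regit/DOM project, here is the core of such a watcher in Python. It reads EVE ssh events, applies a banner match that can be inverted (the reading of DOM's -m/-i options assumed here: with -i, every client whose banner is not OpenSSH gets selected), skips addresses in networks you exclude, and builds the `ipset add` commands. The eve.json lines are constructed; the function names and the exclude option are this example's own.

```python
"""DOM-style eve.json watcher: pick SSH clients out of EVE events and feed an ipset.

Added example in the spirit of DOM; not regit/DOM's code. The "ssh" event layout
(ssh.client.software_version) follows Suricata 2.0's EVE format.
"""
import ipaddress
import json
import subprocess

# Constructed sample eve.json lines (not real traffic): one OpenSSH client, two
# non-OpenSSH clients, an unrelated HTTP event and a line cut mid-write.
SAMPLE_EVE = r'''
{"timestamp":"2014-04-27T05:12:19.430121","event_type":"ssh","src_ip":"10.0.0.5","src_port":40111,"dest_ip":"10.0.0.22","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"OpenSSH_6.6"},"server":{"proto_version":"2.0","software_version":"OpenSSH_6.2"}}}
{"timestamp":"2014-04-27T05:12:20.001000","event_type":"ssh","src_ip":"203.0.113.7","src_port":51000,"dest_ip":"10.0.0.22","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"libssh2_1.4.2"},"server":{"proto_version":"2.0","software_version":"OpenSSH_6.2"}}}
{"timestamp":"2014-04-27T05:12:21.500000","event_type":"http","src_ip":"203.0.113.7","src_port":51001,"dest_ip":"10.0.0.22","dest_port":80,"proto":"TCP","http":{"hostname":"10.0.0.22","url":"/"}}
{"timestamp":"2014-04-27T05:12:22.250000","event_type":"ssh","src_ip":"198.51.100.9","src_port":60222,"dest_ip":"10.0.0.22","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"PuTTY_Release_0.63"},"server":{"proto_version":"2.0","software_version":"OpenSSH_6.2"}}}
{"timestamp":"2014-04-27T05:12:23.000000","event_type":"ssh","src_ip":"203.0.113.7","src_port":51
'''


def iter_events(lines):
    """Yield decoded EVE events; a file being written can end mid-line, so a
    watcher skips what does not parse instead of dying."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except ValueError:
            continue


def client_banner(event):
    """SSH client software banner of an EVE ssh event, or None."""
    try:
        return event["ssh"]["client"]["software_version"]
    except (KeyError, TypeError):
        return None


def select_ssh_clients(lines, match="OpenSSH", invert=False, exclude=()):
    """Source IPs of SSH clients whose banner contains `match`, or, with
    invert=True, does not contain it (assumed meaning of DOM's -m/-i).
    Addresses inside the `exclude` networks (your own jump hosts) are never selected."""
    safe = [ipaddress.ip_network(n) for n in exclude]
    hits = set()
    for ev in iter_events(lines):
        if ev.get("event_type") != "ssh":
            continue
        banner = client_banner(ev)
        if banner is None:
            continue
        if (match in banner) == invert:   # drop matches when not inverted, non-matches when inverted
            continue
        try:
            addr = ipaddress.ip_address(ev.get("src_ip"))
        except ValueError:
            continue
        if any(addr in net for net in safe):
            continue
        hits.add(str(addr))
    return hits


def ipset_commands(ips, setname):
    """`ipset add` command lines; -exist makes re-adding a known IP a no-op."""
    return [["ipset", "add", setname, ip, "-exist"] for ip in sorted(ips)]


def apply(ips, setname, dry_run=True):
    """Run the commands (root, and the set created beforehand with `ipset create <set> hash:ip`)."""
    cmds = ipset_commands(ips, setname)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    blocked = select_ssh_clients(SAMPLE_EVE.splitlines(), match="OpenSSH", invert=True, exclude=["10.0.0.0/8"])
    for cmd in apply(blocked, "libssh"):
        print(" ".join(cmd))
```

Banner matching is deliberately coarse: with the inverted OpenSSH match, everything that is not OpenSSH is selected, which catches the libssh2 and PuTTY based scanners seen in the Kibana drill-down but also any legitimate user on a non-OpenSSH client, hence the exclude list. Run with dry_run=False only once the set exists and the iptables rules that consume it are in place.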

pshitt
● Passwords of SSH Intruders Transferred to Text
○ A fake SSH server to collect passwords
○ JSON output
● pshitt:
○ Origin of the name:
■ "They [the attacks] go pshitt" (Jacques Chirac)
○ Developed in Python, based on paramiko

Setting it up
● Start pshitt
cd pshitt
./pshitt
● Netfilter configuration
iptables -A PREROUTING -t nat -m set --match-set libssh src -i eth0 \
    -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2200
○ only sources already in the libssh set are redirected to the honeypot on port 2200; every other client still reaches the real sshd on port 22

Passwords to avoid

Malware
Catching malware

Extracting files from flows
● Configure a .rules file
● Configure suricata.yaml
○ Enable the .rules file
○ Log the magic of the files
○ Log the MD5 of the file
● repository: /var/log/suricata/files

The .rules file
● Create files.rules
● Copy it into /etc/suricata/rules/
● Rule syntax:
○ alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)
○ sid:1 works but clashes easily with other rulesets; local rules conventionally use sids from 1000000 upward

The .yaml
● add files.rules to the rules section
default-rule-path: /etc/suricata/rules
rule-files:
  - files.rules
  - emerging-all.rules

The .yaml
● Configure logging (files goes under the eve-log output's types, file-store is its own output):
  - files:
      force-magic: yes   # force logging magic on all logged files
      force-md5: yes     # force logging of md5 checksums

  - file-store:
      enabled: yes       # set to yes to enable
      log-dir: files     # directory to store the files
      force-magic: yes   # force logging magic on all stored files
      force-md5: yes     # force logging of md5 checksums
● MD5 computation needs a Suricata build with libnss support; without it the md5 fields never appear

And the result:
● eve.json:
○ {"timestamp":"2014-04-27T05:12:19.430121","pcap_cnt":428773,"event_type":"alert","src_ip":"95.211.128.101","src_port":80,"dest_ip":"192.168.204.215","dest_port":50588,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2018031,"rev":2,"signature":"ET CURRENT_EVENTS Hostile _dsgweed.class JAR exploit","category":"A Network Trojan was detected","severity":1}}
○ {"timestamp":"2014-04-27T05:12:20.047905","pcap_cnt":428799,"event_type":"alert","src_ip":"95.211.128.101","src_port":80,"dest_ip":"192.168.204.215","dest_port":50588,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2013037,"rev":7,"signature":"ET POLICY Java EXE Download","category":"A Network Trojan was detected","severity":1}}
○ {"timestamp":"2014-04-27T05:12:24.561932","pcap_cnt":428901,"event_type":"fileinfo","src_ip":"95.211.128.101","src_port":80,"dest_ip":"192.168.204.215","dest_port":50587,"proto":"TCP","http":{"url":"/1398547200.jar","hostname":"1315620091-6.babyserr.ru","http_user_agent":"Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_13"},"fileinfo":{"filename":"1315620091.jar","magic":"Java Jar file data (zip)","state":"CLOSED","md5":"52c07b18e0508bb805e7a06054a997de","stored":false,"size":3819}}

And the result:
● On the filesystem:
○ file.*
● But where is the MD5?

Let's Hack Baby

Results
● Malware: ok
● For a single analysis: ok
● But what if I want to industrialize?

Threat intelligence
My precious!

Threat Intel: what is it?
● A collection of indicators of compromise:
○ IPs
○ domains
○ file metadata
○ vulnerabilities used
○ vector

Threat Intelligence VS Suricata
OH WAIT!

Suricata: two modes
● Online
○ suricata -i eth0 -c /etc/suricata/suricata.yaml
● Offline:
○ suricata -c /etc/suricata/suricata.yaml --unix-socket

Suricata: unix-socket mode
● Send me the pcaps, my love!
○ the daemon stays up and pcaps are queued through the socket (suricatasc's pcap-file command), each with its own output directory
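Added example, not from the slides or the Suricata project: a minimal Python client for the unix socket, the piece a pipeline needs to feed pcaps to a long-running offline Suricata. It assumes the protocol spoken by the suricatasc client shipped with Suricata: a {"version": "0.1"} greeting, then JSON command objects such as pcap-file with filename and output-dir arguments, each answered by a JSON object carrying return ("OK" or "NOK") and message. The newline after each client message and the FakeSuricataListener class are this example's own additions so the exchange can run without a daemon; the socket path, pcap path and output directory are placeholders.

```python
"""Queue pcaps into a Suricata started with --unix-socket.

Added example (not from the slides or the Suricata project). Assumed protocol,
as spoken by the bundled suricatasc client: greet with {"version": "0.1"},
then send JSON command objects; each reply is a JSON object with "return"
("OK"/"NOK") and "message". The trailing newline and the fake listener are
this example's own additions.
"""
import json
import os
import socket
import tempfile
import threading

PROTOCOL_VERSION = "0.1"   # greeting accepted by Suricata 2.x (assumption)


class SuricataSocket:
    def __init__(self, path, timeout=10.0):
        self.path, self.timeout, self.sock = path, timeout, None

    def _send(self, obj):
        self.sock.sendall((json.dumps(obj) + "\n").encode())

    def _recv(self):
        buf = b""
        while True:                      # replies are not newline-delimited: read until the JSON parses
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("Suricata closed the socket")
            buf += chunk
            try:
                return json.loads(buf.decode())
            except ValueError:
                continue

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.path)
        self._send({"version": PROTOCOL_VERSION})
        reply = self._recv()
        if reply.get("return") != "OK":
            raise RuntimeError("handshake refused: %s" % reply.get("message"))

    def command(self, name, arguments=None):
        msg = {"command": name}
        if arguments:
            msg["arguments"] = arguments
        self._send(msg)
        reply = self._recv()
        if reply.get("return") != "OK":
            raise RuntimeError("%s failed: %s" % (name, reply.get("message")))
        return reply.get("message")

    def submit_pcap(self, pcap, output_dir):
        """Queue one pcap; Suricata writes that file's eve.json under output_dir."""
        return self.command("pcap-file", {"filename": pcap, "output-dir": output_dir})

    def close(self):
        self.sock.close()


class FakeSuricataListener(threading.Thread):
    """Constructed stand-in for the daemon so the exchange runs offline; records every message."""
    def __init__(self, path):
        super().__init__(daemon=True)
        self.path, self.received, self.ready = path, [], threading.Event()

    def run(self):
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(self.path)
        srv.listen(1)
        srv.settimeout(5)
        self.ready.set()
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as lines:
            self.received.append(json.loads(lines.readline()))          # version greeting
            conn.sendall(json.dumps({"return": "OK"}).encode())
            for line in lines:                                          # until the client hangs up
                msg = json.loads(line)
                self.received.append(msg)
                if msg["command"] == "pcap-file":
                    reply = {"return": "OK", "message": "pcap %s added to list" % msg["arguments"]["filename"]}
                elif msg["command"] == "pcap-file-number":
                    reply = {"return": "OK", "message": sum(1 for m in self.received if m.get("command") == "pcap-file")}
                else:
                    reply = {"return": "NOK", "message": "Unknown command"}
                conn.sendall(json.dumps(reply).encode())
        srv.close()


def run_demo(pcap="/data/pcaps/sample.pcap", output_dir="/var/log/suricata/sample"):
    """Queue one pcap against the fake listener; returns both sides' view of the exchange."""
    with tempfile.TemporaryDirectory() as d:
        listener = FakeSuricataListener(os.path.join(d, "suricata-command.socket"))
        listener.start()
        listener.ready.wait(5)
        client = SuricataSocket(listener.path)
        client.connect()
        try:
            ack = client.submit_pcap(pcap, output_dir)
            queued = client.command("pcap-file-number")
        finally:
            client.close()
        listener.join(5)
    return {"ack": ack, "queued": queued, "received": listener.received}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Against a real daemon, point SuricataSocket at the socket path from suricata.yaml's unix-command section and drop the listener; output-dir must exist and be writable by the Suricata user, and the queue is processed sequentially, so poll pcap-file-number before submitting large batches.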

Threat Intelligence VS Suricata
● I need to reassemble my data, which sits in my eve.json:
○ Push into Redis
○ Reassemble the data

Suricata loves Redis

Threat Intelligence VS Suricata
● Result (the Redis value, shown decoded):
{"files": [{"magic": "PE32 executable (GUI) Intel 80386, for MS Windows", "filename": "flashplayer11_7r22082_216_win.exe", "state": "CLOSED", "stored": false, "md5": "f326b9e4a8c734dee5d8a04d712c5f28", "size": 3826}],
 "alerts": ["ET INFO EXE - Served Inline HTTP", "FILE store all", "ET CURRENT_EVENTS Fiesta - Payload - flashplayer11", "FILE store all", "ET CURRENT_EVENTS Fiesta - Payload - flashplayer11", "ET CURRENT_EVENTS Fiesta - Payload - flashplayer11"],
 "http": [{"url": "/fvchd56/?180ec0511077e4e25440555e510b07030100025e5752050a040a560407520650;1;6", "hostname": "a.pimpmycar.ro", "http_user_agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"}]}
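The reassembly step, as an added example that is not the code behind the slides (the "Suricata loves Redis" slides above): it groups the alert, http and fileinfo events of eve.json per connection and emits the same {"files", "alerts", "http"} document as the result above, then checks that document against an indicator list of the kind described on the threat-intel slide. The events on the slides carry no flow identifier, so grouping is by 5-tuple, normalised so both directions of a connection land in one bucket. An in-memory dict keyed like a Redis key stands in for Redis; the eve.json excerpt reuses values from the slides but is constructed, and the feed of indicators is constructed too.

```python
"""Reassemble per-connection context from eve.json and check it against IoCs.

Added example, not the code behind the slides. An in-memory dict keyed like a
Redis key stands in for Redis; to_redis_value() gives the string you would
SET under that key. Grouping is by normalised 5-tuple because the 2.0 EVE
events on the slides carry no flow identifier.
"""
import json

# Constructed eve.json excerpt (values borrowed from the slides, not a real capture):
# one HTTP connection serving an exploit-kit payload, plus an unrelated DNS event.
SAMPLE_EVE = r'''
{"timestamp":"2014-04-27T05:12:19.430121","event_type":"alert","src_ip":"95.211.128.101","src_port":80,"dest_ip":"192.168.204.215","dest_port":50588,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2013037,"rev":7,"signature":"ET POLICY Java EXE Download","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2014-04-27T05:12:19.500000","event_type":"http","src_ip":"192.168.204.215","src_port":50588,"dest_ip":"95.211.128.101","dest_port":80,"proto":"TCP","http":{"hostname":"a.pimpmycar.ro","url":"/fvchd56/?1;6","http_user_agent":"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"}}
{"timestamp":"2014-04-27T05:12:20.047905","event_type":"alert","src_ip":"95.211.128.101","src_port":80,"dest_ip":"192.168.204.215","dest_port":50588,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"FILE store all","category":"","severity":3}}
{"timestamp":"2014-04-27T05:12:24.561932","event_type":"fileinfo","src_ip":"95.211.128.101","src_port":80,"dest_ip":"192.168.204.215","dest_port":50588,"proto":"TCP","http":{"hostname":"a.pimpmycar.ro","url":"/fvchd56/?1;6","http_user_agent":"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"},"fileinfo":{"filename":"flashplayer11_7r22082_216_win.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","state":"CLOSED","md5":"f326b9e4a8c734dee5d8a04d712c5f28","stored":false,"size":3826}}
{"timestamp":"2014-04-27T05:12:25.000000","event_type":"dns","src_ip":"192.168.204.215","src_port":53021,"dest_ip":"192.168.204.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"a.pimpmycar.ro","rrtype":"A"}}
'''


def flow_key(ev):
    """Direction-independent key for one connection, in the shape of a Redis key."""
    a = (ev["src_ip"], ev["src_port"])
    b = (ev["dest_ip"], ev["dest_port"])
    lo, hi = sorted([a, b])
    return "flow:%s:%s:%d:%s:%d" % (ev["proto"], lo[0], lo[1], hi[0], hi[1])


def reassemble(lines):
    """Group alerts, HTTP requests and files per connection; other event types are ignored."""
    store = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue                      # partially written line, skip it
        kind = ev.get("event_type")
        if kind not in ("alert", "http", "fileinfo"):
            continue
        doc = store.setdefault(flow_key(ev), {"files": [], "alerts": [], "http": []})
        if kind == "alert":
            doc["alerts"].append(ev["alert"]["signature"])
        if kind == "fileinfo":
            doc["files"].append(ev["fileinfo"])
        if "http" in ev and ev["http"] not in doc["http"]:   # fileinfo repeats the request; keep one copy
            doc["http"].append(ev["http"])
    return store


def match_iocs(doc, md5s=(), domains=()):
    """Indicators from the feed that hit this connection, as (kind, value) pairs."""
    hits = []
    for f in doc["files"]:
        if f.get("md5") in md5s:
            hits.append(("md5", f["md5"]))
    for h in doc["http"]:
        if h.get("hostname") in domains:
            hits.append(("domain", h["hostname"]))
    return hits


def to_redis_value(doc):
    """Serialise as the slide stores it: one JSON string per connection."""
    return json.dumps(doc)


if __name__ == "__main__":
    feed_md5s = {"f326b9e4a8c734dee5d8a04d712c5f28"}   # constructed feed, not a published indicator list
    feed_domains = {"a.pimpmycar.ro"}
    for key, doc in reassemble(SAMPLE_EVE.splitlines()).items():
        print(key, to_redis_value(doc))
        print("  IoC hits:", match_iocs(doc, feed_md5s, feed_domains))
```

With Redis in place of the dict, each event becomes an RPUSH onto the connection's key and reassembly is a read of that list, which lets several Suricata instances feed one store; the md5 field only exists when Suricata was built with libnss support, so match_iocs treats a missing md5 as a miss rather than an error.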

Threat Intelligence VS Suricata
● Yes we can!

Threat Intelligence VS Suricata
● Find feeds!
○ malware-traffic.com

A little crawler