Suricata IDPS and Linux kernel


Suricata IDPS and Linux kernel
É. Leblond, G. Longo (Stamus Networks)
February 10, 2016

Outline
1. Suricata
   - Introduction
   - Streaming
   - Performance
2. Suricata and Linux kernel
   - AF_PACKET
   - NFQUEUE
3. Suricata and offloading
   - Interest of offloading
   - Implementation of framework
   - Use it with NFQ
   - Other methods
4. Conclusion


What is Suricata
- IDS and IPS engine
- Get it here: http://www.suricata-ids.org
- Open source (GPLv2)
- Initially publicly funded, now funded by consortium members
- Run by the Open Information Security Foundation (OISF)
- More information about OISF at http://www.openinfosecfoundation.org/

Suricata features
- High performance, scalable through multi-threading
- Advanced protocol handling
  - Protocol recognition
  - Protocol analysis: field extraction, filtering keywords
  - Transaction logging in extensible JSON format
  - File identification, extraction and on-the-fly MD5 calculation (HTTP, SMTP)
  - TLS handshake analysis, to detect/prevent things like DigiNotar
- Lua scripting for detection
- Hardware acceleration support: Endace, Napatech, CUDA, PF_RING

Suricata capture modes
IDS
- pcap: multi-OS capture
- af_packet: Linux, high performance on a vanilla kernel
- netmap: FreeBSD, high performance
- NFLOG: Netfilter logging
IPS
- NFQUEUE: using Netfilter on Linux
- ipfw: using a divert socket on FreeBSD
- af_packet: level 2 software bridge
Offline analysis
- pcap: analyse pcap files
- Unix socket: use Suricata for fast batch processing of pcap files


Evasion techniques
Fooling detection
- Get your activity unnoticed
- Complete your attack and stay in place
Principle
- Signature-based IDS rely on packet content
- Modification of the traffic can be used to avoid detection, without changing the impact of the attack

Playing on interpretation issues
OS-based evasion
- All OSes do not react the same way
- RFCs are incomplete; improvisations have been made
- Variations of traffic for the same flow are possible
- Overlapping fragments
Application-based evasion
- Different servers can treat the same request differently
- Web servers do not agree on how to treat an argument that is given twice

Personality
- IDS implement personalities
- It is possible to associate a network with an OS type
- For Suricata, HTTP servers can be personified too

Suricata configuration:

    host-os-policy:
      # Make the default policy windows.
      windows: [0.0.0.0/0]
      bsd: []
      bsd-right: []
      old-linux: []
      linux: [10.0.0.0/8]

Suricata reconstruction and normalization


A typical signature example

Signature example: Facebook chat

    alert http $HOME_NET any -> $EXTERNAL_NET any \
        (msg:"ET CHAT Facebook Chat (send message)"; \
        flow:established,to_server; content:"POST"; http_method; \
        content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_host; \
        content:"netdev"; http_client_body; \
        reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat; \
        sid:2010784; rev:4;)

This signature tests:
- The HTTP method: POST
- The page: /ajax/chat/send.php
- The domain: facebook.com
- The body content: netdev

No passthrough
- All signatures are inspected
  - Different from a firewall
  - More than 15000 signatures in standard rulesets
- Optimizations in the detection engine
  - Tree pre-filtering approach to limit the set of signatures to test
  - Multi-pattern matching on some buffers

CPU intensive

Perf top

Scalability
- Bandwidth per core is limited
  - From 150 Mb/s to 500 Mb/s
- Scaling
  - Using RSS
  - Splitting the load on workers



AF_PACKET
Linux raw socket
- Raw packet capture method
- Socket based or mmap based
Fanout mode
- Load balancing over multiple sockets
- Multiple load balancing functions
  - Flow based
  - CPU based
  - RSS based

Suricata workers mode


The rollover option
Concept
- The ring buffer can fill up in a burst or because of a single flow
- Capture would gain from splitting a single intensive flow
- Rollover mode switches to the next socket when the ring is full
Problem with Suricata
- Suricata reconstructs the stream
- Rollover mode causes reordering of the stream
- Massive accuracy loss


NFQUEUE
It is used in Suricata to work in IPS mode, performing actions like DROP or ACCEPT on the packets: with NFQUEUE the kernel delegates the verdict on each packet to a userspace program. The following rules ask the userspace software connected to queue 0 for a decision:

    nft add rule filter forward queue num 0
    iptables -A FORWARD -j NFQUEUE --queue-num 0

NFQUEUE
The following steps explain how NFQUEUE works with Suricata in IPS mode:
1. An incoming packet matched by a rule is sent to Suricata through nfnetlink
2. Suricata receives the packet and issues a verdict depending on our ruleset
3. The packet is either transmitted or rejected by the kernel

NFQUEUE
The number of packets per second on a single NFQUEUE queue is limited due to the nature of nfnetlink communication. Batching verdicts can help, but does not bring an efficient improvement. Starting Suricata with multiple queues can improve it:

    suricata -c /etc/suricata/suricata.yaml -q 0 -q 1


Stream depth
Attack characteristics
- In most cases the attack is done at the start of the TCP session
- Generating requests prior to the attack is not common
- Multiple requests are often not even possible on the same TCP session
Stream reassembly depth
- Suricata reassembles TCP sessions up to stream.reassembly.depth bytes
- The stream is not analyzed once the limit is reached

Introducing offloading
Principle
- No need to get the packets from the kernel after the stream depth is reached
- If there is no file store or other operation
Usage
- Set the stream.offloading option to yes in the Suricata config file to offload



Implementation
Suricata update
- Add a callback function
- The capture method registers itself and provides a callback
- Suricata calls the callback when it wants to offload
Coded for NFQ
- Update the capture register function
- Write the callback function
  - Sets a mark with respect to a mask on the packet
  - The mark is set on the packet when issuing the verdict


nftables ruleset

    table ip filter {
        chain forward {
            type filter hook forward priority 0;
            # usual ruleset
        }
        chain ips {
            type filter hook forward priority 10;
            meta mark set ct mark
            mark 0x00000001 accept
            queue num 0
        }
        chain connmark_save {
            type filter hook forward priority 20;
            ct mark set mark
        }
    }


Results of iperf3 tests
Local testing
<marketing>local testing with offload is 90 times faster</marketing>


Selective offloading
Ignore some traffic
- Ignore intensive traffic like Netflix
- Can be done independently of the stream depth
- Can be done using generic or custom signatures
The offload keyword
- A new offload signature keyword
- Triggers offloading when the signature matches
Example of signature:

    alert http any any -> any any (content:"netdevconf.org"; \
        http_host; offload; sid:6666; rev:1;)
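An added model in C (not Suricata's code, nor anything from the slides) of the offload path described on slides 20 to 25: the capture method registers a callback, Suricata calls it when stream.reassembly.depth is reached or when a signature carrying the offload keyword matches, the NFQ callback sets mark 0x00000001 under a mask on the verdict, and the kernel side replays the ips and connmark_save chains of the nftables ruleset so that later packets of the flow are accepted before ever being queued. The 1 MB depth, the mask value, the flow struct and the sig_pkt trigger index are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OFFLOAD_MARK 0x00000001u   /* bit tested by chain ips: "mark 0x00000001 accept" */
#define OFFLOAD_MASK 0x00000001u   /* only this bit is touched when the verdict is issued */
#define STREAM_DEPTH 1048576u      /* stand-in for stream.reassembly.depth (assumed 1 MB) */

/* Simulated conntrack entry: the ct mark persists between packets of one flow. */
struct flow {
    uint32_t ct_mark;     /* kernel side: saved by chain connmark_save */
    uint32_t bytes_seen;  /* Suricata side: reassembled bytes so far */
    int queued;           /* packets that reached userspace through the queue */
    int bypassed;         /* packets accepted in chain ips without being queued */
};

/* The framework: a capture method registers a callback that Suricata calls to offload. */
typedef void (*offload_cb)(uint32_t *pkt_mark);
static offload_cb g_offload = NULL;
static void register_offload(offload_cb cb) { g_offload = cb; }

/* NFQ implementation of the callback: set the mark with respect to the mask.
 * In the real capture method the mark travels with the verdict over nfnetlink. */
static void nfq_offload(uint32_t *pkt_mark) {
    *pkt_mark = (*pkt_mark & ~OFFLOAD_MASK) | (OFFLOAD_MARK & OFFLOAD_MASK);
}

/* "Suricata": account the payload and ask to offload once the stream depth is
 * reached, or when a signature carrying the offload keyword matched (sig_hit). */
static void suricata_verdict(struct flow *f, uint32_t len, int sig_hit, uint32_t *pkt_mark) {
    f->bytes_seen += len;
    if ((f->bytes_seen >= STREAM_DEPTH || sig_hit) && g_offload)
        g_offload(pkt_mark);
}

/* Kernel side: the forward-hook chains of the slide's ruleset, in priority order. */
static void forward_packet(struct flow *f, uint32_t len, int sig_hit) {
    /* chain ips (priority 10): meta mark set ct mark; mark 0x00000001 accept; queue num 0 */
    uint32_t mark = f->ct_mark;
    if (mark & OFFLOAD_MARK) { f->bypassed++; return; }  /* accepted, never queued */
    f->queued++;
    suricata_verdict(f, len, sig_hit, &mark);            /* verdict comes back with the mark */
    /* chain connmark_save (priority 20): ct mark set mark */
    f->ct_mark = mark;
}

/* Push n packets of pkt_len bytes through one flow; sig_pkt is the 1-based index of
 * the packet on which an "offload" signature matches (0 = no such match). */
static struct flow run_flow(int n, uint32_t pkt_len, int sig_pkt) {
    struct flow f;
    memset(&f, 0, sizeof f);
    register_offload(nfq_offload);
    for (int i = 1; i <= n; i++)
        forward_packet(&f, pkt_len, i == sig_pkt);
    return f;
}

int main(void) {
    struct flow depth = run_flow(1000, 1500, 0);   /* depth reached on packet 700 */
    struct flow sig   = run_flow(1000, 1500, 5);   /* offload keyword matched on packet 5 */
    printf("depth: queued=%d bypassed=%d ct_mark=0x%08x\n", depth.queued, depth.bypassed, depth.ct_mark);
    printf("sig:   queued=%d bypassed=%d ct_mark=0x%08x\n", sig.queued, sig.bypassed, sig.ct_mark);
    return 0;
}
```

The counts show why the approach pays off: once the mark is saved in the conntrack entry, the remaining packets of the flow are accepted in chain ips and never cross nfnetlink, which is the expensive part identified on slide 19.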


Implementation for other captures
Possibilities
- AF_PACKET
- Signaling
- Open vSwitch
- Custom HW...
Constraints
- The method needs to be fast
- It needs to handle:
  - A huge amount of flows/items
  - A rapid change rate


Conclusion
Suricata and Linux
- Deeply intertwined
- IDS constraints cause some generic features to fail
- Offloading looks promising
More information
- Suricata: http://www.suricata-ids.org/
- Netfilter: http://www.netfilter.org/
- Stamus Networks: https://www.stamus-networks.com/

Questions?
Contact us
- Éric Leblond: eleblond@stamusnetworks.com
- Giuseppe Longo: glongo@stamusnetworks.com
- Twitter: @regiteric and @theglongo
- https://www.stamus-networks.com/