Analyzing packets for fun and packet - concept of network security monitoring (NSM - Qualitek...
DESCRIPTION
Talk at Qualitek Security Day on packet analysis and the concept of Network Security Monitoring (NSM)
TRANSCRIPT
Slide 1
Analyzing packets for Fun & Detection - The interesting concept of NSM (Network Security Monitoring)
Rodrigo “Sp0oKeR” Montoro

Slide 2
$ whois Rodrigo “Sp0oKeR” Montoro
Security System Administrator @ Sucuri
– Hundreds of Web Application Firewalls
– Millions of alerts per month (Disneyland =) )
Author of 2 pending patents
– Malicious document detection
– HTTP header analysis
Speaker at several events
– FISL, Latinoware, CNASI, SecTor (Canada), H2HC, BSides (São Paulo and Las Vegas), Source Seattle and Boston (USA), Toorcon (USA), Zoncon (USA).
Triathlete / Trail runner
Slide 3
MOTIVATION

Slide 4
AGENDA
The current problem in intrusion detection
The NSM concept
How to put it into practice?
Questions

Slide 5
How an intrusion works
Before
During
After
Slide 6
The Intrusion Detection / Prevention concept
Attackers will always succeed; if success is defined as preventing that, we will always lose.

Slide 7
Time is the key factor ...

Slide 8
Generic systems

Slide 9
A simple example of "generic": the "fragmentation world" ...
Different operating systems require different protection settings

Slide 10
Protection's fragmentation timeout < device's

Slide 11
Protection's fragmentation timeout > device's

Slide 12
Evasion using TTL + timeout

Slide 13
And as a bonus there is overlapping ...

Slide 14
And the big "problem" with most protections …

Slide 15
An alert is just a snapshot of the moment ….
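Slides 10 to 13 make one point: a sensor that reassembles fragments with a different timeout, a different overlap rule, or at a different hop count than the protected host ends up inspecting bytes the host never received, or missing bytes it did. The model below is an added example, not code from the talk: the fragment records, timeouts, TTL values and the "first fragment at an offset wins" overlap rule are constructed for the illustration (real stacks differ in their overlap rule, which is exactly the slide 13 problem). It shows how to check, for a given sensor/host configuration, whether the two views agree, which is the check you want to run when tuning the sensor's reassembly settings (for example Snort's frag3 or Suricata's defrag timeout and host policy) to match the hosts it protects.

```python
"""Model of sensor-vs-host fragment reassembly divergence (added example).

Everything here is constructed for illustration: the Fragment records,
the timeouts, the TTL values and the single "first fragment wins" overlap
rule. It is not a copy of any OS or IDS implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    t: float      # arrival time at the sensor (seconds)
    offset: int   # byte offset inside the original datagram
    data: bytes
    more: bool    # IP "more fragments" flag
    ttl: int      # TTL as observed at the sensor


def reassemble(frags, timeout, hops_to_host=0):
    """Reassemble one datagram the way a device with these settings would.

    timeout      -- seconds a partial datagram is kept before being discarded
    hops_to_host -- routers between the sensor and this device; a fragment
                    whose TTL runs out on the way never arrives here at all
    Returns the payload bytes, or None if this device never completes it.
    """
    buf = {}          # offset -> (data, more); first fragment at an offset wins
    started = None    # arrival time of the first fragment of the current attempt
    for f in sorted(frags, key=lambda f: f.t):
        if f.ttl - hops_to_host <= 0:
            continue                      # expired in transit, never delivered here
        if started is not None and f.t - started > timeout:
            buf.clear()                   # partial datagram timed out, start over
            started = None
        if started is None:
            started = f.t
        buf.setdefault(f.offset, (f.data, f.more))
    payload = b""
    for off in sorted(buf):
        data, more = buf[off]
        if off != len(payload):
            return None                   # hole: nothing delivered for this range
        payload += data
        if not more:
            return payload                # last fragment present, datagram complete
    return None                           # last fragment never arrived


def views_diverge(frags, sensor_timeout, host_timeout, hops_to_host):
    """True when the sensor would judge different bytes than the host received."""
    sensor_view = reassemble(frags, sensor_timeout)
    host_view = reassemble(frags, host_timeout, hops_to_host)
    return sensor_view != host_view


# Constructed scenario for slides 10/11: the second fragment arrives 45 s
# after the first, between a 30 s sensor timeout and a 60 s host timeout.
TIMEOUT_CASE = [
    Fragment(t=0.0, offset=0, data=b"GET /", more=True, ttl=64),
    Fragment(t=45.0, offset=5, data=b"admin", more=False, ttl=64),
]

# Constructed scenario for slides 12/13: two fragments claim the same offset;
# the first has a TTL that reaches the sensor but not a host three hops away.
TTL_CASE = [
    Fragment(t=0.0, offset=0, data=b"GET /", more=True, ttl=64),
    Fragment(t=1.0, offset=5, data=b"index", more=False, ttl=2),
    Fragment(t=2.0, offset=5, data=b"admin", more=False, ttl=64),
]

if __name__ == "__main__":
    for name, frags in (("timeout", TIMEOUT_CASE), ("ttl", TTL_CASE)):
        print(name, "sensor:", reassemble(frags, timeout=30),
              "host:", reassemble(frags, timeout=60, hops_to_host=3),
              "diverge:", views_diverge(frags, 30, 60, 3))
```

In the timeout case the sensor discards the first fragment before the second arrives and never completes the datagram, while the host does; in the TTL case both devices complete it but with different bytes at offset 5. Either way an alert (or its absence) describes the sensor's reconstruction, not what the host processed, which is the reason the slides treat the alert as a snapshot rather than the whole story.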
Slide 16
Network Security Monitoring (NSM)

Slide 17
Why the alert alone is not enough ….

Slide 18
The components of an NSM
Full Content, Extracted Content, Session Data, Statistical Data, Metadata, Alert Data

Slide 19
Full Content

Slide 20
Extracted Data

Slide 21
Session Data

Slide 22
Statistical Data

Slide 23
Metadata

Slide 24
Alert Data
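The NSM data types on slides 18 to 24 are not independent feeds: session data and statistical data are derived from the same packets that full content stores, and metadata is what turns an address in a flow into a named asset. The following added example (not code from the talk) takes a handful of constructed packet records as a stand-in for full content, builds per-flow session records and per-host statistics from them, and shows the query an analyst actually runs after an alert fires: which sessions involved this host around that time. Field names, the asset table and the sample traffic are all assumptions made for the illustration.

```python
"""Deriving session and statistical data from packet records (added example).

The Packet records, asset table and all addresses below are constructed;
nothing here is code from the talk or from any NSM tool.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:      # the few "full content" fields this example needs
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int


# Constructed sample traffic: one workstation talking to DNS, two web servers
# and receiving an SSH connection from a jump host.
PACKETS = [
    Packet(99.0, "10.0.0.5", 53001, "10.0.0.1", 53, "UDP", 60),
    Packet(99.1, "10.0.0.1", 53, "10.0.0.5", 53001, "UDP", 140),
    Packet(100.0, "10.0.0.5", 51000, "203.0.113.10", 443, "TCP", 200),
    Packet(100.2, "203.0.113.10", 443, "10.0.0.5", 51000, "TCP", 1500),
    Packet(100.3, "203.0.113.10", 443, "10.0.0.5", 51000, "TCP", 1500),
    Packet(100.5, "10.0.0.5", 51000, "203.0.113.10", 443, "TCP", 100),
    Packet(130.0, "10.0.0.5", 51001, "198.51.100.7", 80, "TCP", 300),
    Packet(130.4, "198.51.100.7", 80, "10.0.0.5", 51001, "TCP", 800),
    Packet(160.0, "10.0.0.9", 40000, "10.0.0.5", 22, "TCP", 120),
    Packet(160.1, "10.0.0.5", 22, "10.0.0.9", 40000, "TCP", 150),
]

# Constructed metadata: asset names keyed by address.
ASSETS = {"10.0.0.5": "workstation", "10.0.0.1": "internal DNS", "10.0.0.9": "jump host"}


def session_data(packets):
    """Bidirectional flow records keyed by the 5-tuple of the first packet seen."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        direction = "reply" if rev in flows else "orig"
        if direction == "reply":
            key = rev
        f = flows.setdefault(key, {"first": p.ts, "last": p.ts, "pkts": 0,
                                   "bytes_orig": 0, "bytes_reply": 0})
        f["first"] = min(f["first"], p.ts)
        f["last"] = max(f["last"], p.ts)
        f["pkts"] += 1
        f["bytes_" + direction] += p.length
    return flows


def statistical_data(flows):
    """Per-host totals (what the slides call statistical data), built from flows."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0, "flows": 0})
    for (proto, src, sport, dst, dport), f in flows.items():
        stats[src]["sent"] += f["bytes_orig"]
        stats[src]["received"] += f["bytes_reply"]
        stats[src]["flows"] += 1
        stats[dst]["sent"] += f["bytes_reply"]
        stats[dst]["received"] += f["bytes_orig"]
        stats[dst]["flows"] += 1
    return dict(stats)


def top_talkers(stats, n=3):
    """Hosts ordered by total bytes, the usual first view of statistical data."""
    return sorted(stats, key=lambda h: stats[h]["sent"] + stats[h]["received"],
                  reverse=True)[:n]


def flows_around(flows, host, alert_ts, window):
    """Sessions touching `host` that overlap [alert_ts - window, alert_ts + window].

    This is the context an alert alone does not give: what else the host was
    doing right before and after the snapshot the alert represents.
    """
    lo, hi = alert_ts - window, alert_ts + window
    return [(key, f) for key, f in flows.items()
            if host in (key[1], key[3]) and f["first"] <= hi and f["last"] >= lo]


def describe(key, assets):
    """Enrich one flow key with metadata, falling back to the bare address."""
    proto, src, sport, dst, dport = key
    return f"{assets.get(src, src)}:{sport} -> {assets.get(dst, dst)}:{dport}/{proto}"


if __name__ == "__main__":
    flows = session_data(PACKETS)
    stats = statistical_data(flows)
    print("top talkers:", top_talkers(stats, 2))
    # Pretend an alert fired on the workstation at t=100.2 and ask for context.
    for key, f in flows_around(flows, "10.0.0.5", 100.2, 5.0):
        print(describe(key, ASSETS), f)
```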
Slide 25
And how do I put this into practice?

Slide 26
But isn't that expensive? The company doesn't have the resources ….

Slide 27
The Security Onion project
Snort / Suricata, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, PRADS, others

Slide 28
Snorby

Slide 29
Squert

Slide 30
Sguil (Real Time)
Slide 31
What really "costs" is storage ...
Average utilization in Mbps × 1 byte / 8 bits × 60 seconds / minute × 60 minutes / hour × 24 hours / day
In short:
A network averaging 100 Mbps produces approximately 1.08 TB of logs per day, × the number of days you want to retain
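The slide's formula carried through with explicit units, as an added example (not code from the talk): the utilization figures and disk size used below are constructed inputs. Note that the slide's 1.08 TB is decimal (10^12 bytes) and that the input is average utilization, not link speed, so a 1 Gbps link that averages 100 Mbps still comes out at 1.08 TB/day.

```python
"""Full-content storage sizing from the slide's formula (added example).

Inputs below (utilization, disk size) are constructed; the formula is the
one on the slide: Mbps x 1 byte/8 bits x 60 x 60 x 24.
"""


def bytes_per_day(avg_mbps):
    """Average utilization in Mbps to bytes captured per day (decimal units)."""
    bytes_per_second = avg_mbps * 1_000_000 / 8      # Mbps -> bytes/s
    return bytes_per_second * 60 * 60 * 24           # seconds in a day


def terabytes_per_day(avg_mbps):
    """Same figure in decimal terabytes (10^12 bytes), as the slide quotes it."""
    return bytes_per_day(avg_mbps) / 1e12


def tebibytes_per_day(avg_mbps):
    """Same figure in binary TiB (2^40 bytes), which is how disks are often reported."""
    return bytes_per_day(avg_mbps) / 2 ** 40


def storage_for_retention_tb(avg_mbps, days):
    """Decimal TB needed to keep `days` of full content at this utilization."""
    return terabytes_per_day(avg_mbps) * days


def days_of_retention(avg_mbps, disk_tb):
    """Whole days of full content a disk of `disk_tb` decimal TB can hold."""
    return int(disk_tb // terabytes_per_day(avg_mbps))


if __name__ == "__main__":
    for mbps in (10, 100, 500):                      # constructed utilization values
        print(f"{mbps:>4} Mbps avg -> {terabytes_per_day(mbps):.2f} TB/day "
              f"({tebibytes_per_day(mbps):.2f} TiB/day), "
              f"30 days = {storage_for_retention_tb(mbps, 30):.1f} TB")
    print("100 Mbps on a 50 TB array:", days_of_retention(100, 50), "days")
```

At 100 Mbps average the formula gives exactly 1.08 TB/day, which is the slide's number; the same capture is about 0.98 TiB/day in binary units, so a budget written in TiB under-provisions by roughly ten percent if the two are mixed.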
Slide 32
Interesting links
taosecurity.blogspot.com
securityonion.blogspot.com
www.nsmwiki.org

Slide 33
Questions & Contacts
Personal
@spookerlabs
http://spookerlabs.blogspot.com
Professional
@sucuri_security
http://sucuri.net