Upload File

selks - 2018 suricon in vancouver presented by oisf · pdf file• stamus network probes 2....

  • Home
  • Documents
  • SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei
15
1 SELKS

Upload: phamlien

Post on 27-Mar-2018

217 views

Category:

Documents


1 download

Report

TRANSCRIPT

Page 1: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

1

SELKS

Page 2: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

Lets talk about US

Stamus NetworksBring professional grade products and services through the Suricata IDPS eco-system

Open Source Projects• SELKS• Amsterdam• Scirius Community Edition

Products• Scirius Enterprise Edition• Stamus Network Probes

2

Page 3: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

Problem of defensive security

3

Page 4: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

Why we need SELKS ?

• Entirely Open Source– The only graphic Suricata’s rule manager– Standard Debian Jessie 64 bit live and installable distro– Want to get the best out of Suricata– Showcase build for Suricata

• Scalable• Modular• Flexible• Correlate

4

Page 5: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

Why this SELKS name ?

•S - Suricata IDPS

•E - Elasticsearch

•L - Logstash

•K - Kibana

•S - Scirius

• EveBox

5

Page 6: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

SELKS – The ELK stack

• Elasticsearch 2.x – Distributed, scalable, and highly available– Real-time search and analytics capabilities– Sophisticated RESTful API– Schema free, Apache Lucene™

• Logstash 2.x– Centralize data processing of all types– Log collector

• Kibana 4.x– Flexible analytics and visualization platform– Real-time summary and charting of streaming data– Intuitive interface for a variety of users– Instant sharing and embedding of dashboards

6

Page 7: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

SELKS –Scirius

• Suricata graphic rule set manager

7

Page 8: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

SELKS –EveBox

• EveBox is a web based Suricata "eve" event viewer for Elastic Search

8

Page 9: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

Visualization & Filtering

• Filter and visualize on over 360 metadata fields• GeoIP Maps

9

Page 10: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

Dashboards

• 11 ready to use out of the box dashboards– ALL– ALERTS– DNS– FILE-Transactions – FLOW– HTTP– SMTP– STATS– TLS– SSH– VLAN

10

Page 11: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

Scirius: rule set manager

• Suricata’s graphic rule set management – Rules to alerts direct mapping– Suricata performance indicators– Thresholding/Suppression of alerts

• Demonstration

11

Page 12: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

Black (file) Magic

Identify a file which:

➢ is a picture taken with a camera from Huawei Nexus 6p phone

➢ has a an extension “.docx”

Page 13: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

Getting SELKS

Source & ISO:➢ Build your from source or with a custom

kernel version - ● https://github.com/StamusNetworks/SEL

KS#selks➢ Download ready to use ISO image -

● https://www.stamus-networks.com/open-source/#selks

Page 14: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

Amsterdam● SELKS and docker

– Docker: lightweight containers

– Docker-compose: orchestration● Install amsterdam:

– pip install amsterdam● Create a amsterdam instance:

– amsterdam -d ams -i wlan0 setup

– amsterdam -d ams start● Point browser to https://localhost/

Page 15: SELKS - 2018 SuriCon in Vancouver presented by OISF · PDF file• Stamus Network Probes 2. Problem of defensive security 3. Why we need SELKS ? •Entirely Open Source ... from Huawei

THANK YOU

Questions ?

15


Lets talk about - WordPress.com · Lets talk about SELKS ….. Lets do some hands on ... –ALERTS –DNS –FILE-Transactions –FLOW –HTTP –HTTP-Extended-Custom –PRIVACY –SMTP

Suricata & AWS - 2020 SuriCon in Boston presented by OISF › wp-content › uploads › 2019 › 11 › ...Suricata & AWS Pre and Post Session Mirroring $ cat about.txt - Overview

Lab 5 More Stability Analysis and Soundings Presented by: Pete Stamus Tues, Wed, 15-16 June 1999 Hydromet 99-2

Suricata and the Shark: suriwire · Suricata and the Shark: suriwire É. Leblond Stamus Networks July. 03, 2018 É. Leblond (Stamus Networks) Suricata and the Shark: suriwire July

Dok. Klfks-selks Umum-Penysnan Ruang Terbuka Hijau (RTH) Kab.gumas

Malware as a Service - SURICON€¦ · © 2019 Bromium Inc. All rights reserved. 5 Malware as a Service –Previous Work 2015 2017 2018 2019

Suricata IDPS and Linux kernel - NetDev: The … IDPS and Linux kernel É. Leblond, G. Longo Stamus Networks February 10, 2016 É. Leblond, G. Longo (Stamus Networks) Suricata IDPS

Let's talk about SELKS · DNS SSH Éric Leblond (Stamus Networks) Let’s talk about SELKS 5 juin 2014 5 / 13. Suricata + Kibana ... Let’s talk about SELKS 5 juin 2014 8 / 13. Deny

Suricata IDPS and Nftables: The Mixed Mode...Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe Longo (Stamus Networks) Suricata IDPS and

eBPF and XDP in Suricata reloaded€¦ · Test data Using a test pcap of 445Mo. Real traffic but lot of malicious behaviors Traffic is a bit old É. Leblond/P. Manev (Stamus Networks)

Office suite and firewall - Netfilter · Office suite and firewall É. Leblond Stamus Networks 2016 June 27 É. Leblond (Stamus Networks) Office suite and firewall 2016 June 27

Logging with Netfilter and ulogd2...Logging with Netfilter and ulogd2 Éric Leblond Stamus Networks June 23, 2015 Éric Leblond (Stamus Networks) Logging with Netfilter and ulogd2

Suricata 2.0, Netfilter and the PRC - RMLL · Suricata 2.0, Netfilter and the PRC Éric Leblond Stamus Networks July 8, 2014 Éric Leblond (Stamus Networks) Suricata 2.0, Netfilter

The adventures of a Suricate in eBPF land · 1 eBPF technology 2 Suricata meets eBPF 3 AF_PACKET bypass via eBPF 4 Conclusion É. Leblond (Stamus Networks) The adventures of a Suricate

Presentation Title Goes Here - SURICON€¦ · 00000040 66 96 26 66 9a 26 67 ea 26 66 9c 26 66 9e 26 66 |f.&f.&g.&f.&f.&f| 00000050 9d 26 66 97 41 16 8b 30 6d ea 26 67 ea 26 66 9b

nftables, one year later - Lagout · Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 11 / 40. Simplified kernel code ... { 192.168.0.44 => jump logmetender

Suricata for Malware Classification - 2020 SuriCon in ...€¦ · Kaspersky | Suricata for Malware Classification • Scanning traffic from already detected malicious executables

Suricon: EKs and Cuckoo and things · Suricon: EKs and Cuckoo and things Will (Not a Rockstar) ... Cuckoo Sandbox ... malware analysis

Extreme Performance - SURICON...XDP & Suricata Code work available in a PR by Regit (Eric Leblond) Packet arrives to FIFO. Card writes it back to queue. No SKB yet. eBPF program is

Encrypted Network Traffic Hunting Threats That Use · 2020-06-30 · Developer/Trainer/Exec team - OISF CTO - Stamus Networks Twitter @pevmaPeter Manev - Twitter @regiteric ... •

SELKS Black Magic - Netfilter · SELKS – The ELK stack • Elasticsearch 2.x –Distributed, scalable, and highly available –Real-time search and analytics capabilities –Sophisticated

EXPLOSIVE HANDLING SAFETY REVIEW TRAINING · 2020. 1. 24. · SAFETY REVIEW TRAINING 1/24/2020 STAMUS CONSULTING SERVICE LLC 1. EXPLOSIVES SAFETY STANDARDS COMPLIANCE 1/24/2020 STAMUS

Презентация PowerPoint - SURICON · From a fake wallet to a Java RAT Posted: January 18, 2017 Last updated: January 23, 2017 This malware came in a phishing e-mail —

Suricata Rule Taxonomy - 2020 SuriCon in Boston presented ... · Better Enhanced Teleological and Taxonomic Embedded Rules Key-Value pairs (with a teleological focus) Embedded into

overcoming TLS decrypting challenges - SURICON...- Using the servers private key ... • Provide the (right?!) server private key - PKCS#1 in PEM format without passphrase ... - Encrypted

Tools and Techniques to Simplify Suricata Performance Testing€¦ · TOOLS AND TECHNIQUES TO SIMPLIFY SURICATA PERFORMANCE TESTING SURICON 2019 JOE JOHNSON – PRINCIPAL SOFTWARE

So what cha want (?:to sig)? in Suri 4 - SURICON | 2020 SuriCon in ...€¦ · So what cha want (?:to sig)? in Suri 4.0 Travis Green, Francis Trudeau, Jack Mott, Jason Williams A

or years Collect British Stamus

Securing Security Tools - SuriCon 2016€¦ · QAtools: unittests,buildbot,etc. ... Securing Security Tools - SuriCon 2016 Author: Pierre Chifflier Created Date: 11/9/2016 11:28:17

TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM

Tellez Suricon Hunting Botnets Advanced Security Analytics · Suricata & Splunk Advanced Security Analytics Anthony Tellez, CISSP, CEH, CNDA ... UBA detects Advanced Cyberattacks

Suricata 2.0, Netfilter and the PRC - stamus-networks.com · Suricata 2.0, Netfilter and the PRC Éric Leblond Stamus Networks April 26, 2014 Éric Leblond (Stamus Networks) Suricata