The Next Generation Open IDS Engine: Suricata and Emerging Threats
Matt Jonkman, Open Information Security Foundation / EmergingThreats.net
Open Information Security Foundation
Suricata, The Next Generation IPS
Balancing Open Security Software with Commercial Interests
Tuesday, August 3, 2010
Introduction
EmergingThreats.net
Open Information Security Foundation
OpenInfoSecFoundation.org
A Few Truths
• Great Ideas Often Result from Open Collaboration
• Open Source Projects Don’t Become Effective, Complete Products on Their Own
• Open Community Hippies Don’t Trust Vendors
• Vendors Don’t Collaborate With Open Community Hippies Well
• The Military Doesn’t Trust Open Community Hippies
• Vendors Try to Reinvent the Wheel on Every Military Contract
The Result
We have a Hippie-Vendor-Mil Gap
Fixing it...
(please don’t laugh)
We Involve The Government
A Case Study
Intrusion Detection Systems
• 12+ Years Old
• Open and Proprietary
• Productized by EV
In the last 5 years: No Innovation. Nada. Zilch. Nothing.
“IDS is Dead.”
-Gartner
IDS
Intrusion Detection Has Not:
• Innovated
• Gone Multi-Threaded
• Integrated with other technologies
• Risen to solve our new threats
OISF
• Non-Profit Foundation
• Initially DHS Funded
• OSH, Mil, and EV Involvement
The Dirty Little Secret
It’s working! Why?
The OSH, EV, Consumers, Mil, and Government
ALL WANT THE SAME THING:
• New Ideas
• Constant Innovation
• Reliable Implementations
• Effective Support
• Put their Kids through College
Consortium
• Vendors are part of a Consortium
• 50/50 voting rights with the Community
• Support required for a non-GPL license
OISF Consortium
• Currently Bringing in 19 New Members
• Global Defense Contractors...
• Several Government Research Groups
• Many CERTs
• Universities
• Security Vendors (that use other engines...)
The Engine
Features
Major Goals:
• Multi-Threading
• Native IPv6 Support
• Snort Syntax with additions
• Automatic Protocol Detection
• High Speed Regex
• Advanced HTTP Parsing
• Multiple Model Statistical Anomaly Detection
• Native Hardware Acceleration Support
• GPU Acceleration
• IP Reputation
• Distributed Blocking and Feedback
• Scoring Thresholds
• Very High Speed Regex
• In Stream File Extraction
• Web-Based Config Manager
Other Features
• HTTP Access Logging
• SMB Access/Action Logging
• Windows INLINE Support
• Full Windows Support
• Virtual Environment Support
• Stopbadware.org URI Matching
• Passive SSL Decryption
Go ask your Commercial Vendor for any of that....
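Two of the features above, "Snort Syntax with additions" and "Automatic Protocol Detection", are easiest to see side by side in a rule. The pair of signatures below is an added example written for this page; it is not from the slides or from the Suricata project's rule sets. The sids, the message text and the "BadAgent" User-Agent string are constructed placeholders; $HOME_NET and $EXTERNAL_NET are the usual address variables from suricata.yaml.

```suricata
# Snort-compatible form: the rule is bound to TCP port 80, so HTTP carried
# on any other port is never inspected by it. (Constructed example.)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE Constructed User-Agent on port 80"; flow:established,to_server; content:"User-Agent|3a 20|BadAgent"; http_header; sid:1000001; rev:1;)

# Suricata addition: "http" as the rule protocol. The engine's automatic
# protocol detection identifies HTTP by its content rather than its port, so
# the same match fires for HTTP on 8080, 8888 or any other port without the
# rule author having to enumerate them. (Constructed example.)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Constructed User-Agent on any port"; flow:established,to_server; content:"User-Agent|3a 20|BadAgent"; http_header; sid:1000002; rev:1;)
```

Both rules use the same `http_header` content modifier, so they match on the parsed HTTP header buffer rather than on raw packet bytes. The only difference is the protocol field: with `alert http` the defender inspects every HTTP session the engine detects, which is the practical payoff of protocol detection when traffic of interest avoids the well-known port.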
Status
Releases:
• Initial Stable Release, December 31, 2010
• Second Stable Release, February 15, 2010
• Phase One RC1, May 6, 2010
• Phase One Production, July 1, 2010
Get Involved
Brainstorming Meeting, July 16, 2010, San Francisco
Interim Goals:
• Architecture Documentation
• Performance Optimization
• Run Mode Support (Likely Endace completed)
• Error Code Cleanup and Documentation
• Full Documentation (community interactable docs)
• Advanced Profiling and Engine stats
• Accuracy Improvements
• Add Protocol Detections (SMTP, etc)
• Classifications Update
• 2.8.6 Compatibility
• LibHTP Error Handling
• Heavy Inline Testing
Phase Two:
• Max Inspection Time
• File Capture in Stream
• REGEX Optimization/Accel
• Live Ruleset Updates
• Flow Logging (Netflow)
• Add Replace keyword support
• Host attribute scrubbing
• URI Matching lookups (stopbadware, websense, etc)
• CUDA Support
Phase Two Team Two:
• IP Reputation - Explore other items, dns, etc
• Distributed Blocking
• Global Flowbits and flowvars
• Full Stream Capture
• Traffic Redirection
What We Need
• Consortium Members
• Coding Support
• Further Government/Mil Support
• YOU!
Will you get involved?
Questions?
www.EmergingThreats.net