centric
Prevention and detection based
Assumes you already know every possible threat
Signature-based detection
Some behavioural approaches, but they are not common
No feedback loop
The opposite of the threat-centric approach
not SNORT?
It was the only solution for quite some time
But it has an aging core (ok, v3 is out…)
The alternative:
  supports multi-threading
  supports capture cards, or PF_RING on commodity hardware
  10 Gb/s on a Xeon with 8 cores
  GPU acceleration for regexp matching! (who doesn't have a GPU in their IDS nowadays?)
would I use this?
Complementary to a commercial solution
Write your own custom rules for:
  a newly published vulnerability
  a malware infection
  an ongoing incident response
  capitalising on previous attacks
Threat-centric approach
PROTOCOL DETECTION
Basic idea: look everywhere in the packet
Not very fine-grained: both content matches are tested against the raw TCP payload, on any port, for any service
  alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"looking everywhere for overflow"; flow:established; content:"|41 41 41 41|"; content:"|42 42|"; distance:0; classtype:shellcode-detect; sid:1; rev:1;)
PROTOCOL DETECTION
Next idea: specify ports
What if $ADMIN changed the default ports? Web traffic on any other port is never inspected by this rule
  alert tcp $EXTERNAL_NET any -> $HOME_NET [80,8080] (msg:"looking for web requests"; flow:established; content:"GET /"; nocase; classtype:not-suspicious; sid:1; rev:1;)
PROTOCOL DETECTION
Better idea: specify the protocol and let the engine detect it for you
HTTP is recognised on whatever port it runs on, and http_method restricts the match to the request-method buffer instead of the whole payload
  alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"looking for web requests"; flow:established; content:"GET"; http_method; nocase; classtype:not-suspicious; sid:1; rev:1;)
PROTOCOL DETECTION
Better idea: what about the next one?
  alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"looking for web requests"; flow:established; content:"GET"; content:"POST"; http_method; nocase; classtype:not-suspicious; sid:1; rev:1;)
Trap: content keywords are ANDed, so this rule needs both "GET" and "POST" in the same request. Only the second content is bound to http_method; the first, "GET", is matched against the raw stream. Write one rule per method instead.
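The four rules on the protocol-detection slides illustrate three pitfalls: content matched against the raw payload on any port, content tied to a hard-coded port list, and a content keyword that is not bound to the buffer the author had in mind while all contents are ANDed. The linter below, an added example that is not part of the slides or of the Suricata project (the rules use Suricata keywords such as alert http and http_method, so Suricata's grammar is assumed), parses a rule and reports exactly those cases plus a placeholder sid. The HTTP/TLS modifier and sticky-buffer lists are a subset chosen for the example, not the engine's full keyword set, and the 1000000 sid floor is the customary local-rule convention, not something the slides state.

```python
"""Lint rules for the protocol-detection pitfalls shown on the preceding slides.

Added example, not from the slides or the Suricata project. It understands the
common rule grammar (header + ';'-separated options), the classic http_* content
modifiers and a few sticky buffers; it is not a full rule parser.
"""
import re

HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\[[^\]]*\]|\S+)\s+(?P<sport>\[[^\]]*\]|\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\[[^\]]*\]|\S+)\s+(?P<dport>\[[^\]]*\]|\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)
# Classic modifiers: bind the content keyword that precedes them to a buffer.
MODIFIERS = {"http_method", "http_uri", "http_raw_uri", "http_header",
             "http_raw_header", "http_cookie", "http_host", "http_raw_host",
             "http_user_agent", "http_client_body", "http_server_body",
             "http_stat_code", "http_stat_msg"}
# Sticky buffers: every content keyword that follows them is bound.
STICKY = {"http.method", "http.uri", "http.host", "http.header",
          "http.user_agent", "http.request_body", "http.response_body",
          "tls.sni", "tls.cert_subject", "tls.cert_issuer", "tls.cert_fingerprint"}
RAW_PROTOS = {"ip", "tcp", "udp", "icmp"}
LOCAL_SID_MIN = 1000000   # customary local-rule range (assumption), clear of vendor rulesets


def split_options(text):
    """Split the option block on ';' outside double quotes (an escaped '\\;' is kept)."""
    out, cur, in_quote, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur += [c, text[i + 1]]
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            if "".join(cur).strip():
                out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    if "".join(cur).strip():
        out.append("".join(cur).strip())
    return out


def parse_rule(rule):
    """Return the header fields plus an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a rule: %r" % rule)
    fields = m.groupdict()
    options = []
    for token in split_options(fields.pop("opts")):
        key, _, val = token.partition(":")
        options.append((key.strip(), val.strip().strip('"')))
    fields["options"] = options
    return fields


def lint(rule):
    """Return [(code, explanation), ...] for one rule; empty list means no finding."""
    r = parse_rule(rule)
    contents, sticky = [], None          # [value, buffer-or-None] per content keyword
    for key, val in r["options"]:
        if key in STICKY:
            sticky = key
        elif key == "content":
            contents.append([val, sticky])
        elif key in MODIFIERS and contents:
            contents[-1][1] = key
    unbound = [v for v, buf in contents if buf is None]
    findings = []
    if r["proto"] in RAW_PROTOS and contents:
        if r["sport"] == "any" and r["dport"] == "any":
            findings.append(("BROAD", "content on raw %s payload, any port: matches "
                             "anywhere in the stream" % r["proto"]))
        else:
            findings.append(("PORT_BOUND", "only ports %s -> %s are inspected; the same "
                             "service on another port is missed, prefer an app-layer proto"
                             % (r["sport"], r["dport"])))
    if r["proto"] not in RAW_PROTOS and unbound:
        findings.append(("UNBOUND", "content %s is not tied to a %s buffer, so it is "
                         "matched against the raw stream" % (unbound, r["proto"])))
    if len(contents) > 1:
        findings.append(("ALL_REQUIRED", "%d content keywords are ANDed: every one must "
                         "match in the same flow" % len(contents)))
    sid = dict(r["options"]).get("sid")
    if sid is None or not sid.isdigit() or int(sid) < LOCAL_SID_MIN:
        findings.append(("SID", "local rules should carry a unique sid >= %d" % LOCAL_SID_MIN))
    return findings


if __name__ == "__main__":
    quiz = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"looking for web requests"; '
            'flow:established; content:"GET"; content:"POST"; http_method; nocase; '
            'classtype:not-suspicious; sid:1; rev:1;)')
    for code, text in lint(quiz):
        print(code, "-", text)
```

Run against the quiz rule it reports UNBOUND for "GET", ALL_REQUIRED for the two contents and SID for the placeholder; the port-list rule gets PORT_BOUND and the raw-payload rule gets BROAD, while a rule using a sticky buffer and a local sid passes clean.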
PROTOCOL DETECTION
Wait, TLS and SSH? Isn't it encrypted?
Not so fast: there is no TLS decryption on the fly
Protocol detection mainly allows extracting metadata from the handshake and matching on it, e.g. certificate fingerprint, IssuerDN, …
FILES
Store all PDF files
  by extension, i.e. the file name the client supplied (attacker-controlled):
  alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PDF downloaded"; fileext:"pdf"; filestore; sid:1; rev:1;)
  by content, via libmagic:
  alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PDF downloaded"; filemagic:"PDF document"; filestore; sid:1; rev:1;)
filestore only writes to disk when file extraction is enabled in suricata.yaml, and the two rules need distinct sids before they are loaded together
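Once filestore has kept the files, the next question is which ones to look at and where they are on disk. The script below is an added example, not part of the slides or of the Suricata project: it reads fileinfo events from EVE JSON, applies the two slide rules' criteria side by side (name-based fileext:"pdf" versus content-based filemagic:"PDF document") so that a ".pdf" whose bytes are not a PDF stands out, and resolves each stored file to its path. The EVE lines are constructed samples, and the filestore v2 layout (<dir>/<first two hex digits of sha256>/<sha256>) is assumed; both the fileinfo output and the store layout are suricata.yaml settings, so check them on your build.

```python
"""Triage the files that 'filestore' kept, using the fileinfo events in eve.json.

Added example, not from the slides or the Suricata project. Assumes EVE JSON
logging with fileinfo events, and the file-store v2 layout where a stored file
sits at <filestore-dir>/<first two hex digits of its sha256>/<sha256>; both are
suricata.yaml settings (assumption), check them on your build.
"""
import json
import os

# Constructed sample lines in EVE JSON shape, not real captures. The last line is
# deliberately truncated, as happens when the log is read during rotation.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.5","dest_ip":"10.0.0.7","app_proto":"http","http":{"hostname":"files.example.test","url":"/report.pdf","http_method":"GET","status":200},"fileinfo":{"filename":"/report.pdf","magic":"PDF document, version 1.7","state":"CLOSED","stored":true,"size":18231,"sha256":"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.5","dest_ip":"10.0.0.7","app_proto":"http","http":{"hostname":"files.example.test","url":"/invoice.pdf","http_method":"GET","status":200},"fileinfo":{"filename":"/invoice.pdf","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","state":"CLOSED","stored":true,"size":77824,"sha256":"2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.5","dest_ip":"10.0.0.7","app_proto":"http","http":{"hostname":"files.example.test","url":"/logo.png","http_method":"GET","status":200},"fileinfo":{"filename":"/logo.png","magic":"PNG image data","state":"CLOSED","stored":false,"size":512}}
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"10.0.0.7","alert":{"signature":"PDF downloaded","signature_id":1}}
{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"fileinfo","fil
"""


def iter_fileinfo(lines):
    """Yield parsed fileinfo events, skipping blank or truncated lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue          # half-written line, nothing to recover
        if event.get("event_type") == "fileinfo":
            yield event


def pdf_verdict(event):
    """Which of the two slide rules would have fired: 'ext', 'magic', 'both' or None.

    fileext:"pdf" only trusts the name the client sent; filemagic:"PDF document"
    looks at the bytes. Disagreement between them is the interesting case.
    """
    info = event["fileinfo"]
    by_ext = info.get("filename", "").lower().endswith(".pdf")
    by_magic = "PDF document" in info.get("magic", "")
    return {(True, True): "both", (True, False): "ext",
            (False, True): "magic"}.get((by_ext, by_magic))


def stored_path(filestore_dir, event):
    """Path of the extracted file on disk (filestore v2 layout), or None if not stored."""
    info = event["fileinfo"]
    if not info.get("stored") or not info.get("sha256"):
        return None
    sha = info["sha256"].lower()
    return os.path.join(filestore_dir, sha[:2], sha)


def review(lines, filestore_dir):
    """One row per PDF-looking file: where it came from, why it matched, where it is."""
    rows = []
    for event in iter_fileinfo(lines):
        verdict = pdf_verdict(event)
        if verdict is None:
            continue
        http = event.get("http", {})
        rows.append({
            "url": http.get("hostname", "") + http.get("url", ""),
            "verdict": verdict,
            "mismatch": verdict == "ext",      # '.pdf' name but non-PDF bytes
            "sha256": event["fileinfo"].get("sha256"),
            "path": stored_path(filestore_dir, event),
        })
    return rows


if __name__ == "__main__":
    for row in review(SAMPLE_EVE.splitlines(), "/var/log/suricata/filestore"):
        flag = "  <-- name says PDF, content does not" if row["mismatch"] else ""
        print(row["verdict"], row["url"], row["path"], flag)
```

On the sample, report.pdf matches both criteria, invoice.pdf only by extension (a PE with a .pdf name, which the fileext rule would store and the filemagic rule would not), and logo.png is ignored; the truncated trailing line is skipped rather than aborting the run.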
ELK
ElasticSearch, Logstash, Kibana (the data flows Logstash → ElasticSearch → Kibana, not in that order)
Logstash: reads logs, then forwards and/or transforms them
ElasticSearch: indexed storage
Kibana: web interface to ES
FINAL WORDS
Things to keep in mind:
There are alternatives to commercial tools
Preconfigured distributions exist
Incident response can benefit from custom rules
The ELK stack is more and more used in DFIR