Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hakuna Suricata (it means no worries, except for APT)

Published byAbel Boone Modified over 9 years ago

Similar presentations

Presentation on theme: "Hakuna Suricata (it means no worries, except for APT)"— Presentation transcript:

1 Hakuna Suricata (it means no worries, except for APT)
LS Pulsifer Surveillance Analyst 5 May 2014 1

2 Outline IDS Overview First Thoughts Rules of the Jungle HTTP GET
HTTP 200 OK BONUS ROUND! Conclusion 2

3 First Thoughts Easy Setup TURN ON ALL THE THINGS! Output format(s)
1400 (w/ comments) line config ET rules out of the box Rule management? TURN ON ALL THE THINGS! Output format(s) Fancy-lookin' rules

4 Rules of the Jungle # PULSIFER.CA / CATS TEST HTTP RULE
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"THE INTERNET WANTS CATS"; content:"GET"; http_method; content:"/cats.html"; http_uri; content:"pulsifer.ca"; http_header; content:”Windows NT 6.1”; http_user_agent; urilen:<11; classtype:bad-unknown; sid: ; rev:1;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"THE INTERNET GOT CATS"; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"iframe src"; http_server_body; classtype:bad-unknown; sid: ; rev:1;)

5 First Rule of the Jungle
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"THE INTERNET WANTS CATS"; content:"GET"; http_method; content:"/cats.html"; http_uri; content:"pulsifer.ca"; http_header; content:”Windows NT 6.1”; http_user_agent; urilen:<11; classtype:bad-unknown; sid: ; rev:1;) GET /cats.html HTTP/1.1 Host: pulsifer.ca User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/ Firefox/28.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive

6 Debug cont.. PACKET: C 29 DD B4 57 C CB 92 D )..W.` E. E DF F 0A 0D E7 P...%.C. D B3 A F4 76 B0 3A F1 3C 4A }...P.. v.:.<JP. FE ALERT CNT: ALERT MSG [00]: THE INTERNET WANTS CATS ALERT GID [00]: ALERT SID [00]: ALERT REV [00]: ALERT CLASS [00]: Potentially Bad Traffic ALERT PRIO [00]: 2 ALERT FOUND IN [00]: STATE ALERT IN TX [00]: 0 STREAM DATA LEN: STREAM DATA: ...

7 Second Rule of the Jungle
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"THE INTERNET GOT CATS"; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"iframe src"; http_server_body; classtype:bad-unknown; sid: ; rev:1;) HTTP/ OK Date: Tue, 06 May :12:05 GMT ... <!DOCTYPE html> <html> <body> <script> document.write('<iframe src="

8 First Rule Debug TIME: 05/05/2014-22:12:06.264225 PCAP PKT NUM: 8
PKT SRC: wire/pcap SRC IP: DST IP: PROTO: SRC PORT: DST PORT: TCP SEQ: TCP ACK: FLOW: to_server: TRUE, to_client: FALSE FLOW Start TS: /05/ :12: FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE FLOW ACTION: DROP: FALSE FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE FLOW APP_LAYER: DETECTED: TRUE, PROTO 1 FLOWBIT: ET.http.driveby.redkit.uri PACKET LEN:

9 Bonus Round! GUESS THE META! 05/05/ :13: [**] Query TX 214c [**] pulsifer.ca [**] A [**] : > :53 05/05/ :13: [**] Response TX 214c [**] Recursion Desired [**] :53 -> :50922 05/05/ :13: [**] Response TX 214c [**] pulsifer.ca [**] A [**] TTL [**] [**] :53 -> :50922 05/05/ :50: : > :993 TLS: Subject='serialNumber=tsWwnNhDJVx2sppFUBFdevYswWWbQOPg, OU=GT , OU=See (c)14, OU=Domain Control Validated - RapidSSL(R), CN=pulsifer.ca' Issuerdn='C=US, O=GeoTrust, Inc., CN=RapidSSL CA' SHA1='d1:0b:df:ca:39:a9:dc:50:79:cb:73:d0:0b:10:84:e9:92:e8:2d:fd' VERSION='TLSv1' 05/05/ :13: pulsifer.ca [**] /cats.html [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/ [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 156 bytes [**] : > :80 05/05/ :13: mjner.com [**] /update/ [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/ [**] [**] GET [**] HTTP/1.1 [**] 200 [**] 1123 bytes [**] : > :80

10 Conclusion

11

Download ppt "Hakuna Suricata (it means no worries, except for APT)"

Similar presentations

Snort: Overview Chris Copeland What is an Intrusion Detection System (IDS)? An intrusion detection system is any system which can identify a network.

Snort: Overview Chris Copeland What is an Intrusion Detection System (IDS)? An intrusion detection system is any system which can identify a network.
Passive Host Auditing Using Snort And Other Free Tools by John Ives aka. jives.

Passive Host Auditing Using Snort And Other Free Tools by John Ives aka. jives.
Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.

Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.
Web Platform Trident Browser Internet Explorer.

Web Platform Trident Browser Internet Explorer.
1 HTTP and some other odds and ends Nelson Padua-Perez Bill Pugh Department of Computer Science University of Maryland, College Park.

1 HTTP and some other odds and ends Nelson Padua-Perez Bill Pugh Department of Computer Science University of Maryland, College Park.
Chapter 9 Application Layer, HTTP Professor Rick Han University of Colorado at Boulder

Chapter 9 Application Layer, HTTP Professor Rick Han University of Colorado at Boulder
Security, Privacy and Encryption in Mobile Networks Gyan Ranjan Narus Inc. November 12, 2014 Narus Inc (A wholly owned subsidiary of the Boeing Company.)

Security, Privacy and Encryption in Mobile Networks Gyan Ranjan Narus Inc. November 12, 2014 Narus Inc (A wholly owned subsidiary of the Boeing Company.)
Web Platform Trident Navigateur Internet Explorer.

Web Platform Trident Navigateur Internet Explorer.
Lecture 4: stateful inspection, advanced protocols Roei Ben-Harush 2015.

Lecture 4: stateful inspection, advanced protocols Roei Ben-Harush 2015.
CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,

CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,
How to Detect a Client’s Browser Senior Seminar CS498.

How to Detect a Client’s Browser Senior Seminar CS498.
ECE-6612 Prof. John A. Copeland 404 894-5177 Office: Klaus 3362 or call.

ECE Prof. John A. Copeland Office: Klaus or call.
Identification of Mobile Devices from Network Traffic Measurements - a HTTP User Agent Method Master’s Thesis August 2 8, 2012 Supervisor – Prof. Heikki.

Identification of Mobile Devices from Network Traffic Measurements - a HTTP User Agent Method Master’s Thesis August 2 8, 2012 Supervisor – Prof. Heikki.
Web technologies and programming cse4461 - hypermedia and multimedia technology Fanis Tsandilas April 3, 2007.

Web technologies and programming cse hypermedia and multimedia technology Fanis Tsandilas April 3, 2007.
Archive-it WARC usage - compared with NAS – and 3 Questions. By Tue Hejlskov Larsen, netarchive.dk January 2015.

Archive-it WARC usage - compared with NAS – and 3 Questions. By Tue Hejlskov Larsen, netarchive.dk January 2015.
SUNY Polytechnic Institute CS 490 – Web Design, AJAX, jQuery Web Services A web service is a software system that supports interaction (requesting data,

SUNY Polytechnic Institute CS 490 – Web Design, AJAX, jQuery Web Services A web service is a software system that supports interaction (requesting data,
Basic Network Services IMT 546 – Lab 4 December 4, 2004 Agueda Sánchez Shannon Layden Peyman Tajbakhsh.

Basic Network Services IMT 546 – Lab 4 December 4, 2004 Agueda Sánchez Shannon Layden Peyman Tajbakhsh.
HTTP Reading: Section 9.1.2 and 9.4.3 COS 461: Computer Networks Spring 2013 1.

HTTP Reading: Section and COS 461: Computer Networks Spring
Application Layer 2 Figures from Kurose and Ross

Application Layer 2 Figures from Kurose and Ross

Similar presentations

Ads by Google