WEBVTT

00:00.000 --> 00:12.000
Okay, welcome everyone. So sorry, I've got a French name, but I'm very

00:12.000 --> 00:17.000
much French; the Dutch one, Victor Julien, has the flu and was not

00:17.000 --> 00:21.000
able to come. So I'm going to replace him for this talk. I'm

00:21.000 --> 00:26.000
really sorry for that. We learned that Friday night, so we had to prepare

00:27.000 --> 00:33.000
the slides. So the slides are from Victor. I'm one of the most prolific

00:33.000 --> 00:38.000
Suricata developers after Victor, working on it since 2009,

00:38.000 --> 00:42.000
and the slides are from Victor, and I'm going to work through that

00:42.000 --> 00:48.000
review. Yeah, so Victor is the original creator

00:48.000 --> 00:52.000
and the current leader of Suricata. His daily life is to lead the

00:53.000 --> 00:57.000
dev team, being sponsored for that by the OISF Foundation,

00:57.000 --> 01:01.000
which is backing Suricata.

01:01.000 --> 01:05.000
He's not coming from a computer science background; he's more

01:05.000 --> 01:09.000
a free software enthusiast that found some projects,

01:09.000 --> 01:15.000
worked on them, and created some. So his first software,

01:15.000 --> 01:18.000
that was a few years ago, or so, was

01:18.000 --> 01:23.000
Vuurmuur, a nice piece of software, a firewalling management tool,

01:23.000 --> 01:27.000
that he did start to do in C. I don't know why,

01:27.000 --> 01:30.000
it's strange he did, but at least he learned C,

01:30.000 --> 01:34.000
that was useful for him in the future, and it's still

01:34.000 --> 01:38.000
used, it makes some news, it's a good software.

01:38.000 --> 01:42.000
So then after a while, he discovered

01:43.000 --> 01:46.000
Snort, we have a Snort too, good.

01:46.000 --> 01:49.000
There he did start to work on Snort_inline that was

01:49.000 --> 01:55.000
a fork of Snort, the IDS, the original signature-based

01:55.000 --> 01:59.000
network IDS, and he did start to contribute

01:59.000 --> 02:03.000
to Snort_inline. The life with the community,

02:03.000 --> 02:07.000
not the community of Snort_inline, that was okay, but the life

02:07.000 --> 02:10.000
of the community of Snort_inline with

02:10.000 --> 02:14.000
Sourcefire on Snort, was kind of a problem.

02:14.000 --> 02:19.000
A lot of ideas were not accepted by Sourcefire.

02:19.000 --> 02:22.000
I think, mostly because of that,

02:22.000 --> 02:26.000
he did start to work on Victor IPS,

02:26.000 --> 02:31.000
that was what later became Suricata.

02:31.000 --> 02:34.000
So he did showcase that to Matt

02:34.000 --> 02:36.000
Jonkman and Will Metcalf.

02:36.000 --> 02:41.740
Early 2008, at lunch, they were thinking about,

02:41.740 --> 02:45.560
oh, they can build a complete IDS, IPS,

02:45.560 --> 02:48.940
based on the code that was just started.

02:48.940 --> 02:51.060
But at the time, the code of Snort was

02:51.060 --> 02:56.020
actually three hundred fifty thousand lines of code.

02:56.020 --> 02:58.240
So by himself, without any funding,

02:58.240 --> 02:59.180
it will not work.

02:59.180 --> 03:02.920
But hopefully, they found somebody

03:03.000 --> 03:06.200
that they were discussing with, Fibs for us,

03:06.200 --> 03:08.520
from a research institute in the US.

03:08.520 --> 03:11.960
And they set up a meeting with Homeland Security

03:11.960 --> 03:15.320
and then, they got some funding,

03:15.320 --> 03:18.640
they did create the Open Information Security Foundation

03:18.640 --> 03:22.920
that did receive a funding and that just

03:22.920 --> 03:26.040
has as an objective to develop an open source,

03:26.040 --> 03:27.800
GPLv2, IDS.

03:27.800 --> 03:34.160
So with the funding from DHS,

03:34.160 --> 03:37.440
Homeland, it did start.

03:37.440 --> 03:43.200
But Homeland did decide to remove money every year.

03:43.200 --> 03:49.000
So they had to find a sustainable way of running

03:49.000 --> 03:52.440
the foundation and getting that money

03:52.440 --> 03:56.280
for the development.

03:56.280 --> 03:59.000
And the way it has been done, it's a consortium

03:59.000 --> 04:00.320
membership.

04:00.320 --> 04:06.120
You have two drivers for the consortium.

04:06.120 --> 04:09.520
Either because you consider that Suricata is a common good

04:09.520 --> 04:10.600
that you want to protect,

04:10.600 --> 04:13.680
and you give money for that; for instance,

04:13.680 --> 04:16.360
it's the case of the French cyber security

04:16.360 --> 04:19.960
authority that is giving money every year for Suricata.

04:19.960 --> 04:25.520
And the other ones are using, in fact, the fact

04:25.520 --> 04:28.800
that Suricata is GPL.

04:28.800 --> 04:31.280
So if you want to do your own business

04:31.280 --> 04:33.640
with a modified Suricata, you need to contribute

04:33.640 --> 04:36.440
the modification, or you need to pay OISF,

04:36.440 --> 04:39.200
and then you can have access to a dual licence,

04:39.200 --> 04:43.120
where you will be able to use it in your proprietary product.

04:43.120 --> 04:47.040
So some of the consortium members are in this case.

04:47.040 --> 04:49.880
So as mentioned, Suricata is open source.

04:49.880 --> 04:51.720
It's GPLv2.

04:51.720 --> 04:57.760
It's developed with Git, with merge requests on GitHub,

04:57.760 --> 05:04.040
but the management of Suricata is done in a Redmine instance.

05:04.040 --> 05:06.880
And that's the most important thing.

05:06.880 --> 05:10.040
The discussion about the roadmap and this is really

05:10.040 --> 05:11.200
about the community.

05:11.200 --> 05:14.360
So it's made publicly, there are some virtual sessions

05:14.360 --> 05:17.240
and various, also some community brainstorm sessions

05:17.240 --> 05:20.720
before the main event, which is SuriCon,

05:20.720 --> 05:22.880
the annual user conference; next year,

05:22.880 --> 05:23.720
it's in Montreal.

05:23.720 --> 05:26.320
This year it was in Madrid.

05:26.320 --> 05:27.880
So that's the way it is working.

05:27.880 --> 05:31.720
So there is a tremendous amount of new features

05:31.720 --> 05:34.560
that are coming, both over the years,

05:34.560 --> 05:37.400
to Suricata from the community.

05:37.400 --> 05:40.320
It's a welcoming community; if you have something,

05:40.320 --> 05:42.680
just don't hesitate to propose.

05:42.680 --> 05:47.320
So yeah, the initial idea was to do an IDS

05:47.320 --> 05:50.960
and then things have gone wild, become wild.

05:50.960 --> 05:53.480
We have, it was simple.

05:53.480 --> 05:55.600
We have an IDS.

05:55.600 --> 05:58.400
So if you want to do an IDS that does

05:58.400 --> 06:03.040
deep analysis of traffic, you need to understand the protocol.

06:03.040 --> 06:05.640
If you understand the protocol, the application layer,

06:05.640 --> 06:08.440
it means that if you understand it, you can log it.

06:08.440 --> 06:10.440
So you can do network security monitoring.

06:10.440 --> 06:12.600
You can log all the transactions.

06:12.600 --> 06:14.280
And if you can log all the transactions,

06:14.280 --> 06:16.040
because you need to have a flow engine

06:16.040 --> 06:20.120
to analyze the traffic, you can also log the NetFlow-

06:20.120 --> 06:21.840
like entry, so in JSON.

06:21.840 --> 06:24.560
So you can have an accounting on network flow.

06:24.560 --> 06:26.480
And because you see all the packets,

06:26.480 --> 06:29.960
you can also log the packets to the disk.

06:29.960 --> 06:31.800
So you can do the full packet capture.

06:31.800 --> 06:35.400
Or you can do a Suricata 7 conditional

06:35.400 --> 06:38.640
pcap capture, where you are just going to capture

06:38.640 --> 06:40.600
the traffic on the same condition.

06:40.600 --> 06:43.200
And because you understand the application layer well,

06:43.200 --> 06:45.680
in a lot of application layers, there is file transfer.

06:45.680 --> 06:49.120
So you can store the file on disk, and extract the file

06:49.120 --> 06:52.120
on demand.

06:52.120 --> 06:55.440
A new use case for Suricata, that is being

06:55.440 --> 06:59.000
more and more active recently, is the usage of Suricata

06:59.000 --> 07:02.920
as a firewall, because it works in IPS mode.

07:02.920 --> 07:09.960
Because it has access to the data and to the application

07:09.960 --> 07:12.880
layer, you can build some high-level policy

07:12.880 --> 07:16.760
in terms of filtering, so there is some usage in AWS

07:16.760 --> 07:21.400
of Suricata as a firewall and you can write your own filtering

07:21.400 --> 07:25.240
rules, which are in fact Suricata signatures,

07:25.240 --> 07:30.800
to allow specifically what you want.

07:30.800 --> 07:36.920
So a few figures on the activity in terms of development.

07:36.920 --> 07:42.960
The major part of the development is on the OISF development team,

07:42.960 --> 07:46.280
and there are also some organizations that contribute

07:46.280 --> 07:49.680
and the resources of some individual contributors.

07:49.680 --> 07:52.680
And some interns, I would like to mention the Outreachy project,

07:52.680 --> 07:57.160
that is an awesome organization that promotes

07:57.160 --> 08:00.840
diversity in the open source world.

08:00.840 --> 08:03.360
So in terms of commits, there are some organizations

08:03.360 --> 08:06.800
that are committing to Suricata 8, something like 11.

08:06.800 --> 08:08.400
There are a lot of individuals that

08:08.400 --> 08:12.160
did contribute to the new version.

08:12.160 --> 08:17.360
And if you look at the part of the work that has been done by OISF

08:17.360 --> 08:22.760
on the latest work in progress, we got around 85% of the commits

08:22.760 --> 08:27.600
that have been done by the foundation.

08:27.600 --> 08:32.640
There is a set of challenges linked to working with Suricata

08:32.640 --> 08:35.000
and using Suricata: one is on encryption,

08:35.000 --> 08:37.920
then we got the traffic volume that we generate

08:37.920 --> 08:41.040
and what we need to ingest; also, then the alert fatigue,

08:41.040 --> 08:43.320
too many events, what do we do with that.

08:43.320 --> 08:46.880
And the deployment that can be also very challenging.

08:46.880 --> 08:49.440
So one of the challenges is encryption.

08:49.440 --> 08:51.560
It went, mostly,

08:51.560 --> 08:55.760
from almost no encryption to 95% of encryption

08:55.760 --> 08:58.920
on the traffic on internet; that's perfect for privacy,

08:58.920 --> 09:02.440
but for security and network analysis,

09:02.440 --> 09:04.480
that's more a problem.

09:04.480 --> 09:09.280
So the way Suricata is dealing with it is by doing

09:09.280 --> 09:13.640
an analysis of the non-encrypted part of the traffic,

09:13.640 --> 09:16.160
which allows it to extract information

09:16.160 --> 09:18.040
just to have the server name indication,

09:18.040 --> 09:20.680
the certificate, fingerprint techniques,

09:20.680 --> 09:22.680
such as JA4, JA3.

09:22.680 --> 09:27.800
And but once it's done, what's remaining is to work

09:27.800 --> 09:30.800
with the encryption system.

09:30.800 --> 09:32.800
So either by getting the traffic from them,

09:32.800 --> 09:35.440
or via, we're going to see a bit later,

09:35.440 --> 09:37.720
we now have a library for Suricata,

09:37.720 --> 09:39.960
so using the libsuricata inside the product

09:39.960 --> 09:41.080
that does the description.

09:41.080 --> 09:42.360
The decryption, sorry.

09:42.360 --> 09:46.400
The traffic volume, we have seen the VPP talk before

09:46.400 --> 09:49.040
where they are suffering from the same thing.

09:49.040 --> 09:51.280
We need to analyze super fast

09:51.280 --> 09:55.280
the traffic; we're talking about a single Suricata

09:55.280 --> 09:58.040
where the demand is for a hundred

09:58.040 --> 10:02.400
gigabit per second on one single server.

10:02.400 --> 10:05.440
So that's something that we need to deal with.

10:05.440 --> 10:06.640
And what we can deal with,

10:06.640 --> 10:08.640
scalability, we have multi-threading,

10:08.640 --> 10:12.080
threading as a worker, that really improved.

10:12.080 --> 10:16.920
And yes, but also, if you have

10:16.920 --> 10:21.160
this amount of traffic, any signature

10:21.160 --> 10:23.720
that does an analysis but is too costly

10:23.720 --> 10:25.480
is going to kill the engine,

10:25.480 --> 10:28.720
so being able to control that is a key point.

10:28.720 --> 10:32.360
Alert fatigue, too many IDS events:

10:32.360 --> 10:36.080
with 10 gigabit, one week is around 10 million

10:36.080 --> 10:42.080
IDS events, so you need to have post-processing,

10:42.080 --> 10:45.400
you need to be sure that you have not too many false positives.

10:45.400 --> 10:48.440
So improving the quality of the rules is a key point,

10:48.440 --> 10:51.480
so this can be made via better keywords,

10:51.480 --> 10:54.600
and this can be made by helping the rule writer.

10:54.600 --> 10:57.600
And it's also something that you need to be able to do

10:57.600 --> 10:59.400
is to be able to classify.

10:59.400 --> 11:01.280
So for that, there are two key things.

11:01.280 --> 11:04.600
One is the fact that when you are writing a signature,

11:04.600 --> 11:08.320
you can have metadata that enrich the alert event,

11:08.320 --> 11:10.600
which means that you can contextualize everything

11:10.600 --> 11:12.680
that has been generated efficiently.

11:12.680 --> 11:15.920
And you can also have all the application layer

11:15.920 --> 11:19.240
metadata that enrich the Suricata alert,

11:19.240 --> 11:23.000
which allow you to know which server it was,

11:23.000 --> 11:25.800
which application layer protocol information we have,

11:25.800 --> 11:30.160
just TLS, SMB, HTTP and stuff like that.

11:30.160 --> 11:36.360
And on the roadmap part, sorry, one of the big things

11:36.360 --> 11:39.920
is to improve the extendability of the software.

11:39.920 --> 11:43.360
First thing is libsuricata, so basically,

11:43.360 --> 11:46.720
you can plug Suricata on any packet source

11:46.720 --> 11:48.640
and any other software.

11:48.640 --> 11:51.200
That's the goal here.

11:51.200 --> 11:53.520
And on the other side, some of the features

11:53.520 --> 11:56.160
we may not want to have them in Suricata,

11:56.160 --> 11:57.680
so there is a plugin infrastructure

11:57.680 --> 12:00.480
that is in the making to be able to connect

12:00.480 --> 12:04.480
to Suricata, and handle the traffic from that,

12:04.480 --> 12:07.120
so we need to add hooks inside Suricata,

12:07.120 --> 12:10.320
up to the point we can have access to some internals,

12:10.320 --> 12:12.560
for instance, to develop a JA4.

12:12.560 --> 12:16.360
And then, the Lua support improvement,

12:17.280 --> 12:19.920
the thing is that Lua came from the build,

12:19.920 --> 12:23.640
so we need to vendor Lua, to be able to have a Lua

12:23.640 --> 12:25.360
that comes with a version of Suricata,

12:25.360 --> 12:27.760
so that has been done for Suricata 8.

12:27.760 --> 12:31.800
And then, when you ingest a signature

12:31.800 --> 12:34.600
that can call a Lua script,

12:34.600 --> 12:36.600
it means that it can do almost anything.

12:36.600 --> 12:40.360
So sandboxing that, that's something you need to know

12:40.360 --> 12:42.960
because now signatures can come from everywhere,

12:42.960 --> 12:45.000
so you need to take that into consideration.

12:47.240 --> 12:51.360
One big change, if you have some rule writers here,

12:51.360 --> 12:55.200
that is coming with Suricata 8 is the bidirectional rules.

12:55.200 --> 12:58.720
So you will be able to match on a request

12:58.720 --> 13:00.320
and match on a response.

13:00.320 --> 13:02.400
So if I see that in the response,

13:02.400 --> 13:05.320
and if in a request, and even the response,

13:05.320 --> 13:07.840
confirm that my first hypothesis was correct,

13:07.840 --> 13:11.560
that for instance, the exploit has been really made,

13:11.560 --> 13:12.920
you can do that in one single rule,

13:12.920 --> 13:15.480
that's really a key somewhere.

13:15.480 --> 13:20.480
And then there is also some work on making it homogeneous

13:20.600 --> 13:22.520
between the logs and the keywords.

13:22.520 --> 13:24.920
There are some things that are logged in Suricata

13:24.920 --> 13:26.960
where we have no keyword to match on.

13:26.960 --> 13:29.440
So what we want is to bring everything to parity.

13:31.480 --> 13:35.600
We got some new protocols, so LDAP is one of the biggest ones.

13:35.600 --> 13:38.440
We also got a little bit lower level with ARP.

13:39.440 --> 13:43.520
We got some improvements on SMB and some support for SDP.

13:43.520 --> 13:47.440
And then what we have also is a big move on Rust.

13:47.440 --> 13:51.520
So we switched, from the beginning of the project in 2017, 16%

13:51.520 --> 13:56.520
of Rust, eight years later, we are at 20% of Rust,

13:56.520 --> 13:58.920
which is a good thing for security.

13:58.920 --> 14:00.960
We're using the nom library to help us

14:00.960 --> 14:02.760
to mostly do protocol parsers,

14:02.760 --> 14:06.640
but it starts to be used almost everywhere.

14:06.640 --> 14:12.640
On the Suricata timeline, we are going to have the first initial

14:12.640 --> 14:16.080
beta release in April and we

14:16.080 --> 14:20.800
expect to have the release end of spring, beginning of summer.

14:22.000 --> 14:24.640
And one thing to mention, it's that OISF is doing a lot

14:24.640 --> 14:28.400
of work around tracking the roadmap.

14:28.400 --> 14:31.720
So there is also a roadmap website where you can have a clear view

14:31.720 --> 14:36.720
of what is happening, and so you can really see the progress.

14:36.720 --> 14:42.520
So that's really the big one, just 8,000 lines moved

14:42.520 --> 14:45.360
and changed in Suricata 8 till now,

14:45.360 --> 14:47.760
that will be the big release.

14:47.760 --> 14:52.120
So join the discussion.

14:52.120 --> 14:56.000
If you have interest in network packet analysis,

14:56.000 --> 14:58.560
in security, join the discussion

14:58.560 --> 15:01.960
because a lot of features in Suricata

15:01.960 --> 15:04.200
are coming from contributors, some really

15:04.200 --> 15:06.760
main ones are coming from contributors.

15:06.760 --> 15:08.560
That's really where you listen to people,

15:08.560 --> 15:12.400
discuss with people; a lot of people at OISF

15:12.400 --> 15:14.160
are pure software developers.

15:14.160 --> 15:16.040
So if you have security concerns

15:16.040 --> 15:19.320
because of your work, just come to us, discuss with us

15:19.320 --> 15:22.720
and it will improve the overall situation.

15:22.720 --> 15:24.760
There is a brainstorming session on Suricata

15:24.760 --> 15:26.760
on virtual, and you can open feature tickets,

15:26.760 --> 15:28.240
if you have some ideas.

15:28.240 --> 15:32.560
And in 2025, Suricata 8, SuriCon in Montreal, CFP

15:32.560 --> 15:35.480
is coming soon, on OISF. You got it?

15:35.480 --> 15:51.720
Thank you very much.

