Every year, there are a few “must-attend” events that are fixtures on every security enthusiast’s calendar. Besides the obvious “big ones” such as the CCC congress or the big US shows, a smaller, more intimate event is of particular interest to the network visibility and monitoring community: SuriCon, the annual Suricata developers and users conference. Suricata is a high performance, open-source Network Intrusion Detection System (IDS ), Intrusion Prevention System (IPS) and Network Security Monitoring (NSM) engine that forms the basis of DCSO’s Threat Detection & Hunting (TDH) service.
Continuing a tradition from the very first year when DCSO was founded, a small group of NSM enthusiasts from DCSO’s TDH team went on a field trip to Vancouver, where this year’s SuriCon took place between November 14 and 16, 2018. This year, Pan Pacific Hotel Vancouver was chosen to be the venue, offering a spectacular view overlooking the Vancouver harbor and a spacious and comfortable home to the conference and its attendants.
Suricata development is backed by a community-run non-profit entity, the Open Information Security Foundation (OISF). To facilitate organizing an international conference without impacting funds needed to develop Suricata itself, OISF relies on community sponsorship for each SuriCon. For the first time in 2018, DCSO took part as a Community Partner sponsor, along with Intel and Google, to show ongoing support for the project and its excellent team.
SuriCon also always provides its attendees with the opportunity to improve their skills by offering various training courses that start two days before the actual conference. The majority of the DCSO team attended the “Advanced Deployment and Architecture” training course, given by Peter Manev and Eric Leblond from the Suricata core team. The 2-day training provided a thorough walkthrough of running a robust Suricata deployment at the peak of its possible performance, including its the more intricate details and powerful techniques such as “smart” rule supplements written in Lua or XDP-based bypass. We were impressed by how immediate feedback and discussions with the original developers can help to grasp not only the key points but the complete details as well. We would definitely recommend this training to anyone for whom Suricata’s default configuration may not be sufficient.
Another member of our team chose to attend the “Practical Signature Development” training. It was given by Jack Mott and Jason Williams from Emerging Threats, who are also part of the OISF core team, with a guest appearance byf Victor Julien, founder and lead developer of the Suricata software itself. He talked about the new rule features and syntax changes coming with Suricata version 4.1.x. The Emerging Threats team did a great job sharing their extensive experience in rule writing. Almost every part of Suricata’s complex rule language was covered during the two–day course. Starting with the basic rule syntax, going to hands-on examples of the most commonly used and supported application layer protocols (e.g. HTTP, DNS, SMB1/2/3, etc.), the participants were able to use even the most advanced features (e.g. xbits) in their rules. This was not only very helpful for the CTF challenge at the conference, but most of all provided an excellent foundation on which to start writing custom rules. After the training course, attendees are sure to leave with a thorough understanding of the rule language as well as the technical skills to write rules from a malware sample or pcap file and to test the resulting rules for functionality and performance. We would also definitely recommend this training to anyone who wants to start writing their own rules and use the full capabilities of Suricata’s rule language.
Over the course of the 3 days that made up the main conference, talks covered many topics ranging from new features and developments through to helpful tricks from the trenches to performance testing. 2018 also marked the first year featuring full video recording of all sessions, with the recordings planned to be released in late January after editing. Although the quality of all talks was excellent, we considered a couple of talks to be particularly notable taking our interests into account. We will briefly summarize them below.
In August 2018, the final version of TLS 1.3 was published (RFC 8446) and companies such as Cloudflare started to make it available to their customers. With this major update, the new version improves both the security and speed of encrypted connections. Anton Tyurin from Positive Technologies gave an overview of the changes (protocol messages, state machine and cryptographic parameters) and looked deeper into how the advancements will affect the detection of malicious communications even under TLS 1.3 as more parts of the protocols are now encrypted than before (e.g. certificate). Thanks to Mats Klepsland, Suricata 4.1.x now supports TLS 1.3 parsing and logging, but rule writers have to change their way of writing TLS rules with this new version. Watch the talk here: https://vimeo.com/310445194
Having the “best” NSM, IDS or IPS solution does not automatically mean having the best overall network security solution. If you cannot control the monitored traffic, it is very hard to handle every possible situation that could happen. Christoph Knott gave a very interesting talk that he called “The Dirty Meerkat: Operating Suricata in Load Balanced, Asymmetric Networks by Example”. Suricata works best with a clean, full-duplex traffic flow on a single wire, but this is difficult to have everywhere in today’s modern industrial environments and tap setups. The talk illustrated well how Suricata handles data loss caused by single sided network connections within flows and scrambled packets within network sessions. It also focused on rule writing and the necessary configuration changes with this kind of traffic. Watch the talk here: https://vimeo.com/310446439
Jason Ish introduced Suricata-Update, the (new) tool for updating your Suricata rules. Written purely in Python, it comes bundled with Suricata version 4.1.0 and later. Typically, Suricata setups have used Oinkmaster from the Snort ecosystem, but now Suricata has its own update engine. A core element of the Suricata update is the so called Suricata Intelligence Index, a list of public and commercial available rulesets for Suricata. By doing so, rule publishers can make their rules more discoverable by the Sruicata user base, making it easier for users to find new rules. Watch the talk here: https://vimeo.com/310437800
Eric Leblond gave an overview of new Linux kernel developments and what they will mean for Suricata performance on Linux in the future. His talk, “Why eBPF and XDP in Suricata Matters”, dealt with what these two technologies, XDP and eBPF, may hold for Suricata performance. The core idea behind XDP is to get the full network stack out of the way of packet processing as much as possible. XDP is built around a barebone packet transport that is optimized for speed. Whenever a decision needs to be made or a packet has to be modified, user-supplied programs written in the BPF language can be called using an XDP hook. It is obvious that, given the right instructions, this can be used, for instance, to implement bypass of uninteresting packets before having to waste userspace CPU cycles on them. Watch the talk here: https://vimeo.com/310459215
Another rather technical presentation dealt with sensor performance testing. In his talk on “Reproducible Performance Testing of Suricata on a Budget Using TRex”, Joe Johnson from Gigamon (formerly ICEBRG) presented an effective and cost-efficient way to test Suricata sensor setups under load using Cisco’s TRex software. TRex is an open source, low cost, stateful and stateless traffic generator based on the Data Plane Development Kit (DPDK). It generates layer 4-7 traffic based on pre-processing and smart replay of real traffic templates. The talk convincingly showed that high performance (multi-gigabit) real-time traffic simulation is possible on stock hardware without expensive third-party products. Having such testing setups at one’s disposal is a clear requirement for evidence-based tuning of sensor configurations for specific workloads and traffic mixes. Watch the talk here: https://vimeo.com/310448813
All talks are available as PDF files and video recordings at: https://suricon.net/highlights-from-suricon-2018/
In 2018, DCSO contributed to the conference program with a talk as well. In a brief presentation on “How to Train Your Meerkat: A Journey from Stock to Specialization”, Robert Haist and Sascha Steinbiss shared their experience collected over three years while developing a multi-customer NSM stack using Debian, Suricata and commodity server hardware, paying special attention to performance, ease of deployment, sensor management and monitoring. While presenting their approaches to common and less common challenges and target features (talk on Vimeo: https://vimeo.com/310457267), they also announced the release of various new open-source software tools, developed by DCSO:
- fever, a fast, extensible, versatile event router for Suricata’s EVE-JSON format (https://github.com/DCSO/fever)
- balboa, a server for indexing and querying passive DNS observations (https://github.com/DCSO/balboa)
- slinkwatch, a tool for automatic enumeration and maintenance of Suricata monitoring interfaces (https://github.com/DCSO/slinkwatch)
- ethflux, an InfluxDB data gatherer for ethtool-style network interface information (https://github.com/DCSO/ethflux) and last but not least
- bloom, a highly efficient Bloom filter library and command line tool written in Go (https://github.com/DCSO/bloom)
Suricata Roadmap and DCSO Commitments
SuriCon is also the usual venue for the annual Suricata feature roadmap brainstorming event, in which the future focus of Suricata development is discussed and progress made in terms of last year’s goals is tracked. We were pleased to see that many well-desired community requests have been addressed in the latest Suricata version 4.1 (see changelog) and many exciting new ideas were collected to shape the feature set of the next upcoming versions.
During SuriCon 2018, DCSO stated its commitment to contribute to the following activities around Suricata:
- Precise description of the EVE JSON format as a JSON schema as well as a set of software tools to help curate and verify this schema
- Improvement of hardware layer metadata detection
- Ongoing maintenance and support of Suricata and related software tools in the Debian operating system
All in all, we can report that SuriCon 2018 was another very rewarding and successful event, which brought together many bright people in the Suricata and infosec community for productive discussions and lots of fun. We are really looking forward to next year’s SuriCon, which will take place in Amsterdam.
Who we are
The Threat Detection & Hunting Team identifies ongoing cyber-attacks and supports our customers’ security teams in appropriately handling those threats.