-
Observations on the modern NSM toolchest
Christian [email protected]
Bro4Pros, March 20161
-
About me
2
-
For the Bro oldtimers
3
← my fault
-
4
-
The open-source NSM toolchest...
5
or ?
-
Background on Lastline
6
-
Lastline is...
7
● A software platform for malware protection
-
Lastline is...
8
-
Linux & open-source everywhere
9
● Distribution based on Ubuntu packaging infrastructure, with
added control
● MySQL, Cassandra, Hadoop, Ceph, RabbitMQ, ZeroMQ, Protobuf,
Puppet, Ansible, Suricata, PF_RING, netmap, ...
-
10
-
The Problem
11
-
The Lastline Sensor needs to ...
12
● Match industry-standard signatures● Parse a ton of protocols●
Carve files for analysis● Match against blacklists● Collect basic
network telemetry (NetFlow, pDNS, …)● Be modular & extensible●
Do a bunch of clever things I can’t talk about
-
The Lastline Sensor needs to ...
13
● Match industry-standard signatures● Parse a ton of protocols●
Carve files for analysis● Match against blacklists● Collect basic
network telemetry (NetFlow, pDNS, …)● Be modular & extensible●
Do a bunch of clever things I can’t talk about
-
This doesn’t exist(as open-source)
14
-
15
We have tools, but no toolchest
Vortex,...
netmap pcap pf_ringpacketbricks
-
16
These tools don’t mix well
Vortex,...
-
17
?
-
18
? Nope.
-
Wait, another Problem
19
-
We keep implementing the same stuff
20
-
Need a TCP reassembler?
libnids: dead.Bro: ~3,000 lines with reusable core logicSnort:
~12,000 linesSuricata: ~10,000 lines (excluding unit
tests)Wireshark: ~6,000 lines (excluding MPTCP)
21
-
22
-
This also applies to signature matchers and
protocol parsers
23
-
It’s getting better, right?
24
-
25
-
26
“Rewrite critical modules like TCP
reassembly and HTTP inspection”
-
ProjectWishlist
27
-
libreass
28
● (Okay, perhaps libtcp)
● A community-maintained TCP stream reassembler
● Including a testsuite of quirky TCP pcaps
● With bindings for popular languages
● Could also handle IP defrag or HTTP content-range
-
libsigmatch
29
● A community-maintained signature matcher
● A de-facto community standard signature language
● Fun API challenge
● Pcap test library a plus
-
libprotoparse
30
● A community-maintained protocol parser suite
-
Oh wait...
31
-
http://www.icir.org/hilti/
Modular, secure,reusable protocol parsing.
32
http://www.icir.org/hilti/http://www.icir.org/hilti/
-
Additional Thoughts
33
-
Open-source release models matter
34
● Our mission is not to advance an open-source product. It is to
advance our own product
● Working with a beta codebase to enjoy major fixes poses
enormous risks
● Results in costly patch update rounds
● Supported stable releases increase adoption
-
Licensing is really important
35
● Contagious licenses ensure open source
● Permissive licenses foster adoption
● Choose wisely!
-
So...
36
-
The open-source NSM toolchest...
37
or ?
-
The open-source NSM toolchest...
38
or ?
-
39
-
40
The open-source NSM toolchest
-
41
To be fair: these are great tools
-
42
Thanks!
(btw, Lastline is hiring)
Christian Kreibich
[email protected]@ckreibich
