Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Observations on the modern NSM toolchest
Christian [email protected]
Bro4Pros, March 20161
About me
2
For the Bro oldtimers
3
← my fault
4
The open-source NSM toolchest...
5
or ?
Background on Lastline
6
Lastline is...
7
● A software platform for malware protection
Lastline is...
8
Linux & open-source everywhere
9
● Distribution based on Ubuntu packaging infrastructure, with added control
● MySQL, Cassandra, Hadoop, Ceph, RabbitMQ, ZeroMQ, Protobuf, Puppet, Ansible, Suricata, PF_RING, netmap, ...
10
The Problem
11
The Lastline Sensor needs to ...
12
● Match industry-standard signatures● Parse a ton of protocols● Carve files for analysis● Match against blacklists● Collect basic network telemetry (NetFlow, pDNS, …)● Be modular & extensible● Do a bunch of clever things I can’t talk about
The Lastline Sensor needs to ...
13
● Match industry-standard signatures● Parse a ton of protocols● Carve files for analysis● Match against blacklists● Collect basic network telemetry (NetFlow, pDNS, …)● Be modular & extensible● Do a bunch of clever things I can’t talk about
This doesn’t exist(as open-source)
14
15
We have tools, but no toolchest
Vortex,...
netmap pcap pf_ringpacketbricks
16
These tools don’t mix well
Vortex,...
17
?
18
? Nope.
Wait, another Problem
19
We keep implementing the same stuff
20
Need a TCP reassembler?
libnids: dead.Bro: ~3,000 lines with reusable core logicSnort: ~12,000 linesSuricata: ~10,000 lines (excluding unit tests)Wireshark: ~6,000 lines (excluding MPTCP)
21
22
This also applies to signature matchers and
protocol parsers
23
It’s getting better, right?
24
25
26
“Rewrite critical modules like TCP
reassembly and HTTP inspection”
ProjectWishlist
27
libreass
28
● (Okay, perhaps libtcp)
● A community-maintained TCP stream reassembler
● Including a testsuite of quirky TCP pcaps
● With bindings for popular languages
● Could also handle IP defrag or HTTP content-range
libsigmatch
29
● A community-maintained signature matcher
● A de-facto community standard signature language
● Fun API challenge
● Pcap test library a plus
libprotoparse
30
● A community-maintained protocol parser suite
Oh wait...
31
http://www.icir.org/hilti/
Modular, secure,reusable protocol parsing.
32
http://www.icir.org/hilti/http://www.icir.org/hilti/
Additional Thoughts
33
Open-source release models matter
34
● Our mission is not to advance an open-source product. It is to advance our own product
● Working with a beta codebase to enjoy major fixes poses enormous risks
● Results in costly patch update rounds
● Supported stable releases increase adoption
Licensing is really important
35
● Contagious licenses ensure open source
● Permissive licenses foster adoption
● Choose wisely!
So...
36
The open-source NSM toolchest...
37
or ?
The open-source NSM toolchest...
38
or ?
39
40
The open-source NSM toolchest
41
To be fair: these are great tools
42
Thanks!
(btw, Lastline is hiring)
Christian Kreibich
[email protected]@ckreibich