Suricata IDPS and Nftables: The Mixed Mode
Giuseppe Longo
Stamus Networks
Jul 5, 2016
Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 1 / 60
1 Netfilter: Nftables; Tables and chains; Rules
2 Suricata: Intro; IDS / IPS; Signatures; NFQUEUE; NFLOG
3 Mixed Mode: Introduction; Usage; Ninja usage
4 Conclusion
Netfilter: Intro
Netfilter
It's a framework, developed by the Netfilter organization, inside the Linux kernel that enables packet filtering, network address translation, and other packet mangling.
nftables
What's new? A new filtering system
- Replaces {ip,ip6,arp,eb}tables
- New userspace tools
- Compatibility layers
A new language
- Based on a grammar
- Accessible from a library
Netlink-based communication
- Atomic modification
- Notification system
nft: userspace tool
New features
- Tables and chains
- Expressions
- Rules
- Sets and maps
- Dictionaries
- Concatenations
- Scripting
nft: tables
Tables
- Container of chains with no specific semantic
- No predefined table configuration anymore
- At least one table needs to be added
Adding tables
nft add table [<family>] <name>
Examples
nft add table ip foo
nft add table foo
nft add table ip6 bar
nft: chains
Chains
- No predefined chains
- Base chains need to be registered
Adding chains
nft add chain [<family>] <table-name> <chain-name> { type <type> hook <hook> priority <value> policy <policy> ; }
Example
nft add chain ip foo bar { type filter hook input priority 0 policy drop; }
nft: expressions
Comparison: eq, neq, gt, gte, lt, lte
nft add rule ip foo bar tcp dport != 80
Range
nft add rule ip foo bar tcp dport 1-1024
nft add rule ip foo bar meta skuid 1000-1100
Prefixes
nft add rule ip foo bar ip daddr 192.168.10.0/24
nft add rule ip foo bar meta mark 0xffffff00/24
Flags
nft add rule ip foo bar ct state new, established
nft: expressions (2)
Bitwise + Comparison
nft add rule ip foo bar ct mark and 0xffff == 0x123
Set value
nft add rule ip foo bar ct mark set 10
nft add rule ip foo bar ct mark set meta mark
nft: rules
Counters are optional (unlike iptables)
nft add rule ip foo bar counter
Several actions in one rule
nft add rule ip foo bar ct state invalid log prefix "invalid: " drop
nft: sets
Sets
- Built-in generic set infrastructure that allows you to use any supported selector to build sets
- This infrastructure makes the representation of dictionaries and maps possible
- The set elements are internally represented using performance data structures such as hashtables and red-black trees
nft: set (2)
Anonymous set
- Bound to a rule: if the rule is removed, the set is released too
- They have no specific name; the kernel internally allocates an identifier
- They cannot be updated, so you cannot add or delete elements once the set is bound to a rule
The following example shows how to create a simple set:
nft add rule ip foo bar tcp dport {22, 23} counter
This rule catches all traffic going to TCP ports 22 and 23; on a match, the counters are updated.
nft: set (3)
Named set
You can create named sets with the following command:
nft add set ip foo whitelist { type ipv4_addr }
- whitelist is the name of the set in this case
- the type option indicates the data type that this set stores (IPv4 addresses in this case)
- the current maximum name length is 16 characters
Fill the set
nft add element ip foo whitelist { 192.168.0.1, 192.168.0.10 }
You can use it from a rule:
nft add rule ip foo bar ip daddr @whitelist counter accept
The content of the set can be dynamically updated.
nft: sets (4)
Supported data types
- ipv4_addr: IPv4 address
- ipv6_addr: IPv6 address
- ether_addr: Ethernet address
- inet_proto: Inet protocol type
- inet_service: Internet service (TCP port for example)
- mark: Mark type
nft: maps
Maps
- Can be used to look up data based on a specific key that is used as input
- Internally use the generic set infrastructure
Anonymous maps
This example shows how the destination TCP port selects the destination IP address to DNAT the packet to:
nft add rule ip nat prerouting dnat tcp dport map { 80 : 192.168.1.100, 8888 : 192.168.1.101 }
This can be read as:
- if the TCP destination port is 80, then the packet is DNAT'ed to 192.168.1.100
- if the TCP destination port is 8888, then the packet is DNAT'ed to 192.168.1.101
nft: maps (2)
Named map
nft add map nat porttoip { type inet_service: ipv4_addr }
nft add element nat porttoip { 80 : 192.168.1.100, 8888 : 192.168.1.101 }
nft add rule ip nat postrouting snat tcp dport map @porttoip
nft: dictionaries
Dictionaries
Also known as verdict maps, they allow you to attach an action to an element
Anonymous dictionaries
This example shows how to create a tree of chains whose traversal depends on the layer 4 protocol type:
nft add rule ip foo bar ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain, icmp : jump icmp-chain }
This rule-set arrangement allows you to reduce the number of linear list inspections needed to classify your packets.
nft: dictionaries (2)
Named dictionaries
nft add map filter mydict { type ipv4_addr : verdict }
nft add element filter mydict { 192.168.0.10 : drop, 192.168.0.11 : accept }
nft add rule filter input ip saddr vmap @mydict
nft: concatenations
Concatenations
Permit putting two or more selectors together to perform very fast lookups by combining them with sets, dictionaries and maps.
nft add rule ip filter input ip saddr . ip daddr . ip protocol { 1.1.1.1 . 2.2.2.2 . tcp, 1.1.1.1 . 3.3.3.3 . udp } counter accept
In this example, if the packet matches the source IP address AND the destination IP address AND the IP protocol, nftables updates the counter for this rule and then accepts the packet.
nft: scripting
Scripting
nftables provides a native scripting environment to maintain the ruleset
Load the script
nft -f ruleset.nft
Tables and Chains
Tables
- Each table has a specific purpose and chains
- There are 5 main built-in tables in iptables
- It's not possible to add user-defined tables
Chains
Each chain has a specific purpose and contains a ruleset that is applied on packets that traverse the chain
Tables
Filter table
- Used for filtering packets
- We can match packets and filter them in whatever way we may want
- This is the place where we actually take actions against packets: ACCEPT, DROP, LOG, REJECT
- Three built-in chains
Tables
Filter's chains
INPUT
  It's used on all packets that are destined for the firewall
FORWARD
  It's used on all non-locally generated packets that are not destined for our localhost
OUTPUT
  It's used for all locally generated packets
Tables
NAT table
- It's used mainly for Network Address Translation
- NATed packets get their IP addresses (or ports) altered, according to our rules
- Packets in a stream only traverse this table once
- We assume that the first packet of a stream is allowed
- The rest of the packets in the same stream are automatically NATted, masqueraded, etc.
Tables
NAT's chains
PREROUTING
  It's used to alter packets as soon as they get into the firewall
OUTPUT
  It's used for altering locally generated packets before they get to the routing decision
POSTROUTING
  It's used to alter packets just as they are about to leave the firewall
Tables
Mangle table
- This table is used mainly for mangling packets
- Among other things, we can change the content of different packets and some of their headers
Examples: TTL, ToS, Mark
Tables
Mangle's chains
PREROUTING
  It's used for altering packets just as they enter the firewall and before they hit the routing decision
POSTROUTING
  It's used to mangle packets just after all routing decisions have been made
INPUT
  It's used to alter packets after they have been routed to the localhost itself, but before the userspace software sees the data
FORWARD
  It's used to mangle packets after they have hit the first routing decision, but before they actually hit the last routing decision
OUTPUT
  It's used for altering locally generated packets after they enter the routing decision
Rule
Rule
A rule is a set of criteria with a target that specifies the action to take
Target
ACCEPT
  the packet is accepted (it's sent to the destination)
DROP
  the packet is dropped (it's not sent to the destination)
User-defined chain
  another ruleset is executed
RETURN
  stops executing the next set of rules in the current chain for this packet; control is returned to the calling chain
The RETURN target
Return target
- A packet traverses chain1
- When rule3 matches the packet, it is sent to chain2
- The packet traverses chain2 until it is matched by rule2
- At this point, the packet returns to chain1 and rule3 is not tested
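The traversal on this slide, as an added example (not code from the deck): a small model of iptables chain evaluation with ACCEPT, DROP, a jump into a user-defined chain and RETURN. The chain and rule names follow the slide; the match conditions and the packets are constructed for illustration, and the trace shows which rules are actually tested.

```python
# Added example, not from the deck: a small model of iptables chain traversal
# with ACCEPT, DROP, a jump to a user-defined chain and RETURN. The chain and
# rule names follow the slide; match conditions and packets are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    target: str                   # "ACCEPT", "DROP", "RETURN" or "JUMP"
    chain: Optional[str] = None   # destination chain for "JUMP"


@dataclass
class Ruleset:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policy: str = "DROP"          # policy of the built-in chain when no rule decides

    def walk(self, chain: str, pkt: Packet, trace: List[str]) -> Optional[str]:
        """Evaluate one chain. Returns a terminating verdict, or None when the
        chain hands control back to its caller (RETURN, or end of chain)."""
        for rule in self.chains[chain]:
            trace.append(f"{chain}:{rule.name}")
            if not rule.match(pkt):
                continue
            if rule.target == "JUMP":
                verdict = self.walk(rule.chain, pkt, trace)
                if verdict is not None:
                    return verdict        # ACCEPT/DROP taken inside the callee
                continue                  # callee returned: go on with the next rule
            if rule.target == "RETURN":
                return None
            return rule.target            # ACCEPT or DROP
        return None

    def verdict(self, base_chain: str, pkt: Packet) -> Tuple[str, List[str]]:
        """Final verdict for a packet entering a built-in chain, plus the list of
        rules that were actually tested, in order."""
        trace: List[str] = []
        v = self.walk(base_chain, pkt, trace)
        return (v if v is not None else self.policy), trace


def example_ruleset() -> Ruleset:
    """chain1 jumps TCP traffic into chain2; chain2 returns early for sources
    in 192.168.0.0/16 and drops everything else that reaches its rule3."""
    rs = Ruleset()
    rs.chains["chain1"] = [
        Rule("rule1", lambda p: p["proto"] == "udp", "ACCEPT"),
        Rule("rule2", lambda p: p["dport"] == 25, "DROP"),
        Rule("rule3", lambda p: p["proto"] == "tcp", "JUMP", chain="chain2"),
        Rule("rule4", lambda p: True, "ACCEPT"),
    ]
    rs.chains["chain2"] = [
        Rule("rule1", lambda p: p["dport"] == 23, "DROP"),
        Rule("rule2", lambda p: str(p["src"]).startswith("192.168."), "RETURN"),
        Rule("rule3", lambda p: True, "DROP"),
    ]
    return rs


if __name__ == "__main__":
    rs = example_ruleset()
    print(rs.verdict("chain1", {"proto": "tcp", "src": "192.168.0.5", "dport": 22}))
```

For a TCP packet from 192.168.0.5 the trace is chain1:rule1, rule2, rule3, then chain2:rule1, rule2 (RETURN), then chain1:rule4; chain2's rule3 is never tested, and evaluation resumes in chain1 after the jump rule rather than at it.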
Packet Path
Intro
About Suricata
- Open source (GPLv2), backed by OISF
- Cross-platform support (primarily Linux and BSD)
- Stable versions 3.1 and 3.0.2
- Multi-threading and high performance
- Protocol detection, file extraction, Lua scripting
- Many supported output formats like EVE/JSON
- Hardware acceleration
- Reading PCAPs
- Emerging Threats ruleset support
- Support via IRC, mailing list, Redmine
About OISF
Open Information Security Foundation
- Non-profit foundation
- Supports community-driven technology like Suricata and libhtp
- Funding comes from donations
- Organizations can become Consortium members
- Organizes SuriCon and trainings (user and developer)
Suricata: capture modes
IDS
- PCAP: multi-OS capture
- AF_PACKET: Linux high performance on a vanilla kernel
- NFLOG: Netfilter on Linux
IPS
- NFQUEUE: Netfilter on Linux
- IPFW: divert socket on FreeBSD
- AF_PACKET: level 2 software bridge
Suricata: IDS
IDS behavior
Suricata receives traffic in chunks.
Once the ACK is sent, the chunks are reassembled and sent to the detect engine to inspect them.
Suricata: IPS
IPS behavior
- It inspects packets immediately, before sending them on to the receiver
- Packets are inspected using the sliding window concept
- It inspects data as they come in until the TCP connection is closed
Suricata: IPS
Sliding window concept
- Suricata gets the first chunk and inspects it
- Then it gets the second chunk, puts it together with the first, and inspects it
- At the end, it gets the third chunk, cuts off the first one, puts the second chunk together with the third, and inspects it
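The sliding window on this slide, as an added example (not code from the deck or from Suricata): each chunk is inspected together with the previous one, the oldest chunk is cut off when a new one arrives, and the result is compared with IDS-style inspection of the fully reassembled stream. The TCP segments, the signature content and the two-chunk window are constructed for illustration; a real engine works on byte counts and its window is configurable.

```python
# Added example, not from the deck: a model of the two-chunk sliding window
# described for Suricata's inline (IPS) inspection, beside the IDS-style
# "reassemble everything after the ACK" inspection. Chunks, the signature
# content and the window size are constructed for illustration.
from typing import List, Tuple

WINDOW_CHUNKS = 2   # current chunk plus the previous one, as on the slide


def matches(data: bytes, content: bytes) -> bool:
    """Stand-in for the content match of one signature."""
    return content in data


def inline_inspect(chunks: List[bytes], content: bytes) -> List[Tuple[int, bytes, str]]:
    """IPS behaviour: every chunk is inspected as it arrives, together with the
    previous chunk still in the window; older chunks are cut off. The packet
    carrying matching data is dropped, and every later packet of the flow too.
    Returns (chunk index, bytes actually inspected, verdict) per chunk."""
    window: List[bytes] = []
    results: List[Tuple[int, bytes, str]] = []
    flow_dropped = False
    for idx, chunk in enumerate(chunks):
        window.append(chunk)
        if len(window) > WINDOW_CHUNKS:
            window.pop(0)                    # cut off the oldest chunk
        inspected = b"".join(window)
        if flow_dropped or matches(inspected, content):
            flow_dropped = True
            results.append((idx, inspected, "drop"))
        else:
            results.append((idx, inspected, "accept"))
    return results


def ids_inspect(chunks: List[bytes], content: bytes) -> bool:
    """IDS behaviour: the whole stream is reassembled once the data has been
    ACKed, then inspected; by then the data has already reached the receiver."""
    return matches(b"".join(chunks), content)


# Constructed stream: one HTTP request line split across three TCP segments.
SEGMENTS = [b"GET /ad", b"min/con", b"fig HTTP/1.1\r\n"]

if __name__ == "__main__":
    for row in inline_inspect(SEGMENTS, b"/admin"):
        print(row)
```

With content "/admin" the match only appears once the second chunk is joined to the first, so the second segment is the one dropped and the third follows as part of the dropped flow. A content that spans all three segments ("/admin/config") is never seen whole by the two-chunk window, although the IDS-style pass over the reassembled stream finds it; that is the trade-off between inspecting before the ACK and inspecting the complete stream.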
Suricata: IPS
Inline mode
Normally, we analyse data once we know they have been received by the receiver; in terms of TCP this means after they have been ACKed.
In IPS it does not work like this, because by then the data would already have reached the host that we protect.
Suricata: IPS
Stream in IPS
- In inline mode, data is analysed before it has been ACKed
- When Suricata receives a packet, it triggers the reassembly process itself
- If the detection engine decides a drop is required, the packet containing the data itself can be dropped, not just the ACK
As a consequence of inline mode, Suricata can drop or modify packets if stream reassembly requires it.
Suricata: administrative side
Signatures
On the administrative side, we must have signatures with a proper action in our ruleset.
An action is a property of the signature which determines what will happen when the signature matches the incoming, or outgoing, data.
Suricata: actions
Actions in IDS mode
Pass
  Suricata stops scanning the packet and skips to the end of all rules (only for this packet)
Alert
  Suricata fires an alert for the packet matched by a signature
Suricata: actions
Actions in IPS mode
Drop
- If a signature containing a drop action matches a packet, the packet is discarded immediately and won't be sent any further
- The receiver doesn't receive a message, resulting in a connection time-out
- All subsequent packets of the flow are dropped
- Suricata generates an alert for this packet
- This only concerns IPS mode
Suricata: actions
Actions in IPS mode
Reject
- This is an active rejection of the packet: both receiver and sender receive a reject packet
- If the packet concerns TCP, it will be a reset packet; for all other protocols it will be an ICMP error packet
- Suricata generates an alert too
- In IPS mode, the packet will be dropped as with the drop action
- Reject in IDS mode is called IDPS
Suricata: NFQUEUE
NFQUEUE
- It is used in Suricata to work in IPS mode, performing actions on the packet like DROP or ACCEPT
- With NFQUEUE we are able to delegate the verdict on the packet to a userspace software
- The Linux kernel will ask a userspace software connected to a queue for a decision
Netfilter's rules
nft add rule filter forward queue num 0
iptables -A FORWARD -j NFQUEUE --queue-num 0
Suricata: NFQUEUE
Suricata and NFQUEUE communication
- An incoming packet matched by a rule is sent to Suricata through nfnetlink
- Suricata receives the packet and issues a verdict depending on our ruleset
- The packet is either transmitted or rejected by the kernel
Suricata: NFQUEUE
NFQUEUE rule
queue-num
  queue number
queue-balance
  packets are queued by the same rule to multiple queues, which are load balanced
queue-bypass
  the packet is accepted when no software is listening to the queue
fail-open
  the packet is accepted when the queue is full
batching verdict
  a single verdict is sent for all queued packets
Suricata: NFQUEUE
NFQUEUE considerations
- The number of packets on a single queue is limited due to the nature of netlink communication
- Batching verdicts can help, but without a substantial improvement
- Starting Suricata with multiple queues could improve performance
Suricata: NFLOG
NFLOG
- It is used in Suricata to work in IDS mode; NFLOG is for logging
- Similar to NFQUEUE, but it only sends a copy of a packet without issuing a verdict
- The communication between NFLOG and userspace software is made through netlink
Netfilter's rule
nft add rule ip filter input log group 10
iptables -A INPUT -j NFLOG --nflog-group 10
Group exception
Group 0 is used by the kernel
Suricata: NFLOG
NFLOG rule
nflog-group
  number of the netlink multicast group
nflog-range <N>
  number of bytes up to which the packet is copied
nflog-threshold
  if a packet is matched by a rule, and already N packets are in the queue, the queue is flushed to userspace
nflog-prefix
  string associated with every packet logged
Suricata: mixed mode
What is the mixed mode?
- It's a feature that permits getting the traffic from different sources, giving us the possibility to choose different capture modes, like NFQUEUE and NFLOG, and to mix the IPS and IDS capabilities
- The key point of mixed mode is that you decide on a per-packet basis whether to handle it as IDS or IPS
Suricata: mixed mode
Motivation
This mode gives us two advantages:
Having a mixed environment
  We may want to block some traffic, and only inspect some
Technical simplification
  An IPS/IDS system equivalent to mixed mode could otherwise only be built by running many Suricata instances with different configuration files
Mixed mode: usage
Scenario
- Web server on port 80: its traffic can't be blocked
- The rest of the traffic is less sensitive
Mixed mode: usage
Netfilter ruleset
We want to be sure not to cut off the web server, but we still want to inspect port 80
nftables
nft add rule filter forward tcp dport != 80 queue num 0
nft add rule filter forward tcp dport 80 log group 2
iptables
iptables -A FORWARD -p tcp ! --dport 80 -j NFQUEUE
iptables -A FORWARD -p tcp --dport 80 -j NFLOG --nflog-group 2
Mixed mode: usage
Suricata configuration
Suricata in mixed mode
suricata -c suricata.yaml -q 0 --nflog -v
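The per-packet IDS/IPS decision that the ruleset above produces, as an added example (not code from the deck or from Suricata): a model in which a NFQUEUE target hands the packet to a stand-in detect engine and applies its verdict, while a NFLOG target forwards the packet regardless and the detect engine only sees a copy. Both the port-80 ruleset of this scenario and the set-based ruleset used later in the deck are modelled; the packets, the detector and its byte marker are constructed.

```python
# Added example, not from the deck: a model of how the Netfilter rules split
# traffic between NFQUEUE (IPS: Suricata returns the verdict) and NFLOG
# (IDS: the kernel forwards the packet and Suricata inspects a copy).
# Packets, the stand-in detector and its marker are constructed; the rule
# order and targets mirror the nftables rules on the slides.
from typing import Callable, Dict, List, Set, Tuple

Packet = Dict[str, object]
# A rule is (match, (target, number)); target is "queue" or "log".
Rule = Tuple[Callable[[Packet], bool], Tuple[str, int]]


class FakeDetector:
    """Stand-in for Suricata's detect engine with one 'drop' signature that
    matches a constructed byte marker. Every match raises an alert; whether
    the packet is actually dropped depends on how it reached Suricata."""

    def __init__(self, marker: bytes):
        self.marker = marker
        self.alerts: List[Tuple[str, str]] = []   # (mode, src) per alert

    def inspect(self, pkt: Packet, mode: str) -> str:
        if self.marker in pkt.get("payload", b""):
            self.alerts.append((mode, str(pkt["src"])))
            return "drop"
        return "accept"


def port80_ruleset() -> List[Rule]:
    """Scenario 1: port 80 is never cut off (NFLOG group 2); the rest of the
    TCP traffic is subject to verdicts (NFQUEUE 0)."""
    return [
        (lambda p: p["proto"] == "tcp" and p["dport"] != 80, ("queue", 0)),
        (lambda p: p["proto"] == "tcp" and p["dport"] == 80, ("log", 2)),
    ]


def set_ruleset(suspicious: Set[str]) -> List[Rule]:
    """Set-based scenario: sources in the set go to NFQUEUE 0 (IPS); everything
    else is only logged to group 2 (IDS)."""
    return [
        (lambda p: p["src"] in suspicious, ("queue", 0)),
        (lambda p: True, ("log", 2)),
    ]


def dispatch(ruleset: List[Rule], pkt: Packet, det: FakeDetector) -> Tuple[str, str]:
    """First matching rule wins. Returns (mode, fate) with mode 'IPS', 'IDS' or
    'none' and fate 'forwarded' or 'dropped'. A packet reaching Suricata via
    NFLOG can only produce an alert: the kernel never waits for a verdict."""
    for match, (target, _num) in ruleset:
        if not match(pkt):
            continue
        if target == "queue":
            verdict = det.inspect(pkt, "IPS")
            return "IPS", "forwarded" if verdict == "accept" else "dropped"
        if target == "log":
            det.inspect(pkt, "IDS")          # copy inspected; verdict has no effect
            return "IDS", "forwarded"
    return "none", "forwarded"               # no rule matched: chain policy accept (assumed)


MARKER = b"ATTACK-MARKER"   # constructed signature content


def demo() -> Dict[str, object]:
    det = FakeDetector(MARKER)
    web = {"proto": "tcp", "src": "203.0.113.9", "dport": 80, "payload": b"GET /?q=ATTACK-MARKER"}
    ssh = {"proto": "tcp", "src": "203.0.113.9", "dport": 22, "payload": b"SSH-2.0-ATTACK-MARKER"}
    clean = {"proto": "tcp", "src": "198.51.100.4", "dport": 22, "payload": b"SSH-2.0-libssh"}
    out: Dict[str, object] = {
        "web": dispatch(port80_ruleset(), web, det),
        "ssh": dispatch(port80_ruleset(), ssh, det),
        "clean": dispatch(port80_ruleset(), clean, det),
        "set_hit": dispatch(set_ruleset({"203.0.113.9"}), ssh, det),
        "set_miss": dispatch(set_ruleset({"203.0.113.9"}), {**ssh, "src": "198.51.100.4"}, det),
    }
    out["alerts"] = len(det.alerts)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The matching web request is forwarded with an alert, the same marker on port 22 is dropped, and with the set-based ruleset the same packet is dropped only when its source is in the set; every match alerts, which is the observable difference between the IDS and IPS halves of one Suricata instance.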
Mixed mode: usage
Scenario 2
- This time we want to move all traffic of an IP address from IDS to IPS
- Let's suppose that we notice a suspicious IP in the EVE log file and we want to block it
Mixed mode: usage
Solution
We should add a rule to send the incoming traffic from this IP to the queue, so that it can be blocked:
nft add rule filter input ip saddr 145.254.160.237 queue num 0
This solution does not perform well, because if we want to block another IP address we need to add another identical rule (rule duplication).
Mixed mode: usage
Solution improvement
Build a set containing all suspicious IPs and send all incoming traffic from them to the queue.
nftables way
nft add set filter suspisciousips { type ipv4_addr }
nft add element filter suspisciousips { 145.254.160.137 }
nft add rule filter input ip saddr @suspisciousips queue num 0
iptables way
ipset create suspisciousips hash:ip
ipset add suspisciousips 145.254.160.237
iptables -A FORWARD -m set --match-set suspisciousips src -j NFQUEUE --queue-num 0
Mixed mode: ninja usage
Scenario
We are using Suricata on a gateway that inspects all incoming traffic, and in particular we want to block all SSH connections from fake SSH agents.
Solution
- Suricata detects an SSH connection and logs it to the EVE log file
- Add the suspicious IP to the set
Mixed mode: ninja usage
Deny On Monitoring
- Written by Eric Leblond
- Implements a solution similar to fail2ban
- It parses the Suricata EVE log file searching for SSH events
- If the client version is suspicious, it adds the host to a blacklist using nftables or ipset
suspicious: client version != libssh
Consequence
Suricata will act as IPS on incoming connections from the suspicious IPs detected by DOM
Rulesets
Netfilter ruleset (nftables)
nft add set filter suspisciousips { type ipv4_addr }
nft add rule filter input ip saddr @suspisciousips queue num 0
nft add rule filter input log group 2
Netfilter ruleset (iptables)
iptables -A INPUT -m set --match-set suspisciousips src -j NFQUEUE --queue-num 0
iptables -A INPUT -j NFLOG --nflog-group 2
Suricata ruleset
drop tcp any any -> $SSH_SERVER any (msg:"Unexpected ssh connection"; sid:1234; rev:1234;)
alert icmp any any -> $SSH_SERVER any (msg:"Ping from unexpected client"; sid:5678; rev:5678;)
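The feeding side of the ninja setup (the EVE-to-set step that Deny On Monitoring performs), as an added example that is not Eric Leblond's DOM code and not from the deck: it reads Suricata EVE JSON lines, keeps the "ssh" events, applies the deck's criterion (client software version != libssh) and emits the nft command that adds each new source to the set from the ruleset above, after which the gateway handles that host through NFQUEUE. The EVE lines are constructed; the field names (event_type, src_ip, ssh.client.software_version) are those of Suricata's EVE ssh event.

```python
# Added example, not from the deck and not Deny On Monitoring itself: a
# minimal DOM-style pass over Suricata EVE JSON that selects suspicious SSH
# clients and produces the nft commands feeding the deck's set. EVE lines are
# constructed; field names follow Suricata's EVE ssh event.
import ipaddress
import json
from typing import Iterable, List, Set

EXPECTED_CLIENT = "libssh"
SET_TABLE = "filter"
SET_NAME = "suspisciousips"   # spelled as in the deck's nft ruleset


def suspicious_ssh_sources(eve_lines: Iterable[str]) -> List[str]:
    """Source IPv4 addresses (deduplicated, first-seen order) of SSH clients
    whose banner software version is not the expected one. Unparsable lines,
    non-SSH events and non-IPv4 sources are skipped."""
    seen: Set[str] = set()
    found: List[str] = []
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue                                  # truncated or garbled line
        if ev.get("event_type") != "ssh":
            continue
        client = ev.get("ssh", {}).get("client", {})
        if client.get("software_version", "") == EXPECTED_CLIENT:
            continue
        src = ev.get("src_ip")
        try:
            addr = ipaddress.ip_address(src)
        except (TypeError, ValueError):
            continue
        if addr.version != 4:                         # the set is typed ipv4_addr
            continue
        if src not in seen:
            seen.add(src)
            found.append(src)
    return found


def nft_add_element_commands(sources: List[str]) -> List[str]:
    """One 'nft add element' per new source; a DOM-like daemon would run these
    (or use the nftables library) while tailing the EVE file."""
    return [f"nft add element {SET_TABLE} {SET_NAME} {{ {src} }}" for src in sources]


# Constructed EVE lines: one libssh client, one host seen with two other
# client versions, an unrelated alert event, an IPv6 client and a truncated line.
SAMPLE_EVE = """\
{"timestamp":"2016-07-05T10:00:01.000000+0000","event_type":"ssh","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"libssh"},"server":{"proto_version":"2.0","software_version":"OpenSSH_7.2"}}}
{"timestamp":"2016-07-05T10:00:02.000000+0000","event_type":"ssh","src_ip":"198.51.100.7","src_port":40022,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"OpenSSH_6.6"},"server":{"proto_version":"2.0","software_version":"OpenSSH_7.2"}}}
{"timestamp":"2016-07-05T10:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"signature_id":5678,"signature":"Ping from unexpected client"}}
{"timestamp":"2016-07-05T10:00:04.000000+0000","event_type":"ssh","src_ip":"198.51.100.7","src_port":40023,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"PuTTY_Release_0.67"},"server":{"proto_version":"2.0","software_version":"OpenSSH_7.2"}}}
{"timestamp":"2016-07-05T10:00:05.000000+0000","event_type":"ssh","src_ip":"2001:db8::1","dest_ip":"2001:db8::10","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"paramiko_1.16"},"server":{"proto_version":"2.0","software_version":"OpenSSH_7.2"}}}
{"timestamp":"2016-07-05T10:00:06.000000+0000","event_type":"ssh","src_ip":"10.0.0.5"
"""

if __name__ == "__main__":
    for cmd in nft_add_element_commands(suspicious_ssh_sources(SAMPLE_EVE.splitlines())):
        print(cmd)
```

Only 198.51.100.7 ends up in the set (once, despite two events), the libssh client and the IPv6 source do not, and the truncated last line is ignored rather than aborting the loop. Because the deck's drop signature matches any TCP to $SSH_SERVER once a source is in the set, the narrowness of the libssh criterion is what keeps legitimate clients out of the IPS path.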
Results
Log examples
Questions?
Mixed mode
- Code not merged yet
- It still requires some testing
- Feedback is appreciated
More information
- Suricata: http://www.suricata-ids.org/
- Netfilter: http://www.netfilter.org/
- Stamus Networks: https://www.stamus-networks.com/
Contact me
- Mail: [email protected]
- @theglongo
- https://www.stamus-networks.com