
Whitepaper: Introduction to eBPF and XDP support in Suricata


eBPF and XDP support is one of the latest evolutions of the Suricata engine’s performance capabilities. These two technologies were introduced recently in the Linux kernel, and Suricata is one of the first well established and mature projects to make use of them. eBPF was introduced in the Linux kernel to run user-provided code safely inside the kernel, and XDP runs eBPF code on the network data path, as close as possible to the Network Interface Card.

Initial support for eBPF and XDP was available in Suricata 4.1, released in November 2018, and it has been greatly enhanced in Suricata 5.0. The development team at Stamus Networks, led by Éric Leblond, has been the primary developer of eBPF and XDP support within Suricata. The latest additions, the list of features and the potential use cases enabled by eBPF and XDP are becoming more significant, even vital, making this an opportune time to provide a high level overview for the community. That is the purpose of this article, written by Éric Leblond and Peter Manev.

Download the whitepaper: Introduction to eBPF and XDP support in Suricata

Stamus Networks

Stamus Networks has created a Network Traffic Analyzer (NTA), which uses network communications as a foundational data source for detecting security events, and married it with an Intrusion Detection System (IDS), which provides deep packet inspection of network traffic using a rules-based engine. The combination of these two approaches, done simultaneously in a single solution, provides a level of correlated data never previously achieved. We then added a Threat Hunting interface that allows security practitioners to quickly and efficiently search through this security data to examine, validate, and resolve the security incidents they face on a daily basis.

Suricata

Suricata is a free and open source, mature, fast and robust network threat detection engine.
The Suricata engine is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
Suricata inspects network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for the detection of complex threats.

Suricata’s fast paced community driven development focuses on security, usability and efficiency. The Suricata project and code is owned and supported by the Open Information Security Foundation (OISF), a non-profit foundation committed to ensuring Suricata’s development and sustained success as an open source project.

SELKS5 – The Sorceress


SELKS 5 is out! Thank you to the whole community for your help and feedback! Thank you to all the great Open Source projects and tools mentioned below for making it possible to showcase Suricata with this new release.

All components have been upgraded in this release to the latest version available, but this is not the main improvement. SELKS is now capable of Full Packet Capture thanks to Suricata and Moloch, and benefits from an upgraded Scirius CE that adds a new threat hunting interface.

Alert metadata in Scirius Hunting interface

The addition of Moloch allows the user to investigate and explore captured data via the Moloch viewer, which provides an intuitive interface. The new Scirius threat hunting interface offers a drill-down approach that allows you to quickly find the relevant alerts in a haystack and start the investigation with what matters.

Features, fixes and major improvements:

  • The whole stack has been upgraded
    • Over 21 new dashboards
    • Hundreds of visualizations
    • New Threat Hunting interface
    • Full Packet Capture possibility
  • Elasticsearch 6.7.1
  • Logstash 6.7.1
  • Kibana 6.7.1
  • Moloch 1.8.0 – The new SELKS makes use of Moloch and the Moloch viewer to parse and view the full packet capture done by Suricata. Moloch comes with an arsenal of tools and features of its own, like:
    • CyberChef
    • An extremely flexible and easy to use interface for FPC drill down, filtering, search and pcap export
  • Scirius 3.2.0 CE
    • Threat Hunting based on Suricata’s alert metadata
    • Administration, ruleset and threat hunting management
    • Any field and action is selectable and searchable
    • Order and set up your own threat hunting dashboard in seconds with drag and drop functionality

TLS Server Name Identification

HTTP UserAgent selection

Easily select and filter on any metadata

  • Suricata – the latest git edition is always available.
  • SELKS scripts upgrade
    • now available system wide in “/usr/bin”
    • Full Packet Capture retention policy – thanks Joren0494!
    • selks-health-check_stamus – SELKS health check script
  • Debian – always thankful!
  • EveBox – always the latest, and we are very thankful for your support and extremely fast bug fixing and feature additions

More screenshots of the SELKS 5 release

SELKS is both a Live and an installable Network Security Management ISO based on Debian, implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphical rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under the GPLv3 license.

Download

To download SELKS 5, pick one of the two flavors:

SELKS with desktop
  • HTTP: SELKS-5.0-desktop.iso
  • Sha256sum: 60c52286df9d1d250efac3f24644bd5b59bf5728d2c50bd722d8e4c9e8ce2089
SELKS without desktop

Usage

You can find the first time set up instructions on our SELKS 5.0 wiki page.

SELKS 4 users can upgrade their running systems using the following Upgrade instructions.

Feedback is welcome

Any feedback as always is greatly appreciated! 🙂

Give us feedback and get help on:

While this upgrade/installation has been verified and tested, please make sure you try it in your test/QA setup first.

Thank you!


SELKS5 RC1 – Threat Hunting and more…


Hi!
Yet another upgrade of our SELKS. We are very thankful to all the great Open Source projects and tools for making it possible to showcase Suricata with our new distro.
Features and fixes since SELKS 5 Beta:

  • Elasticsearch 6.5.3
  • Logstash 6.5.3
  • Kibana 6.5.3
  • Moloch 1.6.2 – The new SELKS makes use of Moloch and the Moloch viewer to parse and view the full packet capture done by Suricata. Moloch comes with an arsenal of tools and features of its own, like:
    • CyberChef
    • An extremely flexible and easy to use interface for FPC drill down, filtering, search and pcap export
  • Scirius 3.1.0 CE
    • Administration, ruleset and threat hunting management
    • Blazing fast drill down and search capability through millions of events with millisecond response times
    • Easy filtering and grouping of alerts
    • Any field and action is selectable and searchable
    • Select or negate a filter
    • Order and set up your own threat hunting dashboard in seconds with drag and drop functionality
    • Scirius alerting rules event details
  • Suricata – the latest git edition and features are always available.
  • SELKS scripts upgrade
    • now available system wide in “/usr/bin”
    • Full Packet Capture retention policy – thanks Joren0494!
  • Thank you to all the major contributors from the community
  • Debian – always thankful!
  • EveBox – always the latest, and we are very thankful for your support and extremely fast bug fixing and feature additions

Read more about the features and browse through the screenshots of the SELKS 5 major release.

SELKS is both a Live and an installable Network Security Management ISO based on Debian, implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphical rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under the GPLv3 license.

Download

To download SELKS 5, pick one of the two flavors:

SELKS with desktop
  • HTTP: SELKS-5.0RC1-desktop.iso
  • MD5sum: 192aa38436dcee6c98a6ae36d9e3b7df
  • Sha1sum: f48c0fe1edaaa8817c0a9043cb29e3edee4af93e
  • Sha256sum: 9f55a9ff4ee5c4c3c67646d0d5ae4e343f01f6abaf8e433ee9e3e78426c2f3e7
SELKS without desktop
  • HTTP: SELKS-5.0RC1-nodesktop.iso
  • MD5sum: 27733887bd1ad20c61d9be4973a66074
  • Sha1sum: dde637f8639254879ada06b9b68e691c3c904748
  • Sha256sum: b32370a35785f336d863d763372820ec13987c3a83a974f26d849eb81f721f4f

Usage

You can find the getting-started instructions, including the usage of the initial setup script, on the SELKS 5.0 wiki page.

SELKS 4 users can upgrade their running systems using the following Upgrade instructions.

Feedback is welcome

Any feedback as always is greatly appreciated! 🙂

Give us feedback and get help on:

While this upgrade/installation has been verified and tested, please make sure you try it in your test/QA setup first.

Thank you!


SELKS5 Beta: new hunting interface and FPC


Hey! Our new and upgraded showcase for Suricata has just been released – SELKS5 Beta. Thanks to lots of help from the community and development work, we are pleased to announce the first beta release of our new SELKS5.

Our major new features and additions include:

  • Suricata IDS/IPS/NSM 4.1-dev – the latest Suricata, packaged with new and enabled features like
    • Full Packet Capture enabled on SELKS – yes, Suricata can do FPC as well.
    • Rust enabled
      • new protocols: SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2
      • more possibilities for file extraction – SMTP/HTTP/SMB/NFS/FTP
    • Hyperscan enabled for an extra performance boost.
  • Major upgrade from the Elasticsearch/Kibana/Logstash (ELK) 5.x stack to ELK 6, making available a ton of new features and enhancements.
  • Scirius 3.0
    • New Hunt interface allowing a fast drill down approach, filtering out the noise and concentrating on threats in seconds
    • Grouped rules factorization via the IP reputation feature of Suricata
  • Evebox – bugfixes and parsing improvements.
  • Debian – our favorite OS
  • Moloch – The new SELKS makes use of Moloch and the Moloch viewer to parse and view the full packet capture done by Suricata. Moloch comes with an arsenal of tools and features of its own, like:
    • CyberChef
    • An extremely flexible and easy to use interface for FPC drill down, filtering, search and pcap export

As always, we are very thankful to the above Open Source projects and tools for making it possible to showcase Suricata and our new distro.

SELKS is both a Live and an installable Network Security Management ISO based on Debian, implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphical rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under the GPLv3 license.

Download

To download SELKS 5, pick one of the two flavors:

SELKS with desktop
  • HTTP: SELKS-5.0beta1-desktop.iso
  • MD5sum: af4ae135dd60baea7183ac5bdb4a5863
  • Sha1sum: 878348effeefda387677002cb0d1aab529752ad3
  • Sha256sum: d6cf5e0bd583315e9b10229a1c73938087e3377997317ceed508fc55e5239c19
SELKS without desktop
  • HTTP: SELKS-5.0beta1-nodesktop.iso
  • MD5sum: 3bfbb8cf626f0f2979f02148c2bad4f5
  • Sha1sum: 80d0b855608ad458781478d1e2e9fd41c56b0c06
  • Sha256sum: 34019555e07e0cf47b3fb1e260f7c0b024553267338f02df8f949a1ef208741f

Usage

You can find the getting-started instructions, including the usage of the initial setup script, on the SELKS 5.0 wiki page.

SELKS 4 users can upgrade their running systems using the following Upgrade instructions.

Visual tour

Some visuals to give you a glimpse of the things you can do with SELKS.

  • Scirius landing page – Administer, Hunt, Search, Drill down and filter, Correlate events and FPC
  • 21 ready to use Kibana dashboards consisting of over 200 visualizations
  • Moloch Suricata Plugin
  • Moloch and CyberChef navigation, drill down and display
  • TLS GeoIP and SNI breakdown
  • TLS version and SNI
  • TFTP GeoIP and events over time
  • SSH proto fields and GeoIP visualizations
  • SMTP GeoIP events
  • SMB proto fields
  • SMB alert trends
  • NFS protocol fields visualizations
  • KRB5 protocol fields visualizations
  • KRB5 alerts trending, sources and GeoIP
  • IKEv2 GeoIP and events trending
  • IKEv2 protocol fields breakdown
  • NSM and IDS time series
  • Rich HTTP details correlation and FPC
  • HTTP protocol data and GeoIP visualizations
  • Fileinfo breakdown by protocols
  • DNS protocol visualizations by fields
  • DNS heat maps
  • DNP3 event details correlation and FPC
  • DNP3 protocol fields and sources info
  • DHCP protocol fields visualizations, events correlation and FPC availability
  • Application layer protocols breakdown
  • Application layer protocols breakdown – 2
  • Application layer protocols breakdown – 3
  • Per VLAN details and visualizations
  • Per alert event details, metadata, correlation and FPC
  • Helpful NSM bird’s eye views and selections
  • Alert event breakdown by protocol and GeoIP visualization
  • TrafficID
  • Moloch visualizations, easy filtering and drill down
  • Moloch per flow/session visualizations, easy filtering and drill down

Feedback is welcome

Any feedback as always is greatly appreciated! 🙂

Give us feedback and get help on:

While this upgrade/installation has been verified and tested, please make sure you try it in your test/QA setup first.

Thank you!