observations on the modern nsm toolchest
play

Observations on the modern NSM toolchest Christian Kreibich - PowerPoint PPT Presentation

Mar 19, 2023 •258 likes •684 views

Observations on the modern NSM toolchest Christian Kreibich christian@lastline.com Bro4Pros, March 2016 1 About me 2 For the Bro oldtimers my fault 3 4 The open-source NSM toolchest... or ? 5 Background on Lastline 6 Lastline

  1. Observations on the modern NSM toolchest Christian Kreibich christian@lastline.com Bro4Pros, March 2016 1

  2. About me 2

  3. For the Bro oldtimers ← my fault 3

  4. 4

  5. The open-source NSM toolchest... or ? 5

  6. Background on Lastline 6

  7. Lastline is... ● A software platform for malware protection 7

  8. Lastline is... 8

  9. Linux & open-source everywhere ● Distribution based on Ubuntu packaging infrastructure, with added control ● MySQL, Cassandra, Hadoop, Ceph, RabbitMQ, ZeroMQ, Protobuf, Puppet, Ansible, Suricata, PF_RING, netmap, ... 9

  10. 10

  11. The Problem 11

  12. The Lastline Sensor needs to ... ● Match industry-standard signatures ● Parse a ton of protocols ● Carve files for analysis ● Match against blacklists ● Collect basic network telemetry (NetFlow, pDNS, …) ● Be modular & extensible ● Do a bunch of clever things I can’t talk about 12

  13. The Lastline Sensor needs to ... ● Match industry-standard signatures ● Parse a ton of protocols ● Carve files for analysis ● Match against blacklists ● Collect basic network telemetry (NetFlow, pDNS, …) ● Be modular & extensible ● Do a bunch of clever things I can’t talk about 13

  14. This doesn’t exist (as open-source) 14

  15. We have tools, but no toolchest Vortex, ... pf_ring netmap packetbricks pcap 15

  16. These tools don’t mix well Vortex, ... 16

  17. ? 17

  18. ? Nope. 18

  19. Wait, another Problem 19

  20. We keep implementing the same stuff 20

  21. Need a TCP reassembler? libnids: dead. Bro: ~3,000 lines with reusable core logic Snort: ~12,000 lines Suricata: ~10,000 lines (excluding unit tests) Wireshark: ~6,000 lines (excluding MPTCP) 21

  22. 22

  23. This also applies to signature matchers and protocol parsers 23

  24. It’s getting better, right? 24

  25. 25

  26. “Rewrite critical modules like TCP reassembly and HTTP inspection” 26

  27. Project Wishlist 27

  28. libreass ● (Okay, perhaps libtcp) ● A community-maintained TCP stream reassembler ● Including a testsuite of quirky TCP pcaps ● With bindings for popular languages ● Could also handle IP defrag or HTTP content-range 28

  29. libsigmatch ● A community-maintained signature matcher ● A de-facto community standard signature language ● Fun API challenge ● Pcap test library a plus 29

  30. libprotoparse ● A community-maintained protocol parser suite 30

  31. Oh wait... 31

  32. http://www.icir.org/hilti/ Modular, secure, reusable protocol parsing. 32

  33. Additional Thoughts 33

  34. Open-source release models matter ● Our mission is not to advance an open-source product. It is to advance our own product ● Working with a beta codebase to enjoy major fixes poses enormous risks ● Results in costly patch update rounds ● Supported stable releases increase adoption 34

  35. Licensing is really important ● Contagious licenses ensure open source ● Permissive licenses foster adoption ● Choose wisely! 35

  36. So... 36

  37. The open-source NSM toolchest... or ? 37

  38. The open-source NSM toolchest... or ? 38

  39. 39

  40. The open-source NSM toolchest 40

  41. To be fair: these are great tools 41

  42. Thanks! (btw, Lastline is hiring) Christian Kreibich christian@lastline.com @ckreibich 42

Recommend

THE TOOLCHEST PROJECT GUIDED BY CHRISTOPHER SCHWARZ (POPULARWOODWORKING.COM) GROUP COMPOSITION

THE TOOLCHEST PROJECT GUIDED BY CHRISTOPHER SCHWARZ (POPULARWOODWORKING.COM) GROUP COMPOSITION

THE TOOLCHEST PROJECT GUIDED BY CHRISTOPHER SCHWARZ (POPULARWOODWORKING.COM) GROUP COMPOSITION Initially four members expressed interest, but when we started with the first meeting, only two could make it. Eventually only Anzette

292 views • 14 slides
Fundamental Observations Pillars of Modern Cosmological Paradigm Universe is homogeneous and

Fundamental Observations Pillars of Modern Cosmological Paradigm Universe is homogeneous and

Fundamental Observations Pillars of Modern Cosmological Paradigm Universe is homogeneous and isotropic Night Sky is Dark Linear Expansion Light Element Abundances Microwave Background Radiation + Statistics of Large-Scale Structures

420 views • 41 slides
MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise and purify our thoughts like a strain picture, or a passage from the grander poets. It always does one good. 5 MODERN 6 MODERN 7 MODERN 8

524 views • 24 slides
Responsible use of cephalosporins experience and observations Valrie Thom as I FAH-Europe

Responsible use of cephalosporins experience and observations Valrie Thom as I FAH-Europe

Responsible use of cephalosporins experience and observations Valrie Thom as I FAH-Europe Statem ent IFAH Europe fully supports the global frame of responsible use notably for modern antibiotics Overall industry made very positive

377 views • 8 slides
Surface Observations We now look at some hourly surface observations to study the frontal

Surface Observations We now look at some hourly surface observations to study the frontal

Surface Observations We now look at some hourly surface observations to study the frontal passages which occurred in association with the November 10, 1998 storm. Time-traces of pressure, surface wind, temperature and dew- point, together with

412 views • 20 slides
H6751 Summary Zhao Rui Agenda 1. Modern AI 2. Course Summary Modern AI Modern AI

H6751 Summary Zhao Rui Agenda 1. Modern AI 2. Course Summary Modern AI Modern AI

H6751 Summary Zhao Rui Agenda 1. Modern AI 2. Course Summary Modern AI Modern AI (90s-present) Stat Model :Pearl (1988) promote Bayesian networks in AI to model uncertainty (based on Bayes rule from 1700) Stat Model: infer the

441 views • 11 slides
Wonders of Modern Architecture Oh, the wonders of modern architecture! The geniuses of

Wonders of Modern Architecture Oh, the wonders of modern architecture! The geniuses of

Wonders of Modern Architecture Oh, the wonders of modern architecture! The geniuses of architecture today continue to create design masterpieces that could make one proud of being a citizen of the 21st Century! Enjoy the beauty of these modern

832 views • 52 slides
Use of observations in data assimilation Grald Desroziers Mto-France, Toulouse, France

Use of observations in data assimilation Grald Desroziers Mto-France, Toulouse, France

Use of observations in data assimilation Grald Desroziers Mto-France, Toulouse, France Outline Introduction Optimizing observation error statistics Ensembles based on a perturbation of observations Impact of observations

318 views • 13 slides
Apprenticeships Modern Apprenticeships Tackling Scotlands skills gap Modern

Apprenticeships Modern Apprenticeships Tackling Scotlands skills gap Modern

Modern and Graduate Apprenticeships Modern Apprenticeships Tackling Scotlands skills gap Modern Apprenticeships help employers to develop their workforce by training new staff, and upskilling existing employees. For individuals, an MA is

532 views • 6 slides
OBSERVATIONS OF GRBs IN VERY HIGH ENERGY REGIME OBSERVATIONS OF GRBs IN VERY HIGH ENERGY REGIME

OBSERVATIONS OF GRBs IN VERY HIGH ENERGY REGIME OBSERVATIONS OF GRBs IN VERY HIGH ENERGY REGIME

OBSERVATIONS OF GRBs IN VERY HIGH ENERGY REGIME OBSERVATIONS OF GRBs IN VERY HIGH ENERGY REGIME Alessandro Carosi INAF/ASI Science Data Center & University of Siena title FENOMENOLOGY OF GRB: Disovered in 1973 by Vela satellites: 12 GRB in

497 views • 33 slides
Modern Defense Tooling Artificial intelligence as a defense platform Ameen Altajer Modern

Modern Defense Tooling Artificial intelligence as a defense platform Ameen Altajer Modern

Modern Defense Tooling Artificial intelligence as a defense platform Ameen Altajer Modern Defense Tooling A drastic change in the modern AI landscape The work of both DeepMind and OpenAI is a testament of how things drastically changed Modern

700 views • 15 slides
Modern Mississippi Chapters 10-11 MS state flag, seal and Coat of Arms Chp 10 &11 (Modern

Modern Mississippi Chapters 10-11 MS state flag, seal and Coat of Arms Chp 10 &11 (Modern

Modern Mississippi Chapters 10-11 MS state flag, seal and Coat of Arms Chp 10 &11 (Modern MS) 2 Chp 10 &11 (Modern MS) 3 Modern Mississippi Statistics As of the year 2000, MS had a population of 2,844,658. The largest city

1.09k views • 60 slides
Recent Highlights from AGN Observations with Fermi-LAT Observations with Fermi-LAT

Recent Highlights from AGN Observations with Fermi-LAT Observations with Fermi-LAT

Sep.12, 2009 JSPS meeting @Konan Univ. JSPS meet ng @Konan Un v. Recent Highlights from AGN Observations with Fermi-LAT Observations with Fermi-LAT Jun KATAOKA (/) on

658 views • 24 slides
Wrap-up Whats the output? What we heard Observations DNT and Policy

Wrap-up Whats the output? What we heard Observations DNT and Policy

Wrap-up Whats the output? What we heard Observations DNT and Policy and Beyond Observations EU cookie directive, legal aspects of behavioral targeting user studies: attitudes, usability, what do

297 views • 8 slides
Using Modern C++ In Anger Todd L. Montgomery @toddlmontgomery Aeron and C++? What

Using Modern C++ In Anger Todd L. Montgomery @toddlmontgomery Aeron and C++? What

StoneTor Using Modern C++ In Anger Todd L. Montgomery @toddlmontgomery Aeron and C++? What constitutes Modern C++ ? How Aeron Adopts Modern C++? What Lessons were learned? Whats Next ? Aeron and C++? Truly modern

2.03k views • 98 slides
CONSULTANT TEAM PRESENTATION ON PA SEPT 14 REVISED PLAN September 27, 2018 AGENDA

CONSULTANT TEAM PRESENTATION ON PA SEPT 14 REVISED PLAN September 27, 2018 AGENDA

CONSULTANT TEAM PRESENTATION ON PA SEPT 14 REVISED PLAN September 27, 2018 AGENDA Introduction High level Plan metrics Cross-Cutting Observations C&I Observations Residential Observations Low Income Observations

909 views • 31 slides
SURFACE, CLIMATE AND UPPER-AIR OBSERVATIONS & TRAINING OBSERVATIONS & TRAINING SYSTEM

SURFACE, CLIMATE AND UPPER-AIR OBSERVATIONS & TRAINING OBSERVATIONS & TRAINING SYSTEM

SURFACE, CLIMATE AND UPPER-AIR OBSERVATIONS & TRAINING OBSERVATIONS & TRAINING SYSTEM IN PAKISTAN MUHAMMAD TOUSEEF ALAM Director Pakistan Meteorological Department http://www.pakmet.com.pk http://www.pakmet.com.pk E mail :

651 views • 41 slides
http://cs224w.stanford.edu Observations Observations Models Models Algorithms Algorithms

http://cs224w.stanford.edu Observations Observations Models Models Algorithms Algorithms

CS224W: Social and Information Network Analysis Jure Leskovec, Stanford University http://cs224w.stanford.edu Observations Observations Models Models Algorithms Algorithms Small diameter, Small diameter, Erds Renyi model, Decentralized

735 views • 39 slides
50,000 Observations Later ! Thomas Blomseth Christiansen ! thomas@mymee.com ! @tblomseth !

50,000 Observations Later ! Thomas Blomseth Christiansen ! thomas@mymee.com ! @tblomseth !

! 50,000 Observations Later ! Thomas Blomseth Christiansen ! thomas@mymee.com ! @tblomseth ! Quantified Self Conference 2013 ! Showed & Told October 2011 ! At that time I had made 9400+ observations of my condition and my daily living since

445 views • 31 slides
LEO FRANK, PE JOE TUCKER, PE KENTUCKY CURVES KY Method - Empirical Observations and

LEO FRANK, PE JOE TUCKER, PE KENTUCKY CURVES KY Method - Empirical Observations and

LEO FRANK, PE JOE TUCKER, PE KENTUCKY CURVES KY Method - Empirical Observations and Mechanistic Analysis of those Observations Designs Based On Traffic Damage caused by one 18,000 lb axle load (ESALs) Damages not linear. One

94 views • 8 slides
Observations Parable of the Ten Virgins Be prepared for the day of the Lord -Each person has

Observations Parable of the Ten Virgins Be prepared for the day of the Lord -Each person has

Observations Parable of the Ten Virgins Be prepared for the day of the Lord -Each person has a limited amount of time Someone elses readiness or faith does you no good Observations Parable of the Talents We are responsible to do

452 views • 5 slides
Observations According to the guideliness of the project from 1st April to 30th April we made

Observations According to the guideliness of the project from 1st April to 30th April we made

Observations According to the guideliness of the project from 1st April to 30th April we made eleven observations of behaviour in relations adult - child. The research took place in various environments: supermarket, playground, railway

583 views • 20 slides
Meteorological Observations and Instrumental Systems for Meteorological services in Sri Lanka

Meteorological Observations and Instrumental Systems for Meteorological services in Sri Lanka

JMA/WMO WORKSHOP ON QUALITY MANAGEMENT IN SURFACE, CLIMATE AND UPPER-AIR N SU C , C N U OBSERVATIONS IN RA II (ASIA) Tokyo, Japan 27-30 July 2010 27-30 July 2010 Meteorological Observations and Instrumental Systems for Meteorological

522 views • 29 slides
EAPG IMPLEMENTATION OBSERVATIONS FROM THE FIRST SIX MONTHS February 15, 2018 Jackie

EAPG IMPLEMENTATION OBSERVATIONS FROM THE FIRST SIX MONTHS February 15, 2018 Jackie

EAPG IMPLEMENTATION OBSERVATIONS FROM THE FIRST SIX MONTHS February 15, 2018 Jackie Nussbaum, MHA, CPC, FHFMA Director jnussbaum@bkd.com AGENDA & OBJECTIVES Overview of EAPGs Observations & Reminders ODM & Managed

592 views • 28 slides

More recommend