Presentation is loading. Please wait.

Presentation is loading. Please wait.

Standardized flow hashing for all your NSM tools

Published byRaili Pirkko Salonen Modified over 6 years ago

Similar presentations

Presentation on theme: "Standardized flow hashing for all your NSM tools"— Presentation transcript:

1 Standardized flow hashing for all your NSM tools
Community ID Standardized flow hashing for all your NSM tools Christian Kreibich @ckreibich

2 Typical BroZeek log entries
conn.log { "ts": , "uid":"CVKjZo2GrV8DM0Fvo5", "id.orig_h":" ", "id.orig_p":3051, "id.resp_h":" ", "id.resp_p":80, "proto":"tcp", "service":"http", "duration": , ... } http.log { "ts": , "uid":"CVKjZo2GrV8DM0Fvo5", "id.orig_h":" ", "id.orig_p":3051, "id.resp_h":" ", "id.resp_p":80, "trans_depth":1, "method":"GET", "uri": ..., "request_body_len": 0, ... }

3 Typical BroZeek log entries
conn.log { "ts": , "uid":"CVKjZo2GrV8DM0Fvo5", "id.orig_h":" ", "id.orig_p":3051, "id.resp_h":" ", "id.resp_p":80, "proto":"tcp", "service":"http", "duration": , ... } http.log { "ts": , "uid":"CVKjZo2GrV8DM0Fvo5", "id.orig_h":" ", "id.orig_p":3051, "id.resp_h":" ", "id.resp_p":80, "trans_depth":1, "method":"GET", "uri": ..., "request_body_len": 0, ... }

4 Typical BroZeek log entries
conn.log { "ts": , "uid":"CVKjZo2GrV8DM0Fvo5", "id.orig_h":" ", "id.orig_p":3051, "id.resp_h":" ", "id.resp_p":80, "proto":"tcp", "service":"http", "duration": , ... } http.log { "ts": , "uid":"CVKjZo2GrV8DM0Fvo5", "id.orig_h":" ", "id.orig_p":3051, "id.resp_h":" ", "id.resp_p":80, "trans_depth":1, "method":"GET", "uri": ..., "request_body_len": 0, ... } w00t!

5 Typical Suricata log entries (eve.json)
{ "timestamp": " T07:51...", "flow_id": , "event_type": "http", "src_ip": " ", "src_port": 3051, "dest_ip": " ", "dest_port": 80, "proto": "TCP", "tx_id": 0, "http": { "http_port": 0, "url": "/scripts/..%c1%9c../...", "http_method": "GET", "length": 0 } { "timestamp": " T07:51...", "flow_id": , "pcap_cnt": 10, "event_type": "alert", "src_ip": " ", "src_port": 3051, "dest_ip": " ", "dest_port": 80, "proto": "TCP", "alert": { "action": "allowed", "gid": 1, "signature_id": , "rev": 1, "signature": "PWNED!", "category": "Misc activity", ... }

6 Typical Suricata log entries (eve.json)
{ "timestamp": " T07:51...", "flow_id": , "event_type": "http", "src_ip": " ", "src_port": 3051, "dest_ip": " ", "dest_port": 80, "proto": "TCP", "tx_id": 0, "http": { "http_port": 0, "url": "/scripts/..%c1%9c../...", "http_method": "GET", "length": 0 } { "timestamp": " T07:51...", "flow_id": , "pcap_cnt": 10, "event_type": "alert", "src_ip": " ", "src_port": 3051, "dest_ip": " ", "dest_port": 80, "proto": "TCP", "alert": { "action": "allowed", "gid": 1, "signature_id": , "rev": 1, "signature": "PWNED!", "category": "Misc activity", ... }

7 Typical Suricata log entries (eve.json)
ALSO w00t! { "timestamp": " T07:51...", "flow_id": , "event_type": "http", "src_ip": " ", "src_port": 3051, "dest_ip": " ", "dest_port": 80, "proto": "TCP", "tx_id": 0, "http": { "http_port": 0, "url": "/scripts/..%c1%9c../...", "http_method": "GET", "length": 0 } { "timestamp": " T07:51...", "flow_id": , "pcap_cnt": 10, "event_type": "alert", "src_ip": " ", "src_port": 3051, "dest_ip": " ", "dest_port": 80, "proto": "TCP", "alert": { "action": "allowed", "gid": 1, "signature_id": , "rev": 1, "signature": "PWNED!", "category": "Misc activity", ... }

8 Typical BroZeek-and-Suricata log entries
{ "ts": , "uid":"CVKjZo2GrV8DM0Fvo5", "id.orig_h":" ", "id.orig_p":3051, "id.resp_h":" ", "id.resp_p":80, "proto":"tcp", "service":"http", "duration": , ... } { "timestamp": " T07:51...", "flow_id": , "pcap_cnt": 10, "event_type": "alert", "src_ip": " ", "src_port": 3051, "dest_ip": " ", "dest_port": 80, "proto": "TCP", "alert": { "action": "allowed", "gid": 1, "signature_id": , "rev": 1, "signature": "PWNED!", "category": "Misc activity", ... }

9 Typical BroZeek-and-Suricata log entries
{ "ts": , "uid":"CVKjZo2GrV8DM0Fvo5", "id.orig_h":" ", "id.orig_p":3051, "id.resp_h":" ", "id.resp_p":80, "proto":"tcp", "service":"http", "duration": , ... } { "timestamp": " T07:51...", "flow_id": , "pcap_cnt": 10, "event_type": "alert", "src_ip": " ", "src_port": 3051, "dest_ip": " ", "dest_port": 80, "proto": "TCP", "alert": { "action": "allowed", "gid": 1, "signature_id": , "rev": 1, "signature": "PWNED!", "category": "Misc activity", ... }

10 Typical BroZeek-and-Suricata log entries
{ "ts": , "uid":"CVKjZo2GrV8DM0Fvo5", "id.orig_h":" ", "id.orig_p":3051, "id.resp_h":" ", "id.resp_p":80, "proto":"tcp", "service":"http", "duration": , ... } { "timestamp": " T07:51...", "flow_id": , "pcap_cnt": 10, "event_type": "alert", "src_ip": " ", "src_port": 3051, "dest_ip": " ", "dest_port": 80, "proto": "TCP", "alert": { "action": "allowed", "gid": 1, "signature_id": , "rev": 1, "signature": "PWNED!", "category": "Misc activity", ... } ARGH!

11

12 Standardized flow hashing for all your NSM tools
Community ID Standardized flow hashing for all your NSM tools

13 ID = version ∙ ‘:’ ∙ base64(sha1(seed ∙ 5-tuple))

14 Typical BroZeek-and-Suricata log entries
{ "ts": , "uid":"CVKjZo2GrV8DM0Fvo5", "id.orig_h":" ", "id.orig_p":3051, "id.resp_h":" ", "id.resp_p":80, "proto":"tcp", "service":"http", "duration": , ... } { "timestamp": " T07:51...", "flow_id": , "pcap_cnt": 10, "event_type": "alert", "src_ip": " ", "src_port": 3051, "dest_ip": " ", "dest_port": 80, "proto": "TCP", "alert": { "action": "allowed", "gid": 1, "signature_id": , "rev": 1, "signature": "PWNED!", ..., }

15 Typical BroZeek-and-Suricata log entries
{ "ts": , "uid":"CVKjZo2GrV8DM0Fvo5", "id.orig_h":" ", "id.orig_p":3051, "id.resp_h":" ", "id.resp_p":80, "proto":"tcp", "service":"http", "duration": , ..., "community_id": "1:ZEYOYMeyZNQC9DAdgsBZCtiTKqw=" } { "timestamp": " T07:51...", "flow_id": , "pcap_cnt": 10, "event_type": "alert", "src_ip": " ", "src_port": 3051, "dest_ip": " ", "dest_port": 80, "proto": "TCP", "community_id": "1:ZEYOYMeyZNQC9DAdgsBZCtiTKqw=", "alert": { "action": "allowed", "gid": 1, "signature_id": , "rev": 1, "signature": "PWNED!", ..., }

16 Typical BroZeek-and-Suricata log entries
{ "ts": , "uid":"CVKjZo2GrV8DM0Fvo5", "id.orig_h":" ", "id.orig_p":3051, "id.resp_h":" ", "id.resp_p":80, "proto":"tcp", "service":"http", "duration": , ..., "community_id": "1:ZEYOYMeyZNQC9DAdgsBZCtiTKqw=" } { "timestamp": " T07:51...", "flow_id": , "pcap_cnt": 10, "event_type": "alert", "src_ip": " ", "src_port": 3051, "dest_ip": " ", "dest_port": 80, "proto": "TCP", "community_id": "1:ZEYOYMeyZNQC9DAdgsBZCtiTKqw=", "alert": { "action": "allowed", "gid": 1, "signature_id": , "rev": 1, "signature": "PWNED!", ..., } DOU B LE w0Ot!

17 Current status Intentionally basic — feedback very welcome!
➜ Github tickets or BroZeek mailing list Spec and reference implementation: BroZeek package & plugin: Included in upcoming Suricata 4.1 community-id/v17

Download ppt "Standardized flow hashing for all your NSM tools"

Similar presentations

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Helpdesk Ticketing System Customer Relationship Module.

Helpdesk Ticketing System Customer Relationship Module.
Snort: Overview Chris Copeland What is an Intrusion Detection System (IDS)? An intrusion detection system is any system which can identify a network.

Snort: Overview Chris Copeland What is an Intrusion Detection System (IDS)? An intrusion detection system is any system which can identify a network.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
3/8/2012Data Streams: Lecture 151 CS 410/510 Data Streams Lecture 15: How Soccer Players Would do Stream Joins & Query-Aware Partitioning for Monitoring.

3/8/2012Data Streams: Lecture 151 CS 410/510 Data Streams Lecture 15: How Soccer Players Would do Stream Joins & Query-Aware Partitioning for Monitoring.
CS/CoE 535 : Snort Lite - Fall 2003 1 Snort Lite Members Michael Attig –Hardware Design / System Architecture Qian Wan –Software Design.

CS/CoE 535 : Snort Lite - Fall Snort Lite Members Michael Attig –Hardware Design / System Architecture Qian Wan –Software Design.
Embracing the chaos mark lorenc

Embracing the chaos mark lorenc
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 9 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 9 Wenbing Zhao Department of Electrical and Computer Engineering.
Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006.

Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006.
Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.

Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.
1 The World Wide Web Architectural Overview Static Web Documents Dynamic Web Documents HTTP – The HyperText Transfer Protocol Performance Enhancements.

1 The World Wide Web Architectural Overview Static Web Documents Dynamic Web Documents HTTP – The HyperText Transfer Protocol Performance Enhancements.
Packet Capture & Analyze

Packet Capture & Analyze
Files Framework. Motivation In 2.1 and prior, “file” handling... – is inconsistent – causes performance problems – is not extensible – not cool 2.

Files Framework. Motivation In 2.1 and prior, “file” handling... – is inconsistent – causes performance problems – is not extensible – not cool 2.
Mastering Windows Network Forensics and Investigation Chapter 11: Text Based Logs.

Mastering Windows Network Forensics and Investigation Chapter 11: Text Based Logs.
Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.

Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.
Heartbeat Mechanism and its Applications in Gigascope Vladislav Shkapenyuk (speaker), Muthu S. Muthukrishnan Rutgers University Theodore Johnson Oliver.

Heartbeat Mechanism and its Applications in Gigascope Vladislav Shkapenyuk (speaker), Muthu S. Muthukrishnan Rutgers University Theodore Johnson Oliver.
CIS 290 LINUX Security Tripwire file integrity and change management tool and log monitoring.

CIS 290 LINUX Security Tripwire file integrity and change management tool and log monitoring.
Hakuna Suricata (it means no worries, except for APT)

Hakuna Suricata (it means no worries, except for APT)
1 Applied Cryptography in CyberTA Brent Waters Work with Dan Boneh and Amit Sahai.

1 Applied Cryptography in CyberTA Brent Waters Work with Dan Boneh and Amit Sahai.
Snort Intrusion Detection. What is Snort Packet Analysis Tool Most widely deployed NIDS Initial release by Marty Roesch in 1998 Current version 2.4.4.

Snort Intrusion Detection. What is Snort Packet Analysis Tool Most widely deployed NIDS Initial release by Marty Roesch in 1998 Current version

Similar presentations

Ads by Google