Botconf Author Listing

Éric Leblond


Last known affiliation: Stamus Networks
Bio: Éric Leblond is the co-founder and chief technology officer (CTO) of Stamus Networks and sits on the board of directors of the Open Network Security Foundation (OISF). Éric has more than 20 years of experience as co-founder and technologist of cybersecurity software companies and is an active member of the security and open-source communities. He has worked on the development of Suricata – the open-source network threat detection engine – since 2009 and is part of the Netfilter Core team, responsible for the Linux kernel’s firewall layer. Éric is a respected expert and speaker on all things network security.
Date: 2023-04-13
Date: 2022-04-29
Suricata
Éric Leblond 🗣

Abstract

Suricata is a well-known open-source network threat detection engine. As such, it combines network security monitoring capabilities with advanced intrusion detection mechanisms. Dataset is one of the features that sits at the border of these two worlds. This presentation will introduce the feature and its advanced matching capabilities, and it will explain how it can be used to perform real-time checks of various IOCs (IPs, user agents, file hashes) and to build sightings databases that alert on newly observed communication artifacts in the defended network.

TLP:CLEAR
Date: 2025-05-20
WS3 – Using Suricata to Track Malware
Éric Leblond 🗣 | Peter Manev 🗣

Abstract

The objective of this workshop is to demonstrate how Suricata can be used to leverage network information when tracking malware.

With the logging of protocol transactions (NSM), Suricata provides an exhaustive view of network activity that can be used when the intrusion detection part of Suricata has failed to detect the malware. But did it really fail? In many cases, generic signatures already highlight the activity of malware, but they need to be looked at and understood before the malicious activity can be recognized.

On top of that, other techniques such as learning datasets can also be used to detect malware activity.

Once the network characteristics of the malware have been established, it is then time to determine which IOCs can be used and/or to write signatures, in order to build detection dedicated to this malware.
