This is security onion advance presentation, Security Advance.

1. S3CuriTy B3a$t

2. ● Some old questions answer
● Default detectable/Undetectable attacks
● Optimization’s
● Rule writing basics
● Alert (Something special here from me)
● Demo
● Questions
● Thanks
S3CuriTy B3a$t

3. ● Snort or suricata?
● What is pf_ring,netsnif-ng?
● ??
S3CuriTy B3a$t

4. Less Spread
OISF(Open information security
foundation )
Snort Inline used with snor
Multy threaded
S3CuriTy B3a$t
● Open Source De-Facto-Standard
● SourceFire
● IPS Optional
● Single Threaded

5. Test Group Priority # of tests Suricata score Snort score
Test rules 3 8 6 8
Bad Traffic (non RFC compliant) 2 4 1 1
Fragmented packets 2 2 1 3
Multiple failed logins 3 1 1 0
Evasion techniques 2 15 21 29
Malware & viruses 3 14 9 7
Shellcodes 3 11 12 7
Denial of Service (DoS) 3 3 3 3
Client-side attacks 3 257 127 157
Performance 3 0 2 1
Inline / Prevention capabilities 2 0 1 1
TOTAL (unweighted sum) 315 184 217

6. PF_RING™ is a new type of network socket that dramatically improves the
packet capture speed
netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your
daily Linux network plumbing if you will.Its gain of performance is
reached zero-copy mechanisms, so that on packet reception and
transmission the kernel does not need to copy packets from kernel space
to user space and vice versa.
S3CuriTy B3a$t

7. S3CuriTy B3a$t

8. Internal
Network and
Threat
S3CuriTy B3a$t
Server ROOM

9. Less False positive
Mature Traffic
Improved LAN Cards Which support PF-Ring
Customization of Snort and RuleSet
And Many More………!
S3CuriTy B3a$t

10. action proto src_ip src_port direction dst_ip dst_port
(options)
alert tcp 10.0.9.4 any -> any any (msg:"Traffic from 10.0.9.4”;)
Action :-
alert - generate an alert using the selected alert method, and then log the packet
log - log the packet
pass - ignore the packet
activate - alert and then turn on another dynamic rule
dynamic - remain idle until activated by an activate rule, then act as a log rule
S3CuriTy B3a$t

11. Protocol :- Which protocol should be looked at
TCP
UDP
ICMP
IP Addresses :- IPs,any & CIDR Fashion
Port Numbers :- any any, from to, from <= & to >=
Ex. ip any -> IP 1:1020 -> from any port to 1-1024
any any -> ip:6000 -> from any to port less than or equal to 6000
ip:1024 -> ip:500: -> from port less than 1024 to port greater than 500
Direction oprator -> or <>
S3CuriTy B3a$t

12. Options :-
logto - log the packet to a user specified filename instead of the standard output file
ttl - test the IP header's TTL field value
tos - test the IP header's TOS field value
id - test the IP header's fragment ID field for a specific value
ipoption - watch the IP option fields for specific codes
fragbits - test the fragmentation bits of the IP header
dsize - test the packet's payload size against a value
flags - test the TCP flags for certain values
seq - test the TCP sequence number field for a specific value
S3CuriTy B3a$t

13. ack - test the TCP acknowledgement field for a specific value
itype - test the ICMP type field against a specific value
icode - test the ICMP code field against a specific value
icmp_id - test the ICMP ECHO ID field against a specific value
icmp_seq - test the ICMP ECHO sequence number against a specific value
content - search for a pattern in the packet's payload
content-list - search for a set of patterns in the packet's payload
nocase - match the preceeding content string with case insensitivity
session - dumps the application layer information for a given session
rpc - watch RPC services for specific application/proceedure calls
resp - active response (knock down connections, etc)
S3CuriTy B3a$t

14. Questions?
S3CuriTy B3a$t

15. Contact Details:
Twitter: @s3curityb3ast
Blog: breakthesec.com
Email: kingkaustubh@me.com