Wednesday, September 21, 2011

RAID 11 @ Menlo Park, CA (notes and rants)

I attended RAID these past couple of days and must say I come out of it with mixed feelings. I had moments of great fun, saw some good stuff but most of the conferences were waaaaaaay too theoretical for my taste.
Anyway, these notes have to be taken with a grain of salt. I know that many people have put a great deal of effort into their talks and presentations so the notes below might sound unfair. I'm not talking about the effort they did put into it or the quality of their work, my notes and comments are based on my personal liking, my personal opinion and my personal interests.

For reference, here is the RAID 11 Program.

By far the most interesting thing for me has been the Panel Discussion featuring Seth Hall (BRO IDS/NSM), Victor Julien (Suricata IDS/IPS) and Marty Roesch (Snort IDS) and the OISF Brainstorming session. Those were the things that (most of the time) considered real world, immediate application topics, with user/customer needs behind them instead of the world of theoretical "Highed" (wonder what gets them so high :P). I'm a college drop-out myself in case you didn't know...

First of all (on the Panel) I must say that Ron Gula, the panel moderator, looks much healthier than last time I saw him. He seems to be taller, long hair, etc... Sorry, bad joke, Ron was sick and couldn't make it. Hope you get better soon!

The session itself started with a quick 5 min introduction from each panel member, which was very interesting. I knew about Marty & Snort and am having more and more involvement into Suricata with Matt and Victor lately but knew little about Bro. Interesting to know a bit more.

So, without further delay, the session notes (some good stuff tho there was no bloody Suidae - Mongoose fight that many seemed to be waiting for) are below. Again, my personal opinion, comments and so on. Below these I'll put the notes on the sessions I attended (I missed the last two, had to leave) as well as some anecdotes such as "The most useless question for Day 1", "The most useless question for Day 2" and some others I'll try to think of.
Sorry if some of the questions or answers are incomplete, sometimes I couldn't resume them quick enough or follow up fast enough on the answers.

Panel Discussion notes

Legend:

M Marty
S Seth
V victor

Questions:
1: what are recent advancements in the IDS field?
M client side enhancements mainly, detecting new types of attacks that are targetting the client more and more.
S Counting stuff, providing more information, easier access to Bro data.
V (Was told by the moderator that he had already answered this on his introduction and that he'd be skipped. Too bad.)

2: open source... Advantage or nuisance of community creating rules. 
Asked by the Annoying French Guy (AFG) (I never knew the name of this one, he has to be some sort of university teacher but he was really really annoying during the two days. Often asking obvious questions with even more obvious answers, seemed to be used to hear his voice more than others and felt uncomfortable in an environment where he could talk as long as he wanted).
M complicated. Customers need quality rules for Sourcefire, Community can't provide those in a reliable manner.
S never had community, building script repository with community focus
V community centric. Community rules driven, very important.

3. What prevents attackers from replicating the code and circumventing it:
S complexity prevents attackers from replicating. (That's too funny :P)
M open source no weakness. OS better for security community as it can be escrowed,
sort of like crypto systems.

4. Difference between snort and suricata. What makes suricata the next gen IDS.
V revamp the community that was being neglected by Sourcefire. Gpu, multithread,
language extensions.
M politized topic. Snort remains as it is because of performance and because of building
automated detection topics. Different focus.

5. When was the last bad bug
S never to his knowledge. Too complex? (Marty had a funny comment later on this. He says that the last time he looked at the Bro source code he fired it up in Vi, had a quick look and quickly closed it again. I believe his eyes were bleeding after that).
V some exploits, quick fixes.
M snort had them. Arbor networks analyzed snort, felt it was hard to target because of diversity of deployments.

6. Bro more user friendly, how, when new release?
S cleaning for beta, cleaning up script layer, provide an API over the scripting layer.

7. Bro vs Snort, what are tradeoffs
S tells peoples to both run snort and bro. Use bro as a post correlator.

8. All 3 products only detect simple things. Are they additional exposure?
M no, nobody targets IDS in order to access a network. Its the users who don't want to
detect more complex stuff.
S target Ids is a absurd thing since as they are isolated you'll never know if you
succeeded. Again providing examples that are out of this world, ssh login attack from
Romania.

9. Are self tuning systems reliable?
M self tuning is needed because people are bad at tuning IDS systems. They need to be
saved from themselves.
V focus on post infection detection instead of relaying on pre-infection.

10. Cloud impact on NIDS.
S cloud providers don't provide capability to monitor cloud, you are on your own. More
abstract examples.
M cloud complicates deployments and you have more places to detect attacks

11. AFG asks about some papers on obfuscation and why they haven't been
implemented. (for some questions this was my favorite for most useless question of the day, the winner came later tho).
M has some normalization features, it works sometimes.
V Suricata is considering normalization too.
S bro may have it, he doesn't know.

12. Integrations with online portals, querying other parts.
S bro is asynchronous, that would work.
M razorback does that.

13. Host base IDS features in those NIDSs (good candidate for most useless question but didn't quite make it)? Like unpacking JavaScript.
S nothing even planned in bro. Ossec talks.
M no open source hids. Immunet does something like that but it does it in the cloud.

14. Zero day detection. Incorporate some of those modules?
M we don't care about shellcodes that much. We care much more about detection. Immunet does that
kind of stuff with this.
S not really, too many other interesting things. (lost him here again, Seth didn't know the concept of "short answers" ;-) )

15. Reputation lists ips/dns. Plans.
V soon in suricata, Matt's baby in ETPro.
S some more confusing speech. Username intelligence.
V use it as well with suricata
M implementing it right now in Snort

16. What support do I have to port my code contributions to your systems if I don't want to write C. Example: coding some addons in python. (*very strong* contender to the most stupid, errr, useless question of the day, but again superseeded later).
M don't use python in something that requires near real time. At most you could create a lua preprocessor.
V same
S c++ and bro scripts. Broccoli to distribute packets. (had Broccoli for lunch today and that reminded me of why I hated the name: who doesn't hate Broccoli?

17. AFG attacking again. What about distributed intelligence framework?
S hope CIF does that and lots of blah
M lots of barriers which make attackers happy
V commercial feed on the framework.

18. Why not share code among systems?
M bro is different to snort. There are no common points at lower level.
V creating library, libhtp, for others to use. Same for other parts. There is a lot of
sharing.
M libdaq, other things.
S no answer.
M bin pack project

19. (We got a winner!!! price for the most useless question of day 2!) Absurd comment about IDS not being IDS, but rather intrusion detection sensor with a limited visibility of the overall picture. (For this guy Prelude was the only real thing since it would take multiple input sources. Only bad thing is that it doesn't do anything useful with those input sources....)
S people are the most importing thing. Provide that tools to the people.
V you need good cameras for a good security system.
M other systems do the correlation. IDS is context free. (<--- 100% right, stop asking IDS systems to do everything).

Well, I don't know if its reflected here but it was pretty interesting despite AFG's interventions, kudos to Marty, Seth and Victor.

I noticed an interesting trend during these three days (counting the OISF Bstorming session in): people want everything to do everything. I mean, yes, NIDS has to expand itself beyond rule based pattern matching, but if you don't limit the capabilities... where will that lead you to?
One of the good things for example is that Suricata dropped SQL output from their roadmap. You've got Barnyard2 for that, focus on your stuff and don't try to do everything...

And exactly that is what I think is Bro's problem. I've known Bro for over 12 years, I remember having tried to play with it but get frustrated in the past. Several times. Same happened with Prelude.
And the same happened to me with Snort. Once. I took it up again two years after that and was amazed on how it was going to leave Realsecure and Dragon faaaar behind (my favorites at that time.
Finally, I tried out Suricata about this time last year, didn't have a great experience, dropped it. Now we're going to really look into it again and hopefully integrate it into Alienvault / OSSIM soon.
And I'd love to give Bro another opportunity, some of the things Seth said were very interesting. Problem is that 80% of what he said was targeted at generating academic interest while 20% were real world applications.

Talking about which, I'd divide it like this (targetting real users / targetting academics):
M: 90/10
S: 20/80
V: 70/30

Again, reiterating that this is all my personal opinion.

After this I wanted to have a laaaarge listing of conferences with a format like this:


Title


  • Presenter:
  • Start:
  • English:
  • Theory:
  • Practical value:
  • End:
  • Slide usefulness:
  • Q&A beating recvd:
If there's a lot of interested I'll put it up, but I think it doesn't provide a lot of value since most of my valuations are under 5 in a 0 to 10 scale. Having said that, I really enjoyed 4 talks due to it's obvious practical applications:

Klimax
  • Presenter: Stefano Ortolani
  • Start: 10:35
  • English: good (not loud enough)
  • Theory: very good
  • Practical value: high
  • End: 10:56
  • Slide usefulness: ok, text at the bottom, appealing
  • Q&A beating recvd: none
  • 7

Dymo
  • Presenter: Bob Gilbert
  • Start: 13:53
  • English: first good and loud english
  • Theory: very interesting, well explained.
  • Practical value: little, only implemented for Windows XP. Big potential. Hard to maintain label DB.
  • End: 14:15
  • Slide usefulness: good, text at bottom
  • Q&A beating recvd: some, tcp issue with changing identity after socket establishment.
  • 8
Cross domain collaborative anom detect

  • Presenter: Nathaniel Boggs
  • Start: 15:30
  • English: native
  • Theory: interesting
  • Practical value: some, interesting idea. Compare logs on different hosts/web servers,
  • matching logs across then could be unknown stuff.
  • End: 15:56
  • Slide usefulness: good, little bottom text
  • Q&A beating recvd: stupid attack from audience accusing them of not setting up a good baseline. Hostility could be felt coming from the italian guy. Some beating received.
  • 7
Environment sensitive malware

  • Presenter: Martina Lindorfer
  • Start: I arrived late
  • English: ok
  • Theory: nice
  • Practical value: good, Jaime has implemented similar stuff already.
  • End: 09:58
  • Slide usefulness: nice slides, text at bottom
  • Q&A beating recvd: none, AFG asking some useless stuff.
  • 7
Last quick note: Jaime wanted to ask Martina during the Q&A if she wanted to marry him (good looking, good knowledge in an area he's very interested in too) but he chickened out at the end.

Here we got the winner of the most useless question/comment of day one btw. There was an Italian guy who was attacking Nathaniel for not having set a right baseline for tests, and it was set in a previous paper. Lesson for AIG: Do your research before blaming others... 

Conclusion
It's been a great experience, some interesting talks but far too theoretical for my taste, as stated earlier.
The location was a bit weird, it ressembled more a dinner place than a conference room (the same building had a much better conference room but we couldn't use it).

What I take with me is being happy about Suricata continuing to grow in the right direction, having met Matt, Victor and Marty again and having getting to know some interesting people. Aah, and having "give Bro another chance, again" on my todo list again :-)

4 comments:

Seth Hall said...

I'm actually quite sad to hear that you think most of what I said was targeted at academic users. Whenever I talk, I try to focus on incident responders as the audience (unfortunately there were very few there).

Sorry for the long answers too, but I think it spawns from the difference in approach and the fact that no one really knows what Bro does or how it works. The others could assume that their audience had a ground knowledge which I couldn't assume.

You seem to have forgotten to answer your rhetorical question (if you don't limit the capabilities... where will that lead you to?). I'd argue that the answer to the question might just be "somewhere great!".

Thanks for listening! :)

Dominique Karg said...

Hey Seth,

I fear yes, I was thinking "nice, I should really look into Bro and see what their approach to that complex and vast amount of information they gather is". You talked a lot about the vision of the products, how you were rewriting things and I could feel you really loved and enjoyed it, but there was little specific talk about how to broaden acceptance, making it more userfriendly (with specific stuff) and such.

But your passion at the talk had the desired effect at least on me, I want to try it out again and see if it can be made "more user friendly" like we did with so many other tools.

The panel was great as said, don't get me wrong.

Pablo Rincon Crespo said...

Hey DK,
thanks for the post. It looks that it was an interesting discussion, and fun.
Best regards.

Raffy said...

I dropped by RAID for a couple of hours. I have attended a lot of the conferences in the past. This year, I glanced through the proceedings and decided that we haven't made much progress in IDS in the last years. Too bad.
I had to laugh reading your blog. I think I might know who that AFG is. Email me if you want to know his name ;)

Post a Comment