Éric Leblond

Éric Leblond is the Co-Founder and Chief Technology Officer (CTO) of Stamus Networks and a member of the executive team at Open Network Security Foundation (OISF). Leblond has more than 15 years of experience as co-founder and technologist of cybersecurity software companies and is an active member of the security and open source communities. He has worked on the development of Suricata, the open source network threat detection engine, since 2009 and is part of the Netfilter Core team who is in charge of the Linux kernel's firewall layer. E. Leblond is a well-respected expert and speaker on all things network security.

The speaker's profile picture


Write faster Suricata signatures easier with Suricata Language Server
Éric Leblond

Writing signatures for Suricata and other intrusion detection systems (IDS) is considered by many to be a form of art. One of the main reasons is that the rule writer needs to start by examining a network trace to identify patterns that are representative to a threat/behavior without being too broad (to avoid false positives) or too narrow (to avoid being escaped at the first change of a bit in the attack). But the language used to write signatures is the second reason. It is not really expressive and doesn’t have advanced constructs. As a result signatures require complex writing to do things that could appear simple. And there are implicit conventions and structures that must be followed to guarantee correct integration in the detection engine.

The open-source Suricata Language Server (SLS) has been developed to solve these problems. SLS is a Language Server Protocol implementation that allows the user to benefit from built-in Suricata diagnostic capabilities when editing rules. SLS provides advanced diagnostics as well as auto-completion. In this talk, you will see how SLS can be used and how to make sense of the error messages and learn about some of the optimizations inside the detection engine. You will also discover what Suricata features are used behind the scene to make this possible.

[Workshop] Threat Hunting with SELKS and Suricata 6
Éric Leblond

Threat hunting with network data can be done with Suricata that combines a signature based IDS with network security monitoring capabilities. In this workshop we will show through SELKS usage. SELKS is a complete network threat hunting stack based on Suricata and Elasticsearch. We will use some of the recent capabilities of Suricata like dataset to show that it goes far beyond the traditional role of an IDS.

Blue Teams
Workshop Room