2022-07-05, 09:50–10:25 (Europe/Paris), Amphitheater
Writing signatures for Suricata and other intrusion detection systems (IDS) is considered by many to be a form of art. One of the main reasons is that the rule writer needs to start by examining a network trace to identify patterns that are representative to a threat/behavior without being too broad (to avoid false positives) or too narrow (to avoid being escaped at the first change of a bit in the attack). But the language used to write signatures is the second reason. It is not really expressive and doesn’t have advanced constructs. As a result signatures require complex writing to do things that could appear simple. And there are implicit conventions and structures that must be followed to guarantee correct integration in the detection engine.
The open-source Suricata Language Server (SLS) has been developed to solve these problems. SLS is a Language Server Protocol implementation that allows the user to benefit from built-in Suricata diagnostic capabilities when editing rules. SLS provides advanced diagnostics as well as auto-completion. In this talk, you will see how SLS can be used and how to make sense of the error messages and learn about some of the optimizations inside the detection engine. You will also discover what Suricata features are used behind the scene to make this possible.
See also: 🎥 video
Éric Leblond is the Co-Founder and Chief Technology Officer (CTO) of Stamus Networks and a member of the executive team at Open Network Security Foundation (OISF). Leblond has more than 15 years of experience as co-founder and technologist of cybersecurity software companies and is an active member of the security and open source communities. He has worked on the development of Suricata, the open source network threat detection engine, since 2009 and is part of the Netfilter Core team who is in charge of the Linux kernel's firewall layer. E. Leblond is a well-respected expert and speaker on all things network security.