SURFids
a Distributed Intrusion Detection System
Wim.Biemolt@surfnet.nl
May 2010 TF-CSIRT, Heraklion, Crete.
Rubbish
SpamPots Project
Country Codes
Other sensors
Own project goals
- Understanding:
  - the amount and the types of malicious network traffic
  - the spreading of worms
- A scalable solution
  - easy to manage and maintain
  - the sensor must be maintenance free
- Comparing results with other sensors
- No false positives!
- Based on high-speed networks
  - "should" be able to analyse L2 traffic
- Limit malicious outbound traffic from SURFnet
Setup
- Sensor: a remastered Knoppix distribution, booted from USB
- OpenVPN tunnel between the sensor and the central server
- Computer system
  - USB boot
  - 1 NIC
  - DHCP or static IP (2x)
- OpenVPN session
  - through the local firewall (TCP 1194)
- HTTPS session
  - through the local firewall (TCP 4443)
Sensor
Servers
- Logging
  - PostgreSQL
  - web interface
  - mail logging
  - IDMEF
- Tunnel
  - OpenVPN tunnel to each sensor
  - manages the X.509 certificates/keys of the sensors
  - source-based routing
- Honeypots
  - initially based on nepenthes, a low-interaction honeypot
Honeypots
nepenthes
argos
dionaea
Overview
Or in the cloud
What we do(n’t) see
- DO
  - automated attacks
  - no end-user interaction
  - attacks on OS and applications
  - scans
  - probes
  - offered malware
- DON'T
  - targeted attacks
  - system hacking
SURFids 3.0
whois
Analyze
PDF results
IDMEF
Commercial break
WHO NEEDS RTIR?
Incidents
Import queue
Process
Incidents
Process
WELCOME BACK
nfsen
Malware offered
Malware downloaded
Binary info
Request
- "Now a request for you. We have discussed several times about getting you to feed us the binaries you collect from your distributed honeynet systems. Is this something we can get going?"
Conclusion
- SURFids
  - a successful solution
  - very easy to deploy
  - actively developed
- Now what?