Intro to Practical Network Signature Development for Open Source IDS

Presented at BSidesLV 2017, July 25, 2017, 8 a.m. (235 minutes)

In "Practical Network Signature Development for Open Source IDS" we will teach expert methods and techniques for writing network signatures to efficiently detect the greatest threats facing organizations today. Students will gain invaluable information and knowledge including the configuration, usage, architecture, traffic analysis fundamentals, signature writing, and testing of a modern network IDS, such as Suricata and Snort. Student will be given handouts to help them develop and read with IDS signatures. Lab exercises will train students how to analyze and interpret hostile network traffic into agile IDS rules for detecting threats, including but not limited to: Exploit Kits, Ransomware, Phishing Attacks, Crimeware Backdoors, Targeted Threats, and more. Students will leave the class armed with the knowledge of how to write quality IDS signatures for their environment, enhancing their organization's ability to respond and detect threats.

Presenters:

• Jason Williams - Pcap Eater - Emerging Threats / Proofpoint
  Network Monitoring, IDS, IPS, NSM, Suricata, Rules, Anti-Phishing, Malware, Threat Stuff, Malware Reversing Stuff, La Croix, Coffee, Club Mate, Destiny. In reverse order.
• Jack Mott
  Jack is a Security Researcher on the Emerging Threats Research team at Proofpoint where he spends all day long in packet-land playing with malware and writing comprehensive IDS rules for the ETPRO and OPEN ruleset. In addition to IDS sigs, writes sigs for ClamAV and Yara to hunt, detect, and analyze internet-borne threats. Jack loves analyzing exploit kits, malicious docs, and ransomware. Jack is a core member and trainer with the non-profit Open Information Security Foundation (OISF) and works closely with the developers of Suricata. Additionally, Jack has spoken at various educational institutions and information security conferences on malware related topics.
• Francis Trudeau - Cyber Anarchy Watchdog - Emerging Threats / Proofpoint
  It's time that we became uber-efficient with our interactive policy mobility. This is no time to bite the bullet with our interactive reciprocal programming. At base level, this just comes down to knowledge-based management options. I can make a window to discuss your holistic management capability.

Links:

• https://bsideslv2017.sched.com/event/BNFF/intro-to-practical-network-signature-development-for-open-source-ids

Similar Presentations:

• DeepSec 2013 „Secrets, Failures, and Visions“ / Effective IDS Testing - The OSNIF's Top 5
• GrrCON 2014 / How to budget IDS's
• ToorCon San Diego 1 (1999) / IDS: What are they and how can we use them?