Each year, Suricon attracts visitors from around the world for three days of training and discussion focused entirely on the popular open-source intrusion detection system (IDS), Suricata. The 10th annual Suricon event takes place 13-15 November, 2024 in Madrid, Spain at the Hotel Riu Plaza España.
This year, Stamus Networks’ co-founders Peter Manev and Éric Leblond will be joined by Stamus engineers Markus Kont and Andreas Herz for several different training sessions and speaking engagements over the three-day conference.
In this session led by Peter Manev, attendees will learn how to dig deep into network traffic to identify key evidence that a compromise has occurred, learn how to deal with new forms of attack, and develop the skills necessary to proactively search for evidence of new breaches using Suricata. Open-source tools such as Suricata, Arkime and Kibana will be utilized to generate data, perform exhaustive traffic analysis, and develop comprehensive threat hunting strategies.
Éric Leblond will lead this two-day session where attendees will learn how to maximize the visibility that Suricata can provide into the network. Attendees will gain deep technical understanding and hands-on experience with Suricata’s versatile arsenal of features and capabilities for a variety of deployment, usage, and integration scenarios. Tuning and optimizing Suricata for threat/anomaly detection, file extraction, and/or protocol detection are critical for a successful deployment.
Andreas Herz and Peter Manev follow up on earlier Suricon discussions about SEPTun (see a video recording here). In this evolution of the presentation, Peter and Andreas take a deep dive into the routines that have helped them find, report, and fix bottlenecks in their Suricata deployments. They will summarize the details of SEPTun Mark III and the findings they would like to share with the community, including configuration recommendations and performance processing guidelines. (Note: you do not need to have seen previous SEPTun talks to participate in this session.)
In this session, Markus Kont expands on his implementation of Jupyter Notebooks to present the available fields in EVE SMB protocols, along with observations about the properties of these fields. He will also explore samples of actual SMB event flows — including how one should normally look, along with samples of malicious event flows he has seen during cyber exercises. Finally, Markus will present opportunities for traffic profiling and anomaly detection, such as extracting useful features from SMB traffic and performing simple graph analytics.
For an intro to Markus’s work on Jupyter Notebooks for Suricata, read this blog series.
Éric Leblond goes in depth on the dataset feature in Suricata, a powerful feature that allows users to build rules to match on huge lists of Indicators of Compromise (IoC) at high speed. In this session, Éric introduces datajson, a new dataset type where the user can embed context in the IoC definition and add this context to the IDS events. He will also showcase usage of the feature with a newly-registered domain list and other massive datasets.
If you haven’t already done so, make sure to visit https://suricon.net/ to purchase tickets, reserve your room, and view the agenda for the week. We look forward to seeing you there! To stay updated with new blog posts and other news from Stamus Networks, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.