Intrusion Detection & Prevention

OSIgate's inline IDS/IPS is based on Suricata/Snort, with WebCache/Netmap used to enhance performance and minimize CPU utilization. This Deep Packet Inspection system is very powerful and can be used to mitigate security threats at wire speed.

R&D Report

1. IDS/IPS performance and throughput research.
2. Snort performance research.
3. IDS/IPS performance overhead research.


Cisco Snort: The World’s Most Widely Deployed IDS/IPS Technology

Overview

Martin Roesch, the founder of Sourcefire and chief security architect at Cisco, created Snort® in 1998. Snort is an open-source, rule-based intrusion detection and prevention system. It combines the benefits of signature-, protocol-, and anomaly-based inspection methods to deliver flexible protection from malware attacks. Snort became well known for accurately detecting threats at high speed. With nearly 4 million downloads and hundreds of thousands of registered users, Snort is the most widely deployed IPS technology in the world.

Benefits for OSIgate users

Cisco Snort’s open-source development methodology offers three main benefits:

●   Rapid response: Protect your environment from emerging attacks quickly by using Snort to customize and enforce your own security rules. Protect against threats you haven't yet seen through the Cisco® Talos Security Intelligence and Research Group (Talos). Talos writes Snort rules every hour of the day to combat new and evolving threats.

●   Greater accuracy: Strengthen your security without doing a thing. The worldwide Snort community continually reviews, tests, and offers improvements to the Snort source code. Benefit from the collective knowledge of security teams around the world as they suggest changes.

●   High adaptability: Employ the Snort system as a foundation for creating your own unique network security solutions. With ready access to source code and documentation, you can add your own functions to Snort.

Suricata IDS IPS NSM

Suricata is an intrusion detection system (IDS) and intrusion prevention system (IPS). It was developed by the Open Information Security Foundation (OISF).

The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.

Emerging Threat rules

Integrated support for ET rules. The ET Ruleset is an excellent anti-malware IDS/IPS rule set that enables users with cost constraints to significantly enhance their existing network-based malware detection.

Integrated Trojan Tracker

Integrated Feodo Tracker. Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and steal sensitive information, such as credit card details or credentials, from the victim's computer. At the moment, Feodo Tracker is tracking four versions of Feodo.

Suricata Detection engine

  • Protocol keywords
  • Multi-tenancy per VLAN or capture device
  • xbits and flowbits extensions
  • PCRE support
      • substring capture for logging in EVE
  • fast_pattern and prefilter support
  • Rule profiling
  • File matching
      • file magic
      • file size
      • file name and extension
      • MD5/SHA1/SHA256 checksum
      • scales up to millions of checksums
  • Multiple pattern matcher algorithms that can be selected
  • Extensive tuning options
  • Live rule reloads
      • use new rules without restarting Suricata
      • delayed rules initialization
  • Lua scripting for custom detection logic
  • Hyperscan integration

SSL Fingerprinting Detection

SSL fingerprinting: the IPS option for user-defined rules includes SSL fingerprinting. With this option, SSL communication can be blocked at the initial connection attempt by dropping the SSL key exchange.

Suricata HTTP Engine

  • Stateful HTTP parser built on libhtp
  • HTTP request logger
  • File identification, extraction and logging
  • Per-server settings (limits, personality, etc.)
  • Keywords to match on (normalized) buffers:
      • uri and raw uri
      • headers and raw headers
      • cookie
      • user-agent
      • request body and response body
      • method, status and status code
      • host
      • request and response lines
  • Decompress flash files


Suricata Multi Threading

  • fully configurable threading
  • from single thread to dozens of threads
  • precooked run modes
  • optional CPU affinity settings
  • Use of fine-grained locking and atomic operations for optimal performance
  • Optional lock profiling

Integrated SSL Blacklist

SSLBL is a project maintained by abuse.ch. Its goal is to provide a list of SSL certificates that abuse.ch has identified as associated with malware or botnet activity. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists.
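To show how the SSLBL fingerprints above feed the user-defined SSL fingerprinting rules described earlier, here is an added example (not OSIgate's, abuse.ch's or Suricata's own code) that turns an SSLBL-style CSV into Suricata drop rules using the tls.fingerprint keyword. The CSV column layout (listing date, SHA1, reason) is assumed, and the fingerprints in the embedded sample are constructed, not real SSLBL entries.

```python
import csv
import io
import re

# Constructed sample in the assumed SSLBL CSV layout: Listingdate,SHA1,Listingreason.
# The SHA1 values are made up for this example and are not real SSLBL entries.
SAMPLE_SSLBL_CSV = """\
# abuse.ch SSLBL - constructed sample, not a real feed
# Listingdate,SHA1,Listingreason
2024-01-05 10:11:12,0123456789ABCDEF0123456789ABCDEF01234567,Example botnet C&C
2024-01-05 10:11:12,0123456789abcdef0123456789abcdef01234567,Example botnet C&C
2024-01-06 08:00:00,not-a-fingerprint,Malformed line that must be skipped
2024-01-07 09:30:00,FEDCBA9876543210FEDCBA9876543210FEDCBA98,Example dropper
"""

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def parse_sslbl(text):
    """Return {sha1_lowercase: reason} from SSLBL-style CSV text.
    Comment lines and rows without a valid 40-hex-digit SHA1 are skipped,
    and duplicate fingerprints (any letter case) collapse to one entry."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#") or len(row) < 3:
            continue
        sha1 = row[1].strip()
        if SHA1_RE.match(sha1):
            entries.setdefault(sha1.lower(), row[2].strip())
    return entries


def to_suricata_fingerprint(sha1_hex):
    """Suricata's tls.fingerprint keyword expects colon-separated lowercase hex pairs."""
    h = sha1_hex.lower()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def build_rules(entries, action="drop", sid_base=9000000):
    """Emit one rule per fingerprint. The certificate comes from the remote server,
    hence the EXTERNAL -> HOME direction. 'drop' only takes effect when Suricata
    runs inline (IPS mode); in IDS mode it behaves like alert."""
    rules = []
    for n, (sha1, reason) in enumerate(sorted(entries.items())):
        msg = reason.replace('"', "'").replace(";", ",")  # keep the msg option well-formed
        rules.append(
            f'{action} tls $EXTERNAL_NET any -> $HOME_NET any '
            f'(msg:"SSLBL malicious certificate - {msg}"; '
            f'tls.fingerprint:"{to_suricata_fingerprint(sha1)}"; '
            f'classtype:trojan-activity; sid:{sid_base + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for rule in build_rules(parse_sslbl(SAMPLE_SSLBL_CSV)):
        print(rule)
```

Re-generate the rule file whenever the blacklist is refreshed and load it through Suricata's live rule reload so the new fingerprints apply without a restart.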

Suricata Packet acquisition

  • High performance capture
      • AF_PACKET (experimental eBPF and XDP modes available)
      • PF_RING
      • NETMAP
  • Standard capture
      • PCAP
      • NFLOG (netfilter integration)
  • IPS mode
      • Netfilter based on Linux (nfqueue), with fail-open support
      • ipfw based on FreeBSD and NetBSD
      • AF_PACKET based on Linux
      • NETMAP
  • Capture cards and specialized devices: Endace, Napatech, Tilera

Suricata IP Reputation

  • Loading of large amounts of host-based reputation data
  • Matching on reputation data in the rule language using the iprep keyword
  • Live reload support
  • Supports CIDR ranges
  • Custom-defined IP tables

OSIgate Global Support 24x7

From initial setup to mission-critical Firewall, SDWAN and NAS HA implementation and support ...
please call HK: +852 3694 0408, CN: +86.755 25904562 or email sales_team @ osigate.com for enquiries.