Open Source Sessions
OpenVPN: Secure Remote Access for the Masses
The University of Toronto has over 70,000 students and 10,000 staff and faculty. Over the past three years, the IT department has developed and implemented a ubiquitous VPN service, based upon OpenVPN and FreeBSD. The service has over 3000 active customers, with up to 35 simultaneous users, and supports Linux, Mac OS X and Windows XP/Vista/2000 clients. In this session you’ll learn about a range of open source tools and approaches developed to provide secure remote access, monitor and log usage of the service, and authorize and authenticate users by integrating into the local identity management system.
Speaker: Russell Sutherland
In the Weeds of the Snort Security Platform (SnortSP)
The Snort Security Platform (SnortSP) is the first major milestone toward Snort 3.0. Join Dina Bruzek, Sr. Director of Sourcefire Engineering, for an in-depth architectural review of SnortSP. Learn how SnortSP will bring new improvements in performance, scalability, and uptime to open source Snort, and how it will play a pivotal role in Sourcefire’s upcoming 3D System 4.9 release.
Speaker: Dina Bruzek
Writing Effective Snort Rules: Part I, Snort Engine and Preprocessor Architecture
Writing effective custom rules for Snort requires knowledge of the Snort engine and preprocessor architectures. In this session Matt Olney of the Sourcefire Vulnerability Research Team (VRT) will discuss the VRT’s methodology for writing Snort Rules. In Part I Matt will cover both detection theory and what you need to know about Snort’s architecture in order to write effective Snort Rules.
Speaker: Matt Olney
Strategies for Defending Web-Enabled Applications
The number one attack vector today is against applications. Traditional network security does not protect applications. In this session you’ll learn how to protect applications using off-the-shelf products and procedures. Taking a vendor-agnostic approach, Barry will show what functions should be deployed in order to protect applications. You’ll walk away with information you can use immediately to defend your organization against application attacks.
Speaker: Barry Lyons, IV
Writing Effective Snort Rules: Part II, Optimizing for Performance and Accuracy
Building on a Snort user’s knowledge of detection theory and Snort’s Architecture, Matt Olney of the Sourcefire VRT will demonstrate the use of different rule options in the Snort rules language that allow users to create rules that are optimized for performance and accuracy. In this discussion Matt will examine the real-world use of different rule options in several published VRT rules, including:
- Detecting buffer overflows with content checks and isdataat
- Detecting buffer overflows with PCRE
- Detecting attacks against the Kaminsky DNS bug with byte_test
- Parsing variable sized protocols and using byte_test for buffer overflow detection
- Content and replace keywords
Speaker: Matt Olney
Lessons Learned While Creating a Unified v2 Parser in Ruby
The Snort unified 2 output format presents a wealth of information that cannot be consumed by the current version of Barnyard. With the noisyredpig library, which is written in Ruby, Bryan will show you how to take advantage of the output and make it available for consumption in other applications. This talk will show the benefits of using Ruby and present the lessons learned while developing the noisyredpig library.
Speaker: Bryan Liles
Understanding Shared Object Rules Development
Shared object (SO) rules are loadable modules that can quickly extend the detection capabilities of Snort. Using the full power of C, SO rules enable rule writers to create much more complex rules than the Snort rules language. In this session attendees will learn the basics of Snort SO rule development. At the end of the session, attendees will have the knowledge required to construct a basic SO rule for detection of a simple attack.
Speaker: Patrick Mullen
Samurai-WTF: The New Old Thing for Web Penetration Testing
Samurai-WTF is a bootable LiveCD environment that is specifically built for web penetration testing. Justin and Kevin have designed and built an environment that is feature-rich with included tools and configurations that ensure the web tester does not need to concern themselves with installing or configuring the tools they use. The presentation will also include two new projects, Yokoso! and Laudanum. Yokoso! is an infrastructure fingerprinting system injected into web applications via XSS. Laudanum is a collection of injectable files used during SQL injection attacks.
Speakers: Justin Searle, Kevin Johnson
Understanding Exploitation Techniques in Defending the Network
The organizations of today rely on various and sundry tools and threat intelligence feeds to defend their networks. Even with these resources at their disposal, organizations still have a simple disadvantage: on average, most defenders lack a working understanding of what it is they're defending against. In this session Lurene Grenier of the Sourcefire VRT will look at the realities of exploitation in a way that is graspable and eminently useful for all audiences involved in defending the network.
This session will cover:
- The anatomy of an exploit
- How and why they're developed
- The aims and outcomes of a successful breach
Speaker: Lurene Grenier
Web Intrusion Detection With ModSecurity
Intrusion detection is a well-known network security technique—it introduces monitoring and correlation devices to networks, enabling administrators to monitor events and detect attacks and anomalies in real-time. Web intrusion detection does the same but on the HTTP level, making it suitable to adequately deal with security issues in web applications. This session will start with an overview of web intrusion detection and web application firewalls, discussing where they belong in the overall protection strategy. The second part of the talk will discuss ModSecurity, an open source web application firewall, and its capabilities.
Speaker: Ivan Ristić
Common Mistakes Using Snort and How to Fix Them
With over three million downloads to date, Snort is one of the most widely used open source security technologies, becoming the de facto standard for intrusion prevention. Users that are newer to the community often encounter similar problems initially configuring Snort or optimizing its configuration for their environment. This session will focus on some of the most common mistakes made when configuring and using Snort and how to fix them. Common problems covered in this session will include:
- Snort.conf file
- Variables
- Preprocessors
- Rules
- Barnyard and SnortUnified
Speaker: Joel Esler
How to Block Out the Bad Stuff with ClamAV
ClamAV Anti-Malware is one of the most commonly-used open source anti-virus and anti-malware products in the world. Renowned for its speed and accuracy, ClamAV has been adopted by network security solution and service providers worldwide. Like Snort, ClamAV’s cutting edge security technology is a triumph of the open source model. The presentation will cover an introduction to ClamAV, its design, common applications, and hot features such as logical signatures, anti-phishing, DLP and others. Tomasz will also provide various hints on how to effectively install and get the best performance out of ClamAV. The talk will include live demos illustrating ClamAV's most interesting features.
Speaker: Tomasz Kojm
Trade-Offs in Building Entire Networks in Software
Untangle, an open source software company, has developed a virtualization platform for packaging and delivering networking applications that make it easier for businesses to adopt open source software. In this presentation, Untangle's Founder/CTO, Dirk Morris, will lay out a new model for deploying software at the network gateway to overcome the challenges of running multiple applications (firewall, IPS, VPN, Spam Blocker, Spyware Blocker, Web Filter, etc.) on standard x86-based hardware. Dirk will present an insider's look at the trade-offs Untangle made when designing a virtual network and tricks learned in maintaining high performance between competing applications running on the same system.
Speaker: Dirk Morris
Second BASE: The Next Five Years
The BASE project team will present the plans and design of the next major version of BASE. The BASE interface, as adopted from ACID, is being updated to ensure that BASE will handle the requirements of Snort 3.0 and security analysts into the future. This presentation will show the new interface and architecture being built by the project team and will provide an opportunity for users to help guide our direction.
Speakers: Justin Searle, Kevin Johnson
Running Snort and ClamAV on your Wireless Router
In this session we’ll explore bringing the power of Snort and ClamAV to embedded Linux. We’ll start with a sub-$100 ASUS WL-500g Premium wireless router and turn it into a security gateway providing IPS (Snort Inline) and web AV (DansGuardian and ClamAV). Along the way we’ll introduce the hardware, liberate your firmware and show you how to unleash the power of your wireless router. Topics covered include:
- Using the OpenWRT SDK (cross compilation environment)
- Installing and enabling Snort in inline mode
- Installing DansGuardian and ClamAV
- Transparently redirecting HTTP traffic
- Snort tuning in a low bandwidth environment
- Automating rule and signature updates
Speaker: Charlie Vedaa
Open Source Penetration Testing Frameworks & Tool Kits
The scope of modern penetration testing is broader than ever before. Today’s penetration tester is faced with attacking systems protected by IDS/IPS, NAC, web content filters, anti-spam gateways, managed AV, patch management systems, and more. This session will cover the use of open source penetration testing frameworks and tool-kits in enterprise environments protected by multiple security technologies. The session will also cover documenting your findings and mapping those findings against common compliance regulations such as PCI, SOX, HIPAA and GLBA.
Speaker: Joe McCray
Secure Coding Best Practices
With the increasing frequency and complexity of application-level attacks, combined with regulatory requirements for secure application development, today’s development organizations must focus on building security into the software development lifecycle. This talk will encompass techniques for writing secure multi-platform, multi-language code. It will address common mistakes in coding that arise from programmatic misconceptions. It will also bring to light easy-to-use paradigms that can be applied to all programming languages. Various methodologies will be explored for code auditing to provide a basis for security code auditing.
Speaker: Brian Caswell
Host-Based Intrusion Detection with OSSEC
OSSEC is a multiplatform open source Host-Based IDS. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. This presentation will provide a technical overview of what OSSEC does, how it works and how anyone can leverage it for their own internal needs. Daniel will also cover the concept of LIDS (log-based intrusion detection) and provide examples of how real attacks and policy violations have been detected using it.
Speaker: Daniel Cid