Modern IOCs matching with Suricata
10-17, 15:00–15:30 (Europe/Luxembourg), Salle Europe

This talk will present how Suricata, an open source IDS and NSM engine can provide high performance matching of IOCs on live traffic using a feature named dataset. It will also cover how the produced NSM events can be used to do IOC matching on past traffic data and will present the IOCMite tool that link Suricata and MISP.

Suricata is an high performance open source IDS and NSM engine that exist since 2009. The IDS function has evolved over the years and ,among other features, the dataset one has been developed to be able to match on a list of elements.

We will present how the feature is designed and how it is really convenient to do matching of IOCs on the live network traffic as well as building network wide patient zero database for metadata. We will also cover how the NSM produced data can be used to do matching on past traffic when new IOCs are added.

And finally we will present IOCMite an open source tool linking MISP and Suricata in both direction using the dynamic nature of dataset.

See also: Slides (2.0 MB)

Éric Leblond is the co-founder and chief technology officer (CTO) at Stamus Networks. He sits on the board of directors at Open Network Security Foundation (OISF). Éric has more than 15 years of experience as co-founder and technologist of cybersecurity software companies and is an active member of the security and open-source communities. He has worked on the development of Suricata – the open-source network threat detection engine – since 2009 and is part of the Netfilter Core team, responsible for the Linux kernel's firewall layer. Eric is a respected expert and speaker on all things network security.

This speaker also appears in:

Peter Manev is the co-founder and chief strategy officer (CSO) of Stamus Networks and a member of the executive team at Open Information Security Foundation (OISF). Peter has over 15 years of experience in the IT industry, including enterprise-level IT security practice. He is a passionate user, developer, and explorer of innovative open-source security software. He is responsible for training as well as quality assurance and testing on the development team of Suricata – the open-source threat detection engine. Peter is also the lead developer of SELKS, the popular turnkey open-source implementation of Suricata. Peter is a regular speaker and educator on open-source security, threat hunting, and network security.

Peter has been involved with Suricata IDS/IPS/NSM from its very early days in 2009 as QA and training lead. He is currently a Suricata executive council member. Peter has 15 years of experience in the IT industry, including as an enterprise-level IT security practitioner.

SELKS maintainer - turn-key Suricata-based IDS/IPS/NSM. A frequent contributor to and user of innovative open source security software, Peter maintains several online repositories for Suricata-related information: , and

Peter Manev is a co-author of the The Security Analyst’s Guide to Suricata book written with Eric Leblond.

Additionally, Peter is one of the founders of Stamus Networks, a company providing commercial and open-source network detection and response solutions based on Suricata. Peter often engages in private or public training events in the area of advanced deployment and threat hunting at conferences, workshops or live-fire cyber exercises such as Crossed Swords, DeepSec, Troopers, DefCon, Suricon, SharkFest, RSA, Flocon, MIT Lincoln Lab and others