Combatting client-side attacks using near-realtime detection presented at SEC-T 2010

by Alex Kirk (Sourcefire)

Tags: Security Intrusion Detection

Summary: The level of sophistication currently demonstrated both by malware actors and by publicly available exploit frameworks such as Metasploit, CANVAS and Core Impact leaves increasingly few options for providing robust detection of attacks on client software. The Razorback project is designed to provide enterprise defense teams with a framework for developing the kinds of detection necessary to combat these threats. Razorback addresses these issues by providing a core infrastructure that matches declared data types to the individual capabilities of various detection systems. By providing an open, documented API, arbitrary data sources can be paired with one or more arbitrary detection systems to provide detection solutions that would otherwise be impossible due to limited data access or restrictions on system resources. This talk will discuss the concepts, design, and architecture of the Razorback Framework and introduce several modules for performing advanced inspection, detection, and alerting of network events. Additionally, the capability to update network defense mechanisms based upon these events will be demonstrated. The current implementation of the framework uses a stripped-down version of Snort as a data collector, but any data collection engine could be used, including server-based modules designed to work with squid, procmail, or any other proxy or server.
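To make the routing idea in the summary concrete, here is an added illustration written for this page; it is not Razorback's own code or API. It sketches a core that lets detection modules declare which data types they can inspect, routes each block a collector submits to the matching modules, and hands any verdict to a hook that updates defenses (here, a blocklist of sources). The type names, module names, heuristics and sample payloads are all constructed for the example.

```python
"""Illustrative data-type-to-detector dispatcher (added example, not Razorback's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Inspector = Callable[[bytes], Optional[str]]  # returns a reason string on a hit, else None


@dataclass
class DataBlock:
    data_type: str   # declared type, e.g. "application/pdf" (constructed name)
    source: str      # which host/collector the data came from (constructed)
    payload: bytes


@dataclass
class Verdict:
    module: str
    data_type: str
    source: str
    reason: str


class Core:
    """Matches declared data types to the modules that registered for them."""

    def __init__(self, alert_hook: Callable[[Verdict], None]) -> None:
        self._modules: Dict[str, List[Tuple[str, Inspector]]] = {}
        self._alert_hook = alert_hook

    def register(self, name: str, data_types: List[str], inspect: Inspector) -> None:
        # A module declares its capabilities as the list of types it can handle.
        for data_type in data_types:
            self._modules.setdefault(data_type, []).append((name, inspect))

    def submit(self, block: DataBlock) -> List[Verdict]:
        # Only modules that declared this block's type are consulted; an
        # undeclared type is simply passed through with no verdicts.
        verdicts: List[Verdict] = []
        for name, inspect in self._modules.get(block.data_type, []):
            reason = inspect(block.payload)
            if reason:
                verdict = Verdict(name, block.data_type, block.source, reason)
                self._alert_hook(verdict)   # near-realtime alert / defense update
                verdicts.append(verdict)
        return verdicts


# Two toy detection modules (constructed heuristics, for illustration only).
def pdf_inspect(payload: bytes) -> Optional[str]:
    if b"/JavaScript" in payload or b"/JS" in payload:
        return "PDF carries an embedded JavaScript action"
    return None


def pe_inspect(payload: bytes) -> Optional[str]:
    if not payload.startswith(b"MZ"):
        return "declared executable lacks an MZ header"
    if b"UPX" in payload[:1024]:
        return "executable appears to be UPX-packed"
    return None


def build_core() -> Tuple[Core, Set[str]]:
    """Wire up a core whose alert hook adds offending sources to a blocklist."""
    blocklist: Set[str] = set()

    def update_defenses(verdict: Verdict) -> None:
        blocklist.add(verdict.source)

    core = Core(update_defenses)
    core.register("pdf_js_inspector", ["application/pdf"], pdf_inspect)
    core.register("pe_inspector", ["application/x-msdownload"], pe_inspect)
    return core, blocklist


def run_demo() -> Tuple[List[Verdict], Set[str]]:
    """Submit a few constructed blocks as a collector would and return the results."""
    core, blocklist = build_core()
    blocks = [
        DataBlock("application/pdf", "10.0.0.5", b"%PDF-1.4 /OpenAction << /S /JavaScript >>"),
        DataBlock("application/pdf", "10.0.0.6", b"%PDF-1.4 plain document text"),
        DataBlock("application/x-msdownload", "10.0.0.7", b"not really a PE file"),
        DataBlock("text/plain", "10.0.0.8", b"no module registered for this type"),
    ]
    all_verdicts: List[Verdict] = []
    for block in blocks:
        all_verdicts.extend(core.submit(block))
    return all_verdicts, blocklist


if __name__ == "__main__":
    for v in run_demo()[0]:
        print(f"{v.module}: {v.reason} (type={v.data_type}, source={v.source})")
```

The point of the split is that the collector (Snort, a proxy module, a mail filter) only has to declare a type; which inspections run, and how expensive they are, is decided by the modules that registered for that type, so a detector that needs a full file or a sandbox can be added without touching the collector.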

Alex Kirk: Senior researcher