ML IPS в Ideco NGFW: бессигнатурная защита от атак нулевого дня

В 2020-ом году отправившись на рекомендованную всем «удаленку» мы в Айдеко перекроили весь роадмап продукта и быстро выпустили Ideco UTM VPN Edition – версию с расширенными возможностями по организации, защите и контролю доступа удаленных сотрудников. Делать что-то другое в IT-продукте в это время казалось несвоевременным. Примерно, как сейчас – не использовать AI-инструменты в работе и AI-функциональность в продукте для защиты. В то время, когда злоумышленники вовсю используют AI-инструменты. И атаки становятся все изощреннее и быстрее . В 2025 году зафиксировано 90 zero-day эксплойтов в дикой природе. 44% атак нулевого дня нацелены на корпоративные сетевые устройства - NGFW и VPN-шлюзы. Среднее время от публикации CVE до первой эксплуатации в реальных атаках сократилось до 5 дней и еще более сократится . Ни одна сигнатурная база не успевает за этим темпом. Рассказываем, как мы работаем над ML-модулем обнаружения вторжений в Ideco NGFW, что показал натурный эксперимент с ИСП РАН на 73 миллионах сессий и какие ограничения у этого подхода. Почему сигнатуры перестают справляться Сигнатурный IPS работает принципиально так же, как антивирус в 1990-х: есть база известных угроз, есть входящий трафик, есть сравнение. IPS - при всей мощи, работает с заранее описанными паттернами. Проблема не в самом подходе - проблема в скорости появления угроз. По данным Google Threat Intelligence Group , в 2025 году в дикой природе было зафиксировано 90 zero-day эксплойтов. По данным RAND Corporation, среднее время жизни zero-day атаки до её обнаружения составляет 312 дней. За это время сигнатура не появится: её невозможно написать на то, что ещё не обнаружено.

https://habr.com/ru/companies/ideco/articles/1024442/

#IPS #NGFW #ml #suricata #машинное_обучение

#Suricata is een veelgebruikte open source (GPLv2) netwerk security engine, voornamelijk gebruikt als IDS (Intrusion Detection System) en IPS (Intrusion Prevention System).

Op de NLUUG voorjaarsconferentie van 7 mei 2026 zal Victor Julien ( @inliniac ) verbeteringen in Suricata van de afgelopen 10 jaar presenteren en inzicht geven hoe netwerk security uiterst belangrijk blijft.

Schrijf je in voor de https://nluug.nl/evenementen/nluug/voorjaarsconferentie-2026/ en zie je op de voorjaarsconferentie!

#NLUUG is dé vereniging voor (professionele) gebruikers van UNIX/Linux, #OpenSource, #OpenSystemen en #OpenStandaarden in NL.

Hi everyone, and Happy Sunday. I've made great strides in my #Suricata book: Suricata: An Operator's Guide. However, there has been a nagging doubt in my mind: Is there something I'm missing? Is there some subject that I'm not covering that the #NSM Community or Suricata users would find useful?

What I've covered so far:

• A history of Suricata
• How to set up a Detection Engineering lab, with multiple virtual lab configurations to support different budgetary constraints
• How Sensor placement in different network fabric layers (Core, Distribution, Access layers, Inside perimeter, outside perimeter, cloud deployments) affect network visbility, and how different network protocols can make it difficult to track down problems (DNS recursion, WAF/Load Balancer deployments, NAT, etc.)
• Rule anatomy (rule headers vs. rule body, keyword categories
• Performance metrics and analysis
• Resources and sample exercises to help build effective threat research for detection engineering
• Resources and sample exercises to help build effective vulnerability research for detection engineering
• Invasive and non-invasive ways to analyze encrypted traffic for threats (TLS metadata vs. TLS Master Secrets Key logging vs. TLS Termination and forwarding of decrypted traffic) (Current chapter! 65% done)

Future Chapters/Subjects

• Noise/False Positive Reduction methods for Suricata
• How to write flexible Suricata rules
• Rule writing tips and tricks learned from a career as an NSM detection engineer/analyst
• Ways to extend Suricata's versatility (New and existing features)

With ALL of these subject listed as things I have covered and still want to cover, For those of you out there wanting to learn more about Suricata and hashtag #IDS and #IPS technology, what are subjects you would like to see covered in an operator's guide meant to both cover general administration of the platform, as well as #RuleWriting and #DetectionEngineering aspects?

I'm very open to input, which is why I'm asking! If you don't have an opinion, maybe you could share this with your followers to extend its reach? Thank you!

P.S. For those who want to see a draft of this work, such as it is right now up to chapter 9, visit leanpub.com/suri_operator. The book is "pay what you want", and the minimum price is set to free. After all I wouldn't ask for reviews, or for feedback on other subjects to cover, and also expect you to pay for an incomplete work.

Thanks in advance!

RE: https://infosec.exchange/@da_667/116423366342409068

My past 4 years in a nutshell. #suricata #emergingthreats #ids

DNS tunneling is easy to miss. Peter Manev walks through a real-world case using Suricata 8: detection, investigation, and reverse engineering.

Don't miss it! Register now: https://us02web.zoom.us/webinar/register/WN_fooQOVivS2i2vIA80wlhOw#/registration

#Suricata #OpenSource #FreeWebinar

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

v26.02.0...v26.04.1

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

• ✨ Features and enhancements
  • implemented easier way to enable/disable Strelka scanners #935
  • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
  • index selected Strelka result fields #919
• ✅ Component version updates
  • Zeek to v8.1.1
  • Arkime to v6.1.1
  • crytography to v46.0.6 (for CVE-2026-34073)
  • evtx to v0.11.2
  • Flask to v3.1.3 (for CVE-2026-27205)
  • Fluent Bit to v5.0.2
  • Logstash to v9.2.7
  • Requests to v2.33.1 (for CVE-2026-25645)
  • supercronic to v0.2.43
  • yq to v4.52.5
  • Updates for ICSNPP Hart IP parser #924
• 🐛 Bug fixes
  • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
  • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
  • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
  • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
  • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
• 🧹 Code and project maintenance
  • swap redis out for valkey #882
  • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
  • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
  • some documentation updates
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
  • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
  • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
  • STRELKA_SCANNERS has been added to pipeline.env for #935
  • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Don’t miss Victor Julien ( @inliniac ) at BSides Groningen for a talk on open source, sovereignty, and where #Suricata fits in the conversation.

He’ll dig into Suricata’s independent history, its support through OISF, and why that matters today.

More here: https://bsidesgrunn.org/2026/03/18/suricata-open-source-network-security-engine-built-with-sovereignty-in-mind/

#Opensource

One of the best parts of RSAC was the chance to talk about #Suricata and open source with so many different people.

From longtime supporters to people discovering the project for the first time, those conversations help strengthen the project, the community, and what comes next.

Wrote a little summary of some interesting learnings that have proven to be good guides but haven't led to a success story.. yet. :)

#math #sat #computerSciences #np #suricata

https://shivanibhardwaj.com/p/suricata-flowbits-dont-always-flow/

Heading to BotConf?

Don’t miss Peter Manev and Éric Leblond’s ( @Regit ) Suricata workshop on April 14 covering detection techniques, rule development, and real-world use. Learn from people who help shape Suricata.

Learn more: https://cfp.botconf.org/botconf-2026/talk/Z8H9Y9/

#Suricata #BotConf #OpenSource