One of the distinguishing features of botnets is communication between the bot and the C&C server. Analyzing network traffic is a part of researching a botnet. Suricata, an open-source network threat detection engine, is a powerful tool not only for finding threats in your network, but also for malware classification by analyzing output from a sandbox environment.
I will show how to use Suricata NIDS on Ubuntu VM, speak about rule writing principles and show step-by-step how to write effective IDS rules for a given traffic. Traffic examples for the training include real traffic from bots for various platforms. The training will focus on new features of the latest version of Suricata, which greatly simplify the rule writing process. I will also show how to read Suricata logs and fix false alarms.
At the end of the class, participants will be able to set up NIDS, find malicious requests in traffic and write effective rules for various protocols using the power of the latest NIDS. The workshop will be useful as for beginners in IDS (knowledge of network protocols would be a plus), so for those who have some experience in writing IDS rules for Snort/Suricata.