Network protocols are messy! Sure, there are standards - RFCs, IEEEs, you name it - but there are also multiple ways to do basically everything. If you're relying on network IDS/IPS tools like Suricata, I have bad news - a sufficiently clever attacker can bypass a lot of your signatures, leaving you completely blind.
Many attackers use off-the-shelf tools and exploits that are based on proofs of concept, while many defenders use detections based on those same proofs of concept and tools, which creates a really boring armistice. But as attackers (and defenders!) we can do so much better! The cool part about HTTP is that, at every level of the stack, your software tries to make sense of the user's (aka the attacker's) requests. From the web server (Apache, IIS, etc.) to the language parser (PHP, .NET, etc.) to the various frameworks to the application code itself, everything just wants your requests to work. That's great for ensuring the internet keeps working, but it makes it really hard to write signatures!
This workshop will teach the basics of HTTP as well as the basic structure of Suricata rules. Then we'll look at quirks in HTTP and limitations of Suricata that make it very difficult to catch every edge case. Attendees will have the opportunity to play on both teams: we'll bypass Suricata rules, help fix them, and maybe even bypass them again!
Ron Bowes, Principal Security Researcher, GreyNoise Intelligence
Ron Bowes is a Principal Security Researcher on the GreyNoise Labs team, which tracks and investigates unusual (typically malicious) internet traffic. His primary role is to understand and track the big vulnerabilities of the day/week/month/year; often, that means parsing vague vendor advisories, diffing patches, reconstructing attacks from log files, and, most complex of all, installing and configuring enterprise software. When he's not at work, he runs the BSides San Francisco Capture the Flag contest, is a founder of The Long Con conference in Winnipeg, takes improv classes, and continues his project to finish every game in his Steam library.