Ron Bowes

Principal Security Researcher


Ron Bowes, Principal Security Researcher, GreyNoise Intelligence

Ron Bowes is a Principal Security Researcher on the GreyNoise Labs team, which tracks and investigates unusual--typically malicious--internet traffic. His primary role is to understand and track the big vulnerabilities of the day/week/month/year; often, that means parsing vague vendor advisories, diff'ing patches, reconstructing attacks from log files, and--most complex of all--installing and configuring enterprise software. When he's not at work, he runs the BSides San Francisco Capture the Flag contest, is a founder of The Long Con conference in Winnipeg, takes improv classes, and continues his project to finish every game in his Steam library.


Workshop: Flying Under the Radar: Abusing HTTP to Bypass Suricata

Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.


Network protocols are messy! Sure, there are standards - RFCs, IEEEs, you name it - but there are also multiple ways to do basically everything. If you're relying on network IDS/IPS tools like Suricata, I have bad news - a sufficiently clever attacker can bypass a lot of your signatures, leaving you completely blind.

Many attackers use off-the-shelf tools/exploits that are based on proofs of concept, while many defenders use detections based on the same proofs of concept and tools, which creates a really boring armistice. But as attackers (and defenders!) we can do so much better! The cool part about HTTP is that, at every level of the stack, your software tries to make sense of the user's (aka: the attacker's) requests. From the web server (Apache, IIS, etc) to the language parser (PHP, .NET, etc) to the various frameworks to the application code itself - everything just wants your requests to work. That's great for ensuring the internet keeps working, but makes it really hard to write signatures!

In this workshop, we'll learn about the structure of an HTTP request, including the URI, headers, post body, and all that. Then we'll learn a bunch of different exploit types - shell command injection, SQL injection, path traversal, and more - and how they fit into an HTTP request.

Once we have a firm footing in HTTP exploits, we'll learn how to write a Suricata rule to detect each of them. You'll get hands-on experience on both sides of the table - after writing exploits, you'll learn how to detect them!

Finally, once you're comfortable with basic exploit development and basic Suricata usage, we'll add a final twist: you'll exploit all of the same vulnerabilities again, several times each, but this time you'll have to evade my rules.

Can YOU bypass my Suricata rules? We'll see!
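The abstract's central point, that every layer decodes the request a little differently so a byte-level signature can never quite agree with the backend, is easy to see with a small model. The example below is added here; it is not the speaker's workshop material nor any of his rules. It takes a few constructed path-traversal request lines and checks each against three views of the URI: the raw bytes a rule on the unnormalized buffer would see, a single-pass percent-decode (an approximation of the normalized `http.uri` buffer a NIDS such as Suricata inspects by default, stated as an assumption), and a lenient backend that keeps decoding until the string stops changing (an assumed behaviour, not a specific product). The rule shown in the comment is an illustrative shape only.

```python
"""Toy model of why raw-byte HTTP signatures are fragile (added example).

Three views of the same request URI:
  1. raw bytes            - what a rule on the unnormalized buffer matches on
  2. normalize_once()     - one percent-decoding pass; assumed to approximate a
                            NIDS's normalized URI buffer (e.g. Suricata's
                            http.uri with double decoding left at its default)
  3. backend_decode()     - a hypothetical lenient backend that decodes until
                            nothing changes
"""
from urllib.parse import unquote

# Illustrative rule shape the naive detection corresponds to (not a real deployed rule):
# alert http any any -> any any (msg:"path traversal ../ in URI"; \
#   flow:established,to_server; http.uri; content:"../"; sid:1000001; rev:1;)
SIGNATURE = "../"

# Constructed request lines: same traversal intent, different encodings.
SAMPLE_REQUESTS = [
    "GET /../../etc/passwd HTTP/1.1",                     # plain
    "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",             # single percent-encoding
    "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1",     # double percent-encoding
    "GET /static/..%2f..%2fetc/passwd HTTP/1.1",          # only the slashes encoded
    "GET /index.html HTTP/1.1",                           # benign control
]


def request_uri(line: str) -> str:
    """Pull the request-target out of an HTTP/1.x request line."""
    return line.split(" ")[1]


def normalize_once(uri: str) -> str:
    """One percent-decoding pass (assumed NIDS-style normalization)."""
    return unquote(uri)


def backend_decode(uri: str, max_rounds: int = 5) -> str:
    """Hypothetical lenient backend: decode repeatedly until stable."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify(line: str) -> dict:
    """Does the signature fire at each layer, and does the backend traverse?"""
    uri = request_uri(line)
    return {
        "raw_match": SIGNATURE in uri,
        "normalized_match": SIGNATURE in normalize_once(uri),
        "backend_traverses": SIGNATURE in backend_decode(uri),
    }


def evasions(lines=SAMPLE_REQUESTS) -> list:
    """Requests the backend would treat as traversal but the normalized rule misses."""
    return [
        line for line in lines
        if classify(line)["backend_traverses"] and not classify(line)["normalized_match"]
    ]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line:50} {classify(line)}")
    print("evade normalized rule:", evasions())
```

Run it and the raw-byte match fires only on the plain request, the single-decode view catches the single-encoded variants, and the double-encoded request slips past both while the lenient backend still resolves it to `../`. That last row is the kind of gap the workshop's final exercise is about: the rule has to be written against the view the target actually acts on, and the only way to know what that view is, is to test against the real software.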