
I hope everybody can hear me fine. Before I start, I just kind of want to get a feel of, you know, your Suricata exposure. And so, if you guys don't mind, scanning that QR code will take you to a link. There's no registration. It's not a phishing attempt, but if you can just answer, making up to two choices. Just kind of want to, you know, see what your exposure is. So, we'll take a moment.
All right. If somebody's already finished, just raise their hand.
All right. So, a good number of you haven't heard of Suricata. I'm going to talk about our latest release. So, that's good. And some of you have heard and want to learn more, and we'll certainly do that. And a couple of you are actively using Suricata. So that's great. Thank you. All right, I'm going to switch right over to the presentation as soon as I can figure out how to do that.
Okay. In this presentation I'm going to talk about our newest release, 8. Suricata has been around since before 2010, 2008 I think. This release represents a significant milestone for us and I'll talk about that in a little bit. But like all of our releases, it's been a heavy collaborative effort between the folks at OISF and our vibrant user community. So we are quite thankful to them for the contributions they have made, and I'll talk about those a little more as we proceed. I wanted to bring up a little bit of trivia and I wanted to ask this
question. Does anybody know why we have these meerkats all over the place in our branding, in our logo? >> Very good. Very good. >> Yes. Can you pass that to him? And over here.
>> Yes, indeed. Here you go. >> Yeah. So Suricata is the genus name of the meerkat. The meerkats are known for their diligence in watching over their mob. A mob is a group of meerkats. So that's where the title comes from and I just wanted to pass that on. So the meerkat is key. You'll see that all over our branding and almost everywhere you see the word Suricata. So Suricata, like I said, is a big achievement for us, and we remain committed to maintaining Suricata's position as a leading, relevant and trusted open-source network detection tool for the community. So we
realize that Suricata is used in a lot of places. Some are mission critical, some are highly sensitive, and we take that role very seriously as we put together changes for it. I'm going to talk again about what's new in Suricata 8. Before I go on, just a little bit about me. I've been with the OISF organization for six plus years. I was fortunate enough to join in 2019 and I've been quite happy. I had never done open source work before, but doing this type of open source work was something I didn't realize I really loved. Not only do I enjoy the technical parts of it, but interacting
with the community all over the world, really, and making a difference. So I've worked with vendors and worked with users from throughout the globe, which has really been satisfying. I'm also, sorry, I left off the second part. I'm also an employee of Corelight, where I oversee Suricata deployment on all our physical sensors and virtual sensors. I also do performance engineering there. In case you're wondering, you know, how much traffic can Suricata handle? I've seen it go anywhere from a couple of hundred megabits per second, you know, firsthand, all the way to 200 plus gigabits per second. So, Suricata can scale with appropriate hardware, but if you're playing in the 200 plus game, you
already know what appropriate hardware means. And it can do it, and I have firsthand knowledge of that. Okay, I'm going to briefly talk about OISF, the foundation, and this is important because this is what sets Suricata in the open source community and this is what will keep it in the open source community. So it's a nonprofit that was set up to oversee Suricata development, to keep it open, to prevent it from being commercialized like some other solutions out there. The foundation relies heavily on contributions from organizations throughout the world, and we have a healthy list of consortium members that provide the funding for Suricata's development. The link, I realize you
can't click on, but it's oisf.net. You can learn more about the organization, about the people that are involved, about our consortium members, and there's ways that if you want to become involved you can. All right. So, Suricata 8 was a long road for us. A little bit of backstory and then I'll jump back into it. Suricata 8 is a major release, which is the obvious part. The other part that we are really proud of, which I will talk about. Prior to Suricata 7, we tried to get major releases out on a regular cadence and we failed and we failed and failed and failed, and then COVID came along and we decided not to do a major
release while the world was not correct, and we extended the lifetime of Suricata 6, but we vowed to become more regular in our releases. So starting with Suricata 7, we decided that every two years we're going to do a release. Every three years we would end support for the previous release. So at any point in time we have a major release, which comes out every two years, and then the previous release is supported for three years. So obviously there's a year overlap, and it's during that year of overlap that we are available to help folks migrate from the previous release to the current release, but once that
period ends we will still answer questions, but you really should update, because along the way we put in security fixes and bug fixes. Security fixes really are that important, and so we'll still try and answer the question for older releases. Suricata 8 came out in July of 2025. It will be supported till July of 2028. Suricata 7 came out in 2023 and it will be supported until July of next year. So that's a heads up. Everybody gets a year to move forward. And like I said, we are here and can help. We have an active forum and Discord channel where we'll take questions. Suricata 8, a lot changed. There's some
numbers up there, but one of the things that we are most excited about is we came out on time. We said it will be July of 2025, and for an open source organization where financial motives are not the reason for our existence nor do they drive our development, we do it based on community support and what we think the community needs, that's quite an accomplishment to get it out on time. The other thing that's really exciting is if you look at Rust and C. How many of you know the Rust language or know what it is? One, two, maybe. Okay. Those of you that have used Rust know that it has a
lot of advantages over C. Not only is it incredibly fast, but it's incredibly hardened. It can be hardened. So, we use it for parsing untrusted data, that is, stuff that comes off the network, stuff that comes out of files. And we are shifting the balance of our code from C to Rust. And we had major movement in this release. We're about 75% / 25%, 75% being C. The release, again, I realize you can't click on the link. Suricata.io is the landing page for all things related. You go to suricata.io, you can get through to our forum. You can get to our community resources. You can get to anything that's related to us
including things that are special for us, our annual users conference. And then there's a lot of links to various things that could be helpful. One of the things that sets this project apart is that we do have a vibrant user community and they do make lots of contributions. So, I'm not going to talk about the individual scores that you see in this, but we maintain a leaderboard, which is meant to be a light-hearted way of just showing, you know, contributions and where they come from. It's not meant to pit one against another, but it's just meant to show you that organizations have an impact on Suricata. And this shows you the top
10. Stamus Networks is particularly important to us because they do provide the bulk of the contributions from the community, and several of the folks on their staff were also heavily involved with Suricata from its early days and remain so. So this is the organization level and this is at the individual level. Eric Leblond was associated with Suricata almost from the start and now he's CTO of Stamus Networks. So, it's not surprising that they take the top two spots. One of the things I wanted to highlight on this slide is the person at number three, Elise. For the past several years, the OISF has worked with
Outreachy, which is an organization dedicated to helping underrepresented folks get into security or cyber security and technical fields. And that works through, there's a vetting process, there's a selection process, and then there's an intern process. The intern is a paid three-month agreement. We have two folks on staff from Outreachy. They're both working out wonderfully. Elise was an intern from the previous session, which started a year ago in December. And during that three-month period, she made a lot of contributions. And so I wanted to highlight Outreachy for a couple reasons. We think it's great. And if your organization or who you work with can possibly work with
Outreachy to maybe help some other folks, I think that would be great. Outreachy.org is where you can get started and look at it. It's an involved process, but it can also be a beneficial process for everybody. Okay. So for those of you that don't know what Suricata is, this picture kind of depicts how Suricata fits into most environments. This is your classic, you know, internet, firewall, intranet picture. Suricata usually runs in a position in your network where it has visibility to the things that you want to protect. In a large organization, this picture is going to be repeated a lot of times, because the sheer volume of traffic and the way that your
network is organized is going to be different if you're a, you know, Fortune 500 versus a small-medium business versus, you know, something else. So, Suricata in this case is hooked up to the router/switch that has visibility to the internet over a tap. So in this case, Suricata would be operating in passive mode. It's receiving all the traffic, but it can't affect the traffic flow at all. This is a north-south deployment of Suricata, meaning it's watching traffic between the internet and the intranet. A lot of large organizations that I'm familiar with also have many deployments in their intranet where they're watching east-west traffic, so traffic that stays solely within it. Suricata can
do both at the same time. But depending on the size of what's to the right, you may want to have multiple instances of it and then collect the data upstream. So, those of you who are using Suricata, how many of you are using it in an east-west scenario? Okay. What about north-south? Okay, very good. Suricata 8 brings a new mode. So that firewall block can now be replaced with Suricata. So you can run Suricata in inline mode as a firewall. It can do both. It operates as a classic firewall, that is, accept nothing except what's permitted, which is exactly what you want. And then you can also
apply detection rules. So if your hardware is capable and you set things up right, you can, with an appliance, and one of our consortium members whom I can name is actively using it as their network firewall, and even though AWS had a little bit of tarnish last week, most of the time that doesn't happen, but they found success with it.
All right, so I'm going to go over some of the new features and then dive a little bit deeper on some of those. So I already talked about Rust. We've expanded the scope of Rust, the usage of Rust. We've converted some major components within Suricata that were C-based into Rust. That one was particularly interesting because it was a module that was doing all the HTTP protocol parsing. Those of you who know the protocol know it's not easy. It's very involved, but it's also critical that it be hardened and that it be efficient and that it be complete. So, that effort was led by a community member of ours
from our neighbors to the north, with some assistance from some folks on the OISF staff. Protocols: in the Suricata rule language, everything is protocol driven. So you have a rule and you say, "What does this rule apply to?" The first thing that you specify is what protocol does it apply to, and that's an application layer protocol like SIP, or it could be something low level like IP or ICMP. We added eight new application layer protocols this time around. I'll go over those later. One of the things that is important to know about Suricata is not only can it do detections really well, but it can also
be a logging, a network security monitor. So it can generate lots of metadata. So some of these new protocols only provide metadata for forensic purposes. Some of them also do logging and you can do detection on it. So detection means can I write a rule that uses that protocol to trigger an alert, and logging is just I'm parsing the protocol and I'm writing all this stuff out so you can see what's going on in your network. Lua is really important. I was talking with somebody earlier who asked me, is Lua there, or why aren't we using Lua more? Lua is a programming language that we make available to our rule
writers. So, not only can you use the keywords that we provide as part of the rule language, but you can also put a program in there. In the program, the Lua script, which is very Pythonic in some ways and its own thing in other ways, can determine whether or not an alert should trigger using whatever dynamic heuristics they want to do. So we make everything available within Suricata available to the Lua script so they can check the values of various things, but we also allow them to decide what triggers an alert versus what doesn't trigger an alert. So it can be dynamic if you want, or it can be more old-fashioned and just be based on a
simple set of heuristics. Lua is now vendored in; it's always there. In previous versions of Suricata it was an optional component. Suricata as a library is something that was officially supported with this release. Suricata as a library is important in some deployment scenarios where there's already a packet passing infrastructure, like maybe a big switch or something, where they already are handling packets and they just want to give it to Suricata and say, should I be concerned about this packet? That process is now officially supported in Suricata 8. We have several vendors who are using it. Some are household names that you already know, but I don't
know if I can say those here. We added something called transactional rules. If you have ever seen a Suricata rule database, you know there could be 70,000 rules, and we've given the rule writers a way to reduce the number of rules if they need to. So transactional rule means we can now express bidirectional logic. And what that means in simple terms: if I have a rule that should only fire if there was an HTTP request that looked like this and a response that looked like that, you can embody that in one rule. Suricata will combine them and then you can alert based on that. So you don't have to have two rules, one that
might set some state if this happens on a request and one that says if that state is set and it's a response and I do this; you can output it in one rule, which is a very natural way of expressing it. Detections upgrade. I'll talk about that in more detail, but we've added 107 new rule keywords that you can use to generate an alert.
More new features. I'm going to skip over some of these, but I will also talk about these later on. Data sets are a concept that Suricata uses to manage lists of things. So lists of bad IPs, lists of good IPs, lists of suspicious DNS domains, whatever, whatever is important to you can be expressed in what's called a data set. So it's just a big list. That list can be dynamic. So you can add to it and delete from it and Suricata will happily use it as part of the rule language, because most of the rules are something something. Is it in the data set? Is it absent from the data set? Or
maybe I found something that I want to add to a data set. Now we support contextual data sets, which are basically annotations for every thing. So you can imagine an IP address with some JSON context like what campaign did I notice this in? When did I first see it? What is my confidence that this is something bad? And all that information makes its way into the alert. So the incident responder has that immediately available and has greater context for what's going on. Talked about the firewall. It's a new mode, but like I said, it can be combined with Suricata's inline protection. When I talked about 200 gigabit machines, I saw a couple of you
shake your heads. Yeah, it's really hard to do that. And the reason it's hard is everything has to line up perfectly. You have to have the hardware that supports it. You have to lay out and use your CPU resources effectively, your memory there, because if you take 200 gigabits per second and do the math, you have almost no time to do any packet inspection. So everything has to work well. CPU affinity is a key part of that; it's lining up the worker threads within Suricata on CPU resources so that they're close to the memory where the packet is being delivered by the NIC. We've given you a way to make
that automatic. You can still do it by hand, but you can also do it automatically, and Suricata will inspect the hardware and then make a layout and then run with that and use that at runtime. Performance has improved everywhere. As we go along, performance is always first and foremost in our minds. Security is topmost, then functionality, but performance is right up there. Statistics and output, I'll talk about that in a little bit. Security: libhtp is the thing that was converted; that's the HTTP parsing library. That's pure Rust now. It's built in. It used to be a dependency and a repository that we control, but now
it's vendored into the main Suricata code, and so it's a much tighter fit. It's also hardened considerably, and like I said, that was driven by a community member from Canada. FTP, the application layer protocol, is being converted to Rust. It's a work in progress, but a lot of the foundational pieces were... ENIP. Does anybody know what ENIP is?
>> Yep. >> There you go. >> ENIP stands for Ethernet over IP. Go figure. But it's important in some ICS environments. And then our MIME parsing. I'm sure most of you know what that is. Again, parsing, Rust, they go together. We now do it there. Talked about the new protocols. Of this list I mentioned, there are protocols where we do detection and logging and there are those where we do logging only. The ones on here that are logging only are ARP and POP3. We tend, you know, to see some ARP traffic and it's usually not so important from a security perspective. That's why it's just logging only at this
point, but that doesn't mean we won't be doing detection on it later. And then POP3, I guess it's still used; a lot of things are still used that are old. But POP3 is logging only. The rest are both detection and logging. SDP, I had no idea what it was beforehand. SDP is the Session Description Protocol. It's used with SIP. I didn't know that there was a separate protocol for that. Okay, so back to Lua. We hope this is a game changer for our rule writers because it gives them a way to programmatically express whatever their intent is. And so there's a Suricata alert listed on another page, but Suricata
basically processes things from left to right. And if any place in that step says no, this is not something that we need to be concerned about, processing stops and it goes on to the next rule. We make that available and embody that in Lua by giving them a match function, and all they have to do is say yes or no. And if it matches then we keep processing the rule and see if it triggers an alert. If they say no, that means I'm not concerned about this; Suricata will say okay, it'll terminate that rule for evaluation and go on to the next rule. It's always there. So now rule writers
can depend on it. And like I said before, for security considerations we run it in a sandbox environment where we watch how much resource it uses, not only machine resource but also time.
So, Suricata as a library is something that's been requested by a lot of our community, and it's essentially that first line there. You know, bring your own packets and threads to Suricata, and somewhere in your workflow just say, Suricata, what do you think about this packet? And it will apply the rules. Suricata, as it inspects packets, will do TCP reassembly if it's TCP. So any stream-based protocol it will completely handle; it knows how to, you know, decode UDP tunnels, all that kind of stuff. So it will take that packet, do all of its stuff and then apply any rules to it that are relevant. So if you have an infrastructure like
some big Cisco switch, which is not the customer I was referring to before, they could embed this in, they could use Suricata and, you know, take advantage of everything that goes along with it. We have examples of how to do Suricata as a library on our GitHub. So if you download our repo, go to the examples directory. There's a lot of examples, not only for using Suricata as a library but doing Suricata with plugins, and plugins are a way to extend the functionality of Suricata. Application layer protocols are one of those things that can be extended, and that's also where we have this example of how to do it. So you can
dynamically extend Suricata with application protocol parsers. You can do it with loggers and output. So if you don't want Suricata alerts going to our native file format, which is a file on the local machine, and you want to send it to Redis or, who knows, Kafka, whatever, you can write a plugin to accept that input and then send it off. It can be threaded, so it could be thread aware and operate independently of anything else. Or you can have it not support threads and have it be single threaded. I recommend being threaded and supporting concurrent access. And you can also add new rule keywords if you wanted to do that.
So if you're in an environment where things are sensitive or you have a protocol that no one else understands but you do, you can write a protocol parser. You could add your own rule keywords for that and manage it completely on your own. Take Suricata, build your stuff, deploy it. Suricata will load and make use of those. This is an example of the transactional rule that I mentioned before. So this rule will look at an HTTP request. So file_data would be the data contained within a request. Say it's a POST; the file portion of that, Suricata will evaluate and then look, in this case, for content 123. A low value rule
here, content 123 is not very good, but there can be a lot more stuff that you would put in there. So that's the HTTP request part of it. http.stat_code is the response. So if I saw a request with this data and a response with that, then it will generate an alert. fast_pattern, I see it has a typo, is a way of telling Suricata to take the content that it sees in this rule and store it in our multi-pattern matcher library. That's a thing that lets Suricata run at scale and run fast. We use something called Hyperscan. We say here's a rule; at startup, give it all the rules and
then we say here's the data that I'm working with. Tell me the rules that apply to this data. And so that usually takes that 70,000 number that I mentioned and it turns it into a number more like, you know, three or seven or nine, some very small number. So you can think of Suricata as very advanced work avoidance software, but that's the way it runs at scale, by using this multi-pattern matcher, and fast_pattern is part of that. So in the past a lot of folks have complained, hey, I get all this rich logging data, it's great, logging data is used for forensics, NSM,
but I want to be able to write a rule that uses some of this. And this example shows ftp.reply in the rule. So we've always logged all the information we know about an FTP session, including replies, responses, you name it. And they're like, well, we want to write a rule on that. So this again is a very low value rule, but it demonstrates ftp.reply. This is one of these things that was requested by the folks over at ET/Proofpoint, who are some of the main rule writers for Suricata, and this says if you see FTP traffic with a reply that contains "please
specify the password", then generate an alert. Again, real low value, and if you've ever used FTP you know this is part of every normal FTP transaction, but the point is we took on the motto: if you can log it, you should be able to detect on it. We added 107 new keywords, you know, under that umbrella. We have more work to do, but we've made a healthy start in this release. We've also, this is just more of the same. These are things that were logged only. The TCP window scale, the PostgreSQL query, mDNS is multicast DNS. TLS ALPN, honestly I don't know what that is.
Well, I don't know what ALPN is, but, and then WebSockets. Entropy is a new keyword that was added. A year ago at SuriCon somebody talked about how they were doing this with Lua and we decided, hey, if it's important and you can do it in Lua then maybe it should be part of Suricata. So it was made into a rule keyword. It's implemented in Rust. If you know what entropy is and how it applies to network data, you'll know that high entropy data often, but not always, often corresponds to malicious content. So, you can write a rule that says, hey, if it's a portable executable and the payload has a high
entropy, then I want to know about it, because maybe it is something that I should be aware of.
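As an added illustration of what an entropy check on a payload is actually measuring (example code written for this page; it is not Suricata's implementation of the entropy keyword and not the speaker's code), the block below computes Shannon entropy over a byte buffer and applies the rule idea from the talk: flag a buffer that starts like a PE file (the `MZ` magic) whose body has high entropy. The 7.0 bits/byte threshold, the two sample payloads and the xorshift generator used to fabricate high-entropy bytes are assumptions made for the demo, not values from the talk or from Suricata.

```rust
// Added example: Shannon entropy of a payload, plus a "high-entropy PE" check
// modelled on the rule idea described in the talk. Not Suricata code.

/// Shannon entropy of `data` in bits per byte: 0.0 for empty or single-symbol
/// input, 8.0 when all 256 byte values are equally frequent.
pub fn shannon_entropy(data: &[u8]) -> f64 {
    if data.is_empty() {
        return 0.0;
    }
    let mut counts = [0u64; 256];
    for &b in data {
        counts[b as usize] += 1;
    }
    let n = data.len() as f64;
    counts
        .iter()
        .filter(|&&c| c > 0)
        .map(|&c| {
            let p = c as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// True when the payload starts with the DOS/PE "MZ" magic and the bytes after
/// the magic have entropy above `threshold` (assumed threshold, e.g. 7.0).
/// A buffer without the magic is never flagged, whatever its entropy.
pub fn high_entropy_pe(payload: &[u8], threshold: f64) -> bool {
    payload.len() > 2 && payload.starts_with(b"MZ") && shannon_entropy(&payload[2..]) > threshold
}

/// Constructed sample: a PE-looking blob whose body is all zero padding.
pub fn sample_low_entropy_pe() -> Vec<u8> {
    let mut v = b"MZ".to_vec();
    v.extend(std::iter::repeat(0u8).take(4096));
    v
}

/// Constructed sample: a PE-looking blob filled with deterministic
/// pseudo-random bytes (xorshift32), standing in for packed or encrypted content.
pub fn sample_high_entropy_pe() -> Vec<u8> {
    let mut v = b"MZ".to_vec();
    let mut state: u32 = 0x9E37_79B9; // assumed seed, any non-zero value works
    for _ in 0..4096 {
        state ^= state << 13;
        state ^= state >> 17;
        state ^= state << 5;
        v.push((state & 0xFF) as u8);
    }
    v
}

fn main() {
    let samples = vec![
        ("low-entropy PE", sample_low_entropy_pe()),
        ("high-entropy PE", sample_high_entropy_pe()),
    ];
    for (name, sample) in samples {
        println!(
            "{}: body entropy {:.3} bits/byte, flagged = {}",
            name,
            shannon_entropy(&sample[2..]),
            high_entropy_pe(&sample, 7.0)
        );
    }
}
```

The threshold is the part a practitioner has to tune: compressed archives, images and TLS records also sit near 8 bits/byte, which is why the talk says high entropy "often, but not always" means malicious content and why the check is scoped to a file type rather than applied to every payload.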
Contextual data sets. This is the type of context that you can get into your alert stream to make it more efficient for an incident responder who is getting volumes of alerts and has to go through them. This is some example, but like I said, you can include security campaigns. When did I first see this? Where did I first see this? What is my confidence that this is really there? And you can annotate your data set with that. You can dynamically adjust the contents of it. And then Suricata will include that in the alert when that alert triggers, so you can know that here is some research that's already, or here's some investigation that's
already been done. I put it in my data set for a reason. This is the reason why it was in the data set, and now I'm seeing it.
So I talked about firewall mode. I want to come back to it. You can tell we're a little bit proud of that. It was a significant effort. But it extends the ways that you can deploy Suricata. Without firewall mode, if you take that line out, Suricata can be deployed in passive mode, where it receives a copy of everything that's traversing the network for visibility and inspection and it gives you alerts. You can put it in inline mode so it's a bump in the wire. Suricata will take stuff from one side, do its inspection, drop or allow packets to proceed to the other side, and so forth, and do that
bidirectionally. You can also add to those modes NSM, which is network security monitoring. You can just have Suricata generate rich metadata for you and it does a really good job at that. But you can combine it with prevention, inline or active. A lot of folks didn't know this, so I'm mentioning it. Suricata can also be a full pcap capture device. If you do that, you know, pay attention to everything, including how you're storing this stuff, because it should be really quick. Suricata depends on low latency operation throughout. Eric Leblond, who I mentioned before, Stamus Networks, you know, number one on all those lists. Eric contributed something called conditional pcap capture which I think a lot of folks can
make use of, and it says if there is an alert, generate a pcap. So for things that I told you that I'm really concerned with, when an alert happens I also want the network data associated with that alert, and Suricata will take all the alert data that it has, include it in the pcap file so you can do forensics. So you're going from full pcap capture down to something like, hey, an alert happened and here's the packets at your disposal, and you can incorporate those into your workflows.
>> Uh, so... >> Yeah, so it's done based on the stream. So if an alert happens and it's a TCP connection, or even a UDP connection, whether it's HTTP or whatnot, whatever we have at that point we will dump. Note that Suricata keeps a sliding window. It doesn't keep everything; it keeps a sliding window, but that's enough to give you the rich context that actually triggered the alert. You have all the IP information. You have how many bytes traveled this way and that way, how many packets traveled in each direction. And by the way, here's the thing that triggered the alert. So you get some context. And depending, you can
adjust the size of that window. There's ways that you can do that. So you can make it as big as you want or use the default. If it's the default and it's a reasonable size connection, you'll get it. If it's a long lived SMB connection, these things can live for days or weeks, you're going to get the sliding window. So you will get something.
>> Okay. Well, I'm glad it can be helpful. We could talk more about, you know, some of the details of that, but yeah, that's one of the reasons why it was there, to give you greater context so that you can apply some focus to what you're doing. >> Well, autopinning, I've talked a little bit before about why it's really important. There's two ways you can do autopinning. One is you can say, hey, here's a network interface, and Suricata will interrogate the system, find out what NUMA node it's on if it's a multi-CPU-socket node, and then it will give preference to that NUMA node to try and keep the workers closer to it. A
NUMA node is a way of organizing a system so that the memory is closer to one NUMA node than it is to the other NUMA node. So there's less latency when accessing the memory associated with the packets that arrive from that. So we can do it at the interface level, the NIC, or we can just apply it on the system, depending on what it is. I found even with the fastest traffic rates, latency accessing the packet is less demanding than the NIC being able to transfer the data to the same NUMA node to which it's attached. Suricata can normally tolerate it. The NIC can't. It will start dribbling packets out. So for
that, we also have this: just tell it where it is. It will look at everything and make what are usually pretty solid resource decisions on how the workers are laid down. Performance: the only thing I'm going to talk about in this list, performance is better everywhere, but the rule loading and initialization are really important, because if there were Suricata running in your environment and then something happens and it's terminated, either abnormally or for administrative reasons or just through some software errors, depending on how you're managing your workloads, Suricata restarts, and that latency between the time that it's down to the time that it's up, you're exposed for that. In Suricata 7
and earlier, it's about a minute and a half if you have 70,000 rules. In Suricata 8, it can now be a few seconds. Literally a few seconds. And the first time I saw this firsthand, I'm like, "Oh, something's wrong. I set it up wrong." So, I did it again and I'm like, "Oh, yeah. Yeah, we have this now." So Suricata will cache information that it builds while processing the rules. So that minute and a half also includes caching time. The next time it starts it will use those caches to its advantage to reduce the startup time. And so in importance, where you know visibility is important, you have to have it constant. That's important.
output statistics we have better statistics. Uh so better telemetry throughout. uh it's more focused. It's meant to uh to help the person understand what's going on operationally and uh output is what I uh talked about the metadata and stuff. So I'm running a little bit running out of time and I have some more things to go. So I'm gonna um stop with this page and then have some time for questions. Sorcotta.io again that's that should be your landing spot. That will get you everywhere you need to get in the SRATA world. So we have a active forum uh based on discourse where uh team members uh like myself and others and other community members will respond to
questions. It's always helpful to give as much information as you can when posting a question so we don't have to do a little bit back and forth. We have some guidelines so if you do a new post it will say please include these things. Um we have a vibrant community and sometimes the community will give the response before that we do but we do look at that regularly. We also use Discord. Um I personally don't use it as much as other folks use it. Uh Discord is more of an interactive chatbased and it becomes a little bit harder to manage, but we do regularly monitor that. Um the third link there, I included that because that's something
that a member of our community put up by themselves. We didn't ask them to. They called it the awesome Surracotta list. Um that is from Sasha. uh he's a he's a German citizen. He decided, hey, I use it. I contribute to it. I really wanted to put this list together. So, that's a great list to to look at. Um and then, uh so there's our forum. Uh those are a couple yeah, a couple of links for Sorcat 8 being released. Uh talked about the community. One thing I haven't mentioned is every year we do a circa users conference. It's called Suriricon. Uh this year it is in Montreal and I will be asking a question
once I think of what it is uh for passing out a code so you can attend it virtually. Um it'll be happening on November 19th, 20th and 21st. Um it's uh every day is long, a lot of presentations not only from OISF staff but also from members of the community talking about different ways that you use Serracotta uh different things that they've done and so forth. So, like I said, we'll be giving out one uh code for that and we'll hook you up and make sure that you get that before before it gets close. Um, I'll leave this up while I ask if there's any uh questions. >> Yeah, >> Kelly Mada is the president of the OISF.
YouTube channel.
>> Question. Curious what would you suggest as the smallest
points for like, you know, classroom? >> Yeah. So most of you guys know what a Raspberry Pi is. Pi 4, Pi 5 can be great at that. Suricata will run on ARM platforms and, you know, if you can get the network hooked up and figure out the storage, you know, that could be just fine. I had one in my house, and it was running both Zeek and Suricata to get some visibility into what was going on on my home network. So, small number of connections, you know, never more than a couple of gigabits per second. Well, never more than a gigabit per second. And it did just fine. The reason I'm not running it is the
maintenance for the logs, because I didn't have that set up and so it kept filling up and stopping. But a Raspberry Pi can be useful, or any low-end, you know, some sort of NUC can be possible just using the onboard, you know, network or maybe some wireless thing that you have. The key is how do you get it the traffic in a small environment, through a tap or a SPAN, is something that you would have to, you know, figure out how to do, and there are low-cost options for doing that. You know, you can do it with a single CPU socket, you know, maybe eight
or 16 cores, you know, a healthy amount of RAM and a fast, you know, an SSD at least. >> There you go. Any other questions?
>> Oh, yeah. Okay. Sorry. Suricata does it. So it's all custom. Yeah. We have a lot of information online. And then you can use our forums to ask some, you know, specific questions. So what? >> Yes. Thanks. >> All right. So does anybody remember when Suricata started? I mentioned a couple of years. 2010. That's really good. Here you go. She looked quite capable of catching it. All right. Suricata's technical lead. I mentioned the name once.
>> DNP3. Yes. Modbus. Yes. And frankly, the support for things like that usually comes from outside the community when there's a specific need. So we do have Modbus and DNP3 and ENIP. There are not a lot of rules that detect on those. So those would be rules that you have to develop in-house, most likely.
Okay. Yes, I will be. >> Oh, yes. Okay. Awesome.
Okay. Yeah, we can definitely talk. >> All right. Suricata technical lead. Anybody? >> Oh, close. Close. Yeah. >> Yeah. Eric is great. Right here with that, with a hat. All right. Yeah. All right. Who said that? Oh, you said Victor Julien. Okay. All right. Gosh, questions for the ticket. >> Who wants >> Yeah. Yeah. Who wants to and will attend and use a virtual pass for SuriCon? Three days. There you go. >> November 19th, 20th and 21st. Yeah. Okay, she'll hook you up. >> All right. All right. Okay. >> And who learned something about Suricata today? >> Yeah. Oh, wow. Okay. All right. So, pick a number between one
and 10. >> Seven. >> Did you say seven? >> Yep. That's the number I was thinking of. Here you go. >> Can you pass that over to her? All right. All right. I didn't want to throw it. >> All right. I'm going to leave some stickers up here, but go ahead. You got a question? >> I won't.
>> Yeah, absolutely. So, not only can you use... I mentioned ET, which is Emerging Threats. They were involved very early in Suricata's days and actually brought Kelley into the OISF role. Now they're owned by Proofpoint. So they are the main supplier of paid and free. They have a free rule set called ET Open. They have a paid one called ET Pro. I don't know what the cost involved is. They have a web page and you can look it up. A lot of folks just use ET Open. Suricata recognizes that you may have rules from multiple sources. You may use ET and then you may have your own
curated rules or your own self-developed rules. And so within the Suricata configuration, you can tell it what those files are. So you can say, "Hey, here's the rule file and, by the way, also load my proprietary rules," and so forth. And it will handle all of that.
>> Yeah, OPNsense and pfSense are very important partners for us. We've worked closely with them for a long time now. OPNsense in particular is a huge supporter of Suricata. >> Are they a consortium member? >> Yeah. Yeah. >> OPNsense. >> OPNsense and also pfSense. OPNsense is more directly involved. I'm going to leave some stickers up here and the journal books because I am out of time. But thank you all for attending. I appreciate it.