Discover and read the best of Twitter Threads about #Suricata

Most recents (6)

1/8 A few months back, we stopped a #ransomware attack by the group #BlackBasta. We spent a lot of time studying their backend servers, malware and more.

If you're interested in #ransomware, then you'll want to read this story...
2/8 It ends up that the #BlackBasta gang uses victims networks to log back into their own network! The leads to some interesting monitor opportunities.

This allowed us to monitor _them_.

On the victims servers, we deploy "clip board" monitoring.
3/8 This means we could see everything the attacker "cuts and pastes" within the victims environment. This includes passwords, commands, Russian comments, etc.

We are publishing it all.
Read 8 tweets
Happy Friday! Powered by #FreeSigFriday today, we've had 120 (!) new #suricata #IDS rules which were added to our ET Open (rules.emergingthreatspro.com/open) ruleset this week. Lets take a look at what was shared with us this week to make this happen...
Sigs to enumerate and detection payload requests from the Pyramid framework (SIDs 204307-204315) github.com/naksyn/Pyramid
Vector Stealer Data Exfil via Telegram, SID 2043289 via @suyog42...
Read 8 tweets
#SecurityOnion 2.3.180 now available!

Featuring:
#Elastic 8.4.3
#Suricata 6.0.8
#Zeek 5.0.2
✅New and improved #sysmon dashboards!

Thanks to @markrussinovich and team for #sysmon!

Need a #sysmon config? Check out @SwiftOnSecurity's!

Blog post:
blog.securityonion.net/2022/10/securi… ImageImageImageImage
@markrussinovich @SwiftOnSecurity Our updated #Sysmon Overview dashboard gives you a nice overview of all of the different types of #Sysmon data you are collecting: Image
@markrussinovich @SwiftOnSecurity Our new #Sysmon Registry dashboard allows you to drill into registry events like registry_value_set and registry_create_delete: Image
Read 8 tweets
If you're looking for network indicators of #log4j exploitation - this thread is for you. Every detection in this thread is freely available for use RIGHT NOW.
#snort #suricata #CVE202144228
We have tons of inbound rules that'll hit on scanners and we've tried to cover ITW obfuscation methods, but let's be real, there are more ways to obfuscate these attacks than we can cover.
For outbound traffic (generated by a successful "landing" of the attack strings) there are some good rules now.
1) 2014474 and 2014475
These existing sigs alert on java (as determined by the UA) downloading a class file. Today we tweaked flowbits (2013035) for better coverage.
Read 7 tweets
(1/of a few) Doing some training #threathunting runs with #suricata -with pcap from bit.ly/3jNUCyw
Fun fact: Alerts count only for 8% of the total logs produced - we also have protocol logs like Flow records, KRB5, SMB, DNS, TLS, HTTP, DCERPC,Fileinfo Image
(2/of a few)
Just as regular protocol and flow logging of #Suricata gives us:

633 FLOW logs
295 HTTP logs
182 TLS logs
130 DNS logs
114 SMB logs
90 DCERPC logs
66 FILEINFO logs
23 KRB5 logs
2 NTP logs

Let's see some examples of the generated data...
(3/of a few)
Quick and dirty cmd look at the DNS logs generated by #Suricata gives us the domain list for our #threathunting review
Couple of those jump out (at lest to me) Image
Read 17 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!