#openobserve — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #openobserve, aggregated by home.social.
-
Investigation scenario:
We just received three notifications with alerts from #Suricata #IDS:
1) GPL SMTP vrfy root, from an unknown IP to our mailserver
Shortly after that, two more alerts appeared:
2) ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response, from the same unknown IP to a Windows computer in our network
3) ET MALWARE Possible Metasploit Payload Common Construct Bind_API, again from the same unknown IP to the same Windows computer
What happened? What to do? How to analyze network traffic and investigate those alerts?
We do not have any EDR or XDR installed on that Windows computer. Right now, we have only Suricata eve.json logs ingested to the #OpenObserve #SIEM.
If you would like to see more, you are welcome to attend my @suricata webinar on March 11.
Register here: https://us02web.zoom.us/webinar/register/WN_I6BNbCU2SNG2fAOEiotPiQ
-
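An added example of the triage the scenario above asks for; it is not code from the post, the webinar or the IDS Lab project. It reads raw Suricata eve.json (the same records that get shipped to OpenObserve), picks the source IP with the most alerts, builds a timeline of every record involving that IP in either direction, and lists the flow IDs worth pulling pcaps for plus any later flows with the same IP that fired no signature at all. The eve.json lines are constructed: the three signature names are the ones from the post, but the IPs (203.0.113.7 is an RFC 5737 documentation address), timestamps, ports, categories and the extra smtp/http/flow records are assumptions made for illustration.

```python
"""Correlate Suricata eve.json records by the suspect IP to triage a multi-stage alert chain."""
import json
from datetime import datetime

# Constructed eve.json sample (NOT a real capture). Field layout follows Suricata's EVE format:
# one JSON object per line, alerts carry an "alert" object, other event types carry their own.
# The last line is deliberately malformed to show the parser tolerating a truncated tail.
SAMPLE_EVE = r"""
{"timestamp":"2025-03-01T10:00:01.000000+0000","flow_id":1,"event_type":"alert","src_ip":"203.0.113.7","src_port":51000,"dest_ip":"192.168.10.25","dest_port":25,"proto":"TCP","alert":{"action":"allowed","signature":"GPL SMTP vrfy root","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2025-03-01T10:00:01.100000+0000","flow_id":1,"event_type":"smtp","src_ip":"203.0.113.7","src_port":51000,"dest_ip":"192.168.10.25","dest_port":25,"proto":"TCP","smtp":{"helo":"x"}}
{"timestamp":"2025-03-01T10:03:10.000000+0000","flow_id":2,"event_type":"http","src_ip":"192.168.10.40","src_port":49822,"dest_ip":"203.0.113.7","dest_port":8080,"proto":"TCP","http":{"hostname":"203.0.113.7","url":"/update.exe","http_method":"GET","status":200}}
{"timestamp":"2025-03-01T10:03:10.200000+0000","flow_id":2,"event_type":"alert","src_ip":"203.0.113.7","src_port":8080,"dest_ip":"192.168.10.40","dest_port":49822,"proto":"TCP","alert":{"action":"allowed","signature":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-03-01T10:03:12.000000+0000","flow_id":2,"event_type":"alert","src_ip":"203.0.113.7","src_port":8080,"dest_ip":"192.168.10.40","dest_port":49822,"proto":"TCP","alert":{"action":"allowed","signature":"ET MALWARE Possible Metasploit Payload Common Construct Bind_API","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2025-03-01T10:03:40.000000+0000","flow_id":3,"event_type":"flow","src_ip":"192.168.10.40","src_port":49901,"dest_ip":"203.0.113.7","dest_port":4444,"proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":10,"bytes_toserver":1800,"bytes_toclient":900}}
{"timestamp":"2025-03-01T10:03:41.0
"""


def parse_eve(text):
    """Parse eve.json (one JSON object per line), oldest record first.
    Malformed lines are skipped rather than fatal: a half-written tail line is normal
    when Suricata is still appending to the file you are reading."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["_ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        except (ValueError, KeyError, TypeError):
            continue
        events.append(ev)
    events.sort(key=lambda e: e["_ts"])
    return events


def pick_suspect(events):
    """Source IP with the most alerts; ties go to the most severe one (Suricata: 1 = highest)."""
    score = {}
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        n, best = score.get(ev["src_ip"], (0, 99))
        score[ev["src_ip"]] = (n + 1, min(best, ev["alert"].get("severity", 99)))
    if not score:
        return None
    return max(score, key=lambda ip: (score[ip][0], -score[ip][1]))


def _involves(ev, ip):
    return ip in (ev.get("src_ip"), ev.get("dest_ip"))


def timeline_for(events, ip):
    """Every record touching `ip` in either direction, oldest first.
    Both directions matter: the HTTP request is logged client->server, while the
    'MZ Response' alert on the very same flow is logged server->client."""
    rows = []
    for ev in events:
        if not _involves(ev, ip):
            continue
        peer = ev["dest_ip"] if ev["src_ip"] == ip else ev["src_ip"]
        et = ev.get("event_type", "?")
        if et == "alert":
            detail = ev["alert"].get("signature", "?")
        elif et == "http":
            h = ev.get("http", {})
            detail = f"{h.get('http_method', '?')} {h.get('hostname', '?')}{h.get('url', '')} -> {h.get('status', '?')}"
        elif et == "flow":
            f = ev.get("flow", {})
            detail = f"{f.get('bytes_toserver', 0)}B to server / {f.get('bytes_toclient', 0)}B to client"
        else:
            detail = ""
        rows.append((ev["timestamp"], et, peer, ev.get("dest_port"), ev.get("flow_id"), detail))
    return rows


def triage(events, ip):
    """Summarise the suspect: internal hosts it touched, the alert chain in order, flow IDs to
    pull pcaps for, and flows with the suspect after the last alert that fired no signature
    (the IDS blind spot an analyst without EDR has to cover by hand)."""
    alerts = [ev for ev in events if ev.get("event_type") == "alert" and _involves(ev, ip)]
    alerted_flows = {ev["flow_id"] for ev in alerts}
    last_alert_ts = max((ev["_ts"] for ev in alerts), default=None)
    quiet = sorted({ev["flow_id"] for ev in events
                    if ev.get("event_type") == "flow" and _involves(ev, ip)
                    and ev["flow_id"] not in alerted_flows
                    and last_alert_ts is not None and ev["_ts"] > last_alert_ts})
    return {
        "hosts_touched": sorted({ev["dest_ip"] if ev["src_ip"] == ip else ev["src_ip"] for ev in alerts}),
        "signatures": [ev["alert"]["signature"] for ev in alerts],
        "max_severity": min((ev["alert"].get("severity", 99) for ev in alerts), default=None),
        "pcap_flow_ids": sorted(alerted_flows),
        "unalerted_flows": quiet,
    }


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    suspect = pick_suspect(evs)
    for row in timeline_for(evs, suspect):
        print(*row)
    print(json.dumps(triage(evs, suspect), indent=2))
```

Run against a real eve.json by replacing SAMPLE_EVE with the file contents (or read it line by line and feed the lines to parse_eve in chunks). The same pivot can be done as a query over the stream in OpenObserve once Fluent Bit has ingested the file, but the field names there depend on how the nested JSON was flattened on ingestion, so check the stream's schema first; the point of the script is to show which fields to pivot on and why the non-alert records (smtp, http, flow) are the ones that tell you what actually happened between and after the three signatures.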
During the #SharkBytes session at the #SharkFest conference I had an opportunity to present a lightning talk about my pet project called IDS Lab.
It is a lab infrastructure deployable as Docker containers, which simulates a small company network. The IDS Lab consists of a web server with #Wordpress, a #MySQL database, a #Linux desktop with RDP, and a #WireGuard VPN for "remote" workers and for connecting other virtual or physical machines into the lab network.
This part of the infrastructure can be used for attack simulations. There are additional components for playing with logs and detections, too: #Fluentbit, #Suricata and #OpenObserve as a lightweight SIEM.
In the #SIEM we already have preconfigured dashboards for alerts, netflows, web logs and logs from Windows machines, if present.
Using the provided setup script, the whole lab can be up and running in up to 5 minutes. For more info, please check my GitHub repository with the IDS Lab: