De-Coder’s Ring

Consumable Security and Technology

Author: Chris Fauerbach (page 1 of 23)

Threat Hunting: Wireshark

Here’s the delayed 4th video!    Wireshark

I do a quick overview of loading a PCAP file within Wireshark, to do some analysis of packets and TCP reassembly.

Sign up for my mailing list above to get information on new podcasts and videos.

This is the last step in the education before jumping into Suricata next time!

Network Monitoring on the Cheap

I’ve regularly blogged about Suricata, Logstash and Elasticsearch.  Shoot, I’ve built multiple successful commercial tools using that technical stack.  The thing that made us successful wasn’t the tech, but it was how we used the tech to solve a problem that our customers had at that moment in time.

Now it’s time for me to share the secret on how to do it.

Ok, not a secret at all.  If you google, you can figure it out.

With this podcast, I want to introduce the topic to put some context around why those tools are the right tools.

I want to evangelize the idea of EVERYONE monitoring your home or work network with basic rules from places like Emerging Threats.  It’s free, and it’s invaluable to finding/stopping malware/viruses on your network.  Do it now!

Suricata

https://www.elastic.co/

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output

https://rules.emergingthreats.net/open/suricata-1.3/

Subscribe here : https://fauie.com/feed/podcast

Backup Plan

How often do you have a backup plan for when something goes wrong?

The group I’m working with went downtown Richmond today and had a blast on the Segway Tour.  Segways are like motorized mountain bikes/scooters and therefore, are a ton of fun.

When getting ‘trained’ for Segway operation, the guide taught us about what to do if the Segway just acted stupidly, beeped incessantly, vibrated without stopping, fell over, etc.  It made me start to wonder about logistics.

It was the second time that day the thought of drastically changing plans came to mind….  ok, maybe the 3rd now that I think about it more.

I try not to make a habit of thinking about the ‘what if’ or the potential negatives of a situation, but, it is always good to have a backup plan if something goes wrong.

 

 

Suricata – Detecting the (false positive) things

Suricata is a fantastic IDS, and can be used as an IPS

Intrusion Detection System

Intrusion Prevention System

The challenge with making it an IPS, comes with the false positives.  I’ve spent countless hours troubleshooting IDS rules that come from external intelligence.   This is not a knock on Suricata, this is not a knock on shared threat intelligence, they’re both critical components of a mature cybersecurity system.

A few critical points of validating your threat intelligence before throwing it into an IPS:

  1. Make sure it’s not google.com
  2. No private IP addresses
    1. 10.0.0.0/8 IP addresses: 10.0.0.0 — 10.255.255.255
    2. 172.16.0.0/12 IP addresses: 172.16.0.0 — 172.31.255.255
    3. 192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255
  3. Watch out for IP addresses in general (WHAT?!), especially when they’re owned in a share host (Google, Azure, AWS).. those IPs get recycled SO frequently
  4. Watch out for CDNs.  Specific URLs are fine, but domains that are CDN (cdn.whatevr.com, etc), or anything related to cloud front, that isn’t a specific url, isn’t good.
  5. Prefer host names over IPs, but, make sure URLs are better.

It takes work, it’s hard, but it’ll be worth it.

Tuning is essential.  Tune your rules.

 

Older posts

© 2017 De-Coder’s Ring

Theme by Anders NorenUp ↑