De-Coder’s Ring

Software doesn’t have to be hard

Category: suricata (page 1 of 2)

Threat Hunting with Open Source Software

I’ve begun working on a new project, with a spiffy/catchy/snazzy name:
Threat Hunting: With Open Source Software, Suricata and Bro

I’ve planned out multiple chapters, from raw PCAP analysis, through session reassembly, to full-on network monitoring and hunting with Suricata and Elasticsearch.

This project will take a long time. While I work through it, I’ll be posting here regularly. I very much welcome feedback.

Here’s a little introduction video; more will come as I add them.

The next video will be looking at how data is transmitted over a network… anyone ready for a super brief OSI Network model overview?

Foray into video

Recently, I worked with Packt Publishing to release a video on Neo4j. This gave me a little confidence and some ideas for how to build my own video series. I have a plan in place to start building some items around technologies that I’m a huge fan of. Some will be Perch related, some will not be, so get prepared for a wide mix!

Here’s one that I put together to introduce a new feature at Perch!

Spilling the beans…

Today, I’m at ILTA’s LegalSec Summit 2017, giving a talk later about threat automation.


I’m excited about sharing some information about threat intelligence, automation and its application on a network sensor. That’s all good stuff.

What I’m really happy about is that I can be totally open with the technology. My goal is to educate folks on how they can do what my company does on a daily basis. As an open source advocate, and a giant fan of a lot of the technology that I use every day (duh!), it’s good to show others how to do it. We don’t provide anything that qualifies as super cool intellectual property… we have some, but anyone can build the basics to run in their shop. The challenge comes with the human capital needed to build and run this stuff. That’s a big part of the challenge.

Slow Down: Wrong Cables

I made a boneheaded move this week. I went onsite to a new customer, who we love, to install a new network sensor. It’s been a crazy hectic few weeks with the growth we’re having at Perch Security, but that’s not really a valid excuse. I’m owning up to my mistake, and reflecting on it. Thankfully, our customers are super cool and they get it.

Normally, I label our sensors for easy installation.

Dang, look at that sticker

That way, our customers know which port to plug into their management network, and which port is going to be watching their mirror/span/tap. The installation went well. The sensor was talking to my cloud. The problem was, the sensor was only seeing broadcast data. No typical network traffic (HTTP, SMTP, etc.; see: post). Obviously it was a mirror configuration problem. After all, if the sensor has an IP address and can talk out, the management port CAN’T be plugged into the mirror port. It’s not my problem, it’s the switch! (Uh oh, bad assumption right there, it turns out.) I would have known that if I had the right ports plugged into the right ports on the switch. Ugh.
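The symptom above (a monitor interface that sees nothing but broadcast and multicast) is cheap to check before blaming the switch. The following is an added example, not code from the post or from Perch: it classifies Ethernet frames by destination MAC, counts IPv4 TCP/UDP, and flags a capture that contains no unicast at all. It reads classic libpcap files (not pcapng) and also builds two constructed captures, one matching the miswired sensor and one a healthy mirror; the MAC addresses, IPs and the `min_frames` threshold are assumptions for the example.

```python
"""Sanity-check what a sensor's monitor interface is actually seeing.

Added example (not from the De-Coder's Ring post). If a SPAN/mirror is wired
to the wrong port, the monitor interface sees only what the switch floods to
every port: ARP, mDNS, STP and friends. Unicast traffic is the tell.
"""
import struct
from typing import Dict, List, Optional

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
IPPROTO_UDP = 17
PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # classic libpcap, nanosecond timestamps


def classify_frame(frame: bytes) -> str:
    """Classify by destination MAC: 'broadcast', 'multicast' or 'unicast'."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[:6]
    if dst == BROADCAST_MAC:
        return "broadcast"
    if dst[0] & 0x01:        # I/G bit set: group (multicast) address
        return "multicast"
    return "unicast"


def ip_protocol(frame: bytes) -> Optional[int]:
    """IPv4 protocol number carried by the frame, or None if not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    return frame[14 + 9]     # protocol field is byte 9 of the IPv4 header


def summarize(frames: List[bytes]) -> Dict[str, int]:
    """Count frames by destination class and by IPv4 transport protocol."""
    counts = {"broadcast": 0, "multicast": 0, "unicast": 0, "ipv4_tcp": 0, "ipv4_udp": 0}
    for f in frames:
        counts[classify_frame(f)] += 1
        proto = ip_protocol(f)
        if proto == IPPROTO_TCP:
            counts["ipv4_tcp"] += 1
        elif proto == IPPROTO_UDP:
            counts["ipv4_udp"] += 1
    counts["total"] = len(frames)
    return counts


def mirror_looks_wrong(frames: List[bytes], min_frames: int = 20) -> Optional[bool]:
    """True when the capture holds no unicast at all; None if too few frames to judge.

    min_frames is an assumed threshold for this example, not a tuned value.
    """
    counts = summarize(frames)
    if counts["total"] < min_frames:
        return None
    return counts["unicast"] == 0


def parse_pcap(data: bytes) -> List[bytes]:
    """Extract frames from a classic (non-pcapng) libpcap file image."""
    if len(data) < 24:
        raise ValueError("not a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC, PCAP_MAGIC_NS):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):   # same magics read byte-swapped
        endian = ">"
    else:
        raise ValueError("unknown pcap magic 0x%08x (pcapng is not handled here)" % magic)
    frames, off = [], 24
    while off + 16 <= len(data):             # 16-byte record header precedes each frame
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def read_pcap(path: str) -> List[bytes]:
    with open(path, "rb") as fh:
        return parse_pcap(fh.read())


def frames_to_pcap(frames: List[bytes], endian: str = "<") -> bytes:
    """Serialise frames as a classic libpcap file (linktype 1 = Ethernet)."""
    out = [struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for f in frames:
        out.append(struct.pack(endian + "IIII", 0, 0, len(f), len(f)) + f)
    return b"".join(out)


# --- constructed sample frames (MACs and IPs are made up for the example) ---
def _eth(dst: bytes, src: bytes, etype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", etype) + payload


def _ipv4(proto: int, src_ip, dst_ip, l4: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes(src_ip), bytes(dst_ip))
    return hdr + l4


HOST_A = bytes.fromhex("001122334455")
HOST_B = bytes.fromhex("66778899aabb")
ARP_BROADCAST = _eth(BROADCAST_MAC, HOST_A, ETHERTYPE_ARP, b"\x00" * 28)
MDNS_MULTICAST = _eth(bytes.fromhex("01005e0000fb"), HOST_A, ETHERTYPE_IPV4,
                      _ipv4(IPPROTO_UDP, (10, 0, 0, 5), (224, 0, 0, 251),
                            struct.pack("!HHHH", 5353, 5353, 8, 0)))
HTTP_SYN = _eth(HOST_B, HOST_A, ETHERTYPE_IPV4,
                _ipv4(IPPROTO_TCP, (10, 0, 0, 5), (93, 184, 216, 34),
                      struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)))

# Constructed captures: what a miswired sensor sees vs. a healthy mirror.
MISWIRED_CAPTURE = [ARP_BROADCAST] * 15 + [MDNS_MULTICAST] * 10
HEALTHY_CAPTURE = [ARP_BROADCAST] * 3 + [MDNS_MULTICAST] * 2 + [HTTP_SYN] * 30

if __name__ == "__main__":
    for name, cap in (("miswired", MISWIRED_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        print(name, summarize(cap), "mirror_looks_wrong =", mirror_looks_wrong(cap))
```

Run it against a short capture taken on the monitor interface (`read_pcap("monitor.pcap")`) before touching the switch. A verdict of `True` means the port is receiving only flooded traffic, which is just as consistent with swapped cables as with a bad mirror session, so pair it with the inverse check from the story: if the interface you believe is the monitor has an address and can reach the cloud, the cables are the problem, not the switch.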

Of course, this time we had a lot of new things

  • New hardware build, so I was unfamiliar with the layout of the back
  • No sticker (because it fell off in transit, argh!)
  • No indicator on the back of the sensor of which port is which

All of these things were in place because I was rushing around like a dying chicken. That’s a thing, right?

Now it’s time to reflect. How do I set us up for success going forward? I have instructions. I have labels. I have the know-how to do it all.

I just need to slow down.  Slow down.  Slow down.

(Thank you for reading my self-reflection for the week. If you don’t hire me some day because of this post, that’s OK. I ain’t perfect.)


© 2017 De-Coder’s Ring
