Collaborate Disseminate
In our Suricata (version 6.0.4) logs we find many alerts messages like [1:2210045:2] SURICATA STREAM Packet with invalid ack [Classification: Generic Protocol Command Decode].
These come from the following rule:
alert tcp any any -> any… Continue reading How can I find out what rule option "stream-event:pkt_invalid_ack" means in Suricata? [closed]
I can’t figure it out / understand. Need to write a rule that catches an HTTP POST request from one ip address more than three times in 10 seconds and logs it.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP post packet fl… Continue reading suricata http rule to identify POST requests
Trying to create a whitelist rule that would not log any DNS entry with a .gov TLD. I tried the syntax below but does not work.
pass dns any any <> any any (msg: ".gov domain"; dns_query; content:".gov"; nocase; s… Continue reading Suricata rule that would not log any DNS entry with a .gov TLD [closed]
We want to improve cyber security and I consider installing Suricata on our firewall (pfSense). Malware and Ransomware (as for anyone, I guess) concerns me much and one way to deny Ransomeware its need is to block IPs for c2 Server or othe… Continue reading IP Blocklists for Firewall (pfSense)
By Sarah Banks, Senior Director of Product Management, Corelight As we finished rolling out Corelight’s v21 software release, which saw the delivery of the world’s first 100G, 1U Zeek sensor, I was reminded of when I’d first read the “100G Intrusion De… Continue reading World’s first 100G Zeek sensor
By Keith Jones, Anthony Kasza and Ben Reardon, Security Researchers, Corelight Introduction Recently, Trustwave reported on a new malware family which they discovered during a breach investigation. The backdoor, dubbed Pingback, executes on Windows sys… Continue reading Pingback: ICMP Tunneling Malware
We have a need to check the arrival time of two relative packets, like packet1 and packet2, if packet2 arrives too late after packet1, we want an alert for it.
Is it possible to write a rule for this? I go through the suricata’s doc and fe… Continue reading Can I write a suricata rule based on the timestamp the packet arrives on the host?
By Lana Knop, Chief Product Officer, Corelight Through our newly announced partnership with CrowdStrike, Corelight customers will be able to incorporate CrowdStrike’s best-in-class threat intelligence into Corelight Sensors to generate actionable alert… Continue reading CrowdStrike + Corelight partner to reach new heights
By Vijit Nair, Sr. Director, Product Management, Corelight Comprehensive visibility is challenging in a cloud environment. While these environments are rich sources of telemetry and logs, it is challenging for security teams to ensure that logging is c… Continue reading Extending NDR visibility in AWS IaaS
By Gary Fisk, Sales Engineer, Corelight I love origin stories – the tales of grand plans, unforeseen circumstances, and necessity that creates something new. These strange times have resulted in something new from Corelight, and I’d like to share how i… Continue reading Who’s your fridge talking to at night?