Collaborate Disseminate
I have written the following rule in my Suricata rules file:
alert tcp any any <> any any (flow:established; content:"|65|"; offset:0; depth:1; byte_test:1, =, 3, 2, bitmask 0x03; msg:"detected"; classtype:bad-unk… Continue reading Help in Suricata rule bitmask syntax problem
If you apply Pereto’s Principal (the 80/20 rule) to network security, about 80% of incidents are caused by known threats that are easily…
The post Suricata or Zeek? The answer is both. appeared first on Security Boulevard.
Continue reading Suricata or Zeek? The answer is both.
So there are a lot of details to this but let’s just say that I’m convinced I’m being actively monitored by advanced hackers. It started when I was posting about time travelers on internet security forums. I was hacked many times and have … Continue reading Network Worm Sending HTTPS Passwords in POST Requests
By Ben Reardon, Corelight Security Researcher Having a CVE 10 unauthenticated Remote Code Execution vulnerability on a central load balancing device? That’s bad… Not being able to detect when a threat actor attempts and/or succeeds in compr… Continue reading Zeek in it’s sweet spot: Detecting F5’s Big-IP CVE10 (CVE-2020-5902)
I found too many event on suricata after recent update regarding this rule:
alert ip any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free"; ip_proto:4; metadata: former_category EXPLOIT; refe… Continue reading Inaccurate Suricata ET rule (SID: 2030388, CVE-2020-11900)
I’m working on a project to implement SDN in a network. One of my flows is redirecting to the Suricata IDS and the flow works in layer 2 with MAC address.
Since I’ve read that Snort only works in layer 3, I would like to know if it’s possi… Continue reading Suricata and rules based on MAC address
By Brian Dye, Chief Product Officer, Corelight Some things just go well together. A privilege of working with very sophisticated defenders in the open source community is seeing the design patterns they use to secure their organizations – bo… Continue reading Chocolate and Peanut Butter, Zeek and Suricata
By Vince Stoffer, Senior Director, Product Management, Corelight With Corelight’s latest software release, v19, we are excited to announce the expansion of our Encrypted Traffic Collection (ETC). The ETC was introduced in late 2019, but as a remi… Continue reading The light shines even brighter: Updates to Corelight’s Encrypted Traffic Collection
I want to obtain reassembled stream payload for both TCP and UDP in Suricata. How can i obtain stream data by manipulating the source code? Which methods/classes in the source can provide me the stream data?
I installed bina… Continue reading Suricata TCP/UDP reassembled stream
I have not found any examples on using the ‘bypass’ keyword.
Does it work in any rule? Are there performance implications using ‘bypass’.
For example, would this bypass all tcp traffic?
alert tcp any any <> any any (msg:"Allow a… Continue reading Suricata bypass keyword