101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl, the oldest Polish Mastodon server. We allow posts of up to 2048 characters.

#networksecuritymonitoring

Richard Bejtlich<p>Here’s another reason why you need a balanced approach to detection and response, including <a href="https://infosec.exchange/tags/networksecuritymonitoring" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networksecuritymonitoring</span></a>, and cannot simply rely on the integrity of the endpoint. <a href="https://www.techspot.com/news/107883-ransomware-can-now-run-directly-cpu-researcher-warns.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">techspot.com/news/107883-ranso</span><span class="invisible">mware-can-now-run-directly-cpu-researcher-warns.html</span></a></p>
Marko Jahnke<p>Surprisingly, <a href="https://bonn.social/tags/vector" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vector</span></a> is a very efficient and flexible <a href="https://bonn.social/tags/logshipper" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>logshipper</span></a>. </p><p>When using it with <a href="https://bonn.social/tags/suricata" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>suricata</span></a>, I was able to transmit more than 40k events per second via https. In the same setup, <a href="https://bonn.social/tags/filebeat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>filebeat</span></a> barely reached 9kE/s with the lumberjack protocol.</p><p><a href="https://vector.dev" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">vector.dev</span><span class="invisible"></span></a></p><p><a href="https://bonn.social/tags/NetworkSecurityMonitoring" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetworkSecurityMonitoring</span></a> <a href="https://bonn.social/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a></p>
Marko Jahnke<p>It seems that <a href="https://bonn.social/tags/Suricata" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Suricata</span></a> will not run with <a href="https://bonn.social/tags/Napatech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Napatech</span></a> drivers if the security.limit-noproc option is set to "true":</p><p>security:<br> # if true, prevents process creation from Suricata by calling<br> # setrlimit(RLIMIT_NPROC, 0)<br> limit-noproc: true</p><p>The process just ends up without further explanations. Took me a while to find out.</p><p><a href="https://bonn.social/tags/NetworkSecurityMonitoring" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetworkSecurityMonitoring</span></a></p>
Marko Jahnke<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@suricata" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>suricata</span></a></span> Are there any known tools for storing the <a href="https://bonn.social/tags/Suricata" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Suricata</span></a> rules themselves (not the eve logs) in <a href="https://bonn.social/tags/elastic" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>elastic</span></a> ?</p><p>This might be very useful for the analysts, if you could provide a reference in alerts to the originating rule via its rule id.</p><p>Converting the rules to JSON via <span class="h-card" translate="no"><a href="https://infosec.exchange/@ish" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>ish</span></a></span> 's rjs might be a good first step.</p><p><a href="https://bonn.social/tags/NetworkSecurityMonitoring" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetworkSecurityMonitoring</span></a></p><p><a href="https://github.com/jasonish/suricatax-rule-parser-rs" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/jasonish/suricatax-</span><span class="invisible">rule-parser-rs</span></a></p>
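The join described in the post above (rule documents keyed by sid, looked up from an eve alert's signature_id), written as an added example that is not part of the thread and is not rjs itself. The sample rules and the eve event are constructed, and the minimal parser assumes plain rule lines without escaped quotes inside content matches.

```python
import re

# Constructed sample rules (not from the thread); sid is the join key.
SAMPLE_RULES = """\
# comments and blank lines are skipped
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"EXAMPLE Outbound 4444"; flow:established,to_server; sid:9000001; rev:2; classtype:trojan-activity;)
alert http any any -> any any (msg:"EXAMPLE Suspicious UA"; http.user_agent; content:"evil"; nocase; sid:9000002; rev:1;)
"""

RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$')

def parse_options(text):
    """Split the option body on ';' outside double quotes into [{key, value}]."""
    parts, buf, quoted = [], [], False
    for ch in text:  # assumption: no escaped quotes inside values
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    opts = []
    for part in parts + [''.join(buf).strip()]:
        if part:
            key, sep, val = part.partition(':')
            opts.append({"key": key.strip(), "value": val.strip().strip('"') if sep else None})
    return opts

def rules_to_docs(rule_text):
    """Turn a rules file into JSON-ready documents keyed by sid."""
    docs = {}
    for line in rule_text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line) if line and not line.startswith('#') else None
        if not m:
            continue
        opts = parse_options(m.group('options'))
        kv = {o["key"]: o["value"] for o in opts if o["value"] is not None}
        if "sid" not in kv:
            continue  # a rule without a sid cannot be referenced from an alert
        docs[int(kv["sid"])] = {"sid": int(kv["sid"]), "rev": int(kv.get("rev", 0)),
                               "msg": kv.get("msg"), "action": m.group("action"),
                               "header": m.group("header"), "options": opts, "raw": line}
    return docs

def enrich_alert(eve_event, docs):
    """Attach the originating rule document to an eve alert via alert.signature_id."""
    rule = docs.get(eve_event.get("alert", {}).get("signature_id"))
    return {**eve_event, "rule": rule} if rule else eve_event
```

Each value of `rules_to_docs` can be indexed as one document, so an analyst can pivot from an alert to the full rule text by sid.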
Marko Jahnke<p>Today, I officially turned into an <a href="https://bonn.social/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> dinosaur. 25 years ago, I entered my first job in infosec as a scientific <a href="https://bonn.social/tags/researcher" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>researcher</span></a> in a research establishment. </p><p>A topic that accompanied me through the entire time was <a href="https://bonn.social/tags/NetworkSecurityMonitoring" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetworkSecurityMonitoring</span></a>, beginning in the late 1990's with the Network Flight Recorder (<a href="https://bonn.social/tags/NFR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NFR</span></a>) and early versions of <a href="https://bonn.social/tags/snort" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>snort</span></a> and <a href="https://bonn.social/tags/bro" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bro</span></a>.</p>
Richard Bejtlich<p>I tried <a href="https://infosec.exchange/tags/ChatRTX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ChatRTX</span></a> from <a href="https://infosec.exchange/tags/Nvidia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Nvidia</span></a>. I trained it on about 250 files and 400 MB in the directory for my 2013 book The Practice of <a href="https://infosec.exchange/tags/NetworkSecurityMonitoring" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetworkSecurityMonitoring</span></a>. In reality it probably digested way less than that because it only works with pdf, txt, doc, and docx. Still, it was cool to interact with it. I might put all of my written material into it and see what it thinks. I have a 4070 Ti Super GPU with 16 GB VRAM and 7600X CPU with 64 GB RAM.</p>
Richard Bejtlich<p>This is a PERFECT example of how <a href="https://infosec.exchange/tags/networksecuritymonitoring" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networksecuritymonitoring</span></a> could detect this activity, because it happens over unencrypted HTTP! <a href="https://apple.news/A8DMe_2sCTqKP12W911VRJw" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">apple.news/A8DMe_2sCTqKP12W911</span><span class="invisible">VRJw</span></a></p>
Richard Bejtlich<p>This is from early March, but still interesting. If the crane sites instrumented their networks using <a href="https://infosec.exchange/tags/networksecuritymonitoring" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networksecuritymonitoring</span></a> principles, they could have been collecting evidence for months or years. With this story public, defenders could now conduct retrospective security analysis, either independently or using indicators from LE, IC, or other intel shops. <a href="https://archive.ph/zVAWg" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="">archive.ph/zVAWg</span><span class="invisible"></span></a></p>
Marko Jahnke<p>Yesterday, <a href="https://bonn.social/tags/suricata" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>suricata</span></a> 6.0.10 (stable) was released. Version 7 has a first release candidate.</p><p>Thanks to <span class="h-card"><a href="https://mastodon.social/@inliniac" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>inliniac</span></a></span>, <span class="h-card"><a href="https://infosec.exchange/@satta" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>satta</span></a></span>, and the suricata team.</p><p><a href="https://bonn.social/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a> <a href="https://bonn.social/tags/NetworkSecurityMonitoring" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetworkSecurityMonitoring</span></a> <a href="https://bonn.social/tags/IDS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IDS</span></a></p><p><a href="https://suricata.io/2023/01/31/suricata-6-0-10-released/" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">suricata.io/2023/01/31/suricat</span><span class="invisible">a-6-0-10-released/</span></a><br><a href="https://suricata.io/2023/01/31/suricata-7-0-0-rc1-released/" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">suricata.io/2023/01/31/suricat</span><span class="invisible">a-7-0-0-rc1-released/</span></a></p>
Chris Sistrunk<p>📰 Hot off the press 📰<br>---------------------------------------<br>I wrote this article for PowerGrid International magazine and it is to help folks with tuning their ICS /OT / SCADA network security monitoring alerts. 🛠️📉 You don't have to reinvent the wheel!</p><p>***If ICS NSM is in your responsibility, please read this article (link below). I would love to get your feedback.***</p><p>Documentation about tuning ICS NSM systems is rare. ICS NSM solution documentation tends to focus on how to turn the baseline feature on and off, and does not go into specifics about how to fine tune the system. </p><p>If you buy an ICS NSM solution and forget it, it will be useless. If a vendor says their sensor/IDS requires no tuning, they are lying to you. An unmanaged and untuned ICS NSM or IDS will create floods of alerts and nuisance alerts, and contribute to alert fatigue for your engineers and SOC analysts.</p><p>Thank you!</p><p>📰: When fine-tuning your cybersecurity alerts, it’s best to focus on the basics<br><a href="https://www.power-grid.com/td/when-fine-tuning-your-cybersecurity-alerts-its-best-to-focus-on-the-basics/" rel="nofollow noopener" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">power-grid.com/td/when-fine-tu</span><span class="invisible">ning-your-cybersecurity-alerts-its-best-to-focus-on-the-basics/</span></a></p><p><a href="https://infosec.exchange/tags/ICS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ICS</span></a> <a href="https://infosec.exchange/tags/OT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OT</span></a> <a href="https://infosec.exchange/tags/SCADA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SCADA</span></a> <a href="https://infosec.exchange/tags/icssecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>icssecurity</span></a> <a href="https://infosec.exchange/tags/otsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>otsecurity</span></a> <a href="https://infosec.exchange/tags/networksecuritymonitoring" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networksecuritymonitoring</span></a> <a href="https://infosec.exchange/tags/NSM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NSM</span></a> <a href="https://infosec.exchange/tags/IDS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IDS</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a> <a href="https://infosec.exchange/tags/SOCAnalysts" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOCAnalysts</span></a> <a href="https://infosec.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BlueTeam</span></a> <a href="https://infosec.exchange/tags/tuning" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tuning</span></a></p>