pevma
Feb 14, 2021, 17 tweets, 18 min read
(1/of a few) Doing some training #threathunting runs with #suricata - with pcap from bit.ly/3jNUCyw
Fun fact: alerts account for only 8% of the total logs produced - we also have protocol logs like Flow records, KRB5, SMB, DNS, TLS, HTTP, DCERPC, Fileinfo
(2/of a few)
Just as regular protocol and flow logging of #Suricata gives us:

633 FLOW logs
295 HTTP logs
182 TLS logs
130 DNS logs
114 SMB logs
90 DCERPC logs
66 FILEINFO logs
23 KRB5 logs
2 NTP logs

Let's see some examples of the generated data...
(3/of a few)
Quick and dirty cmd look at the DNS logs generated by #Suricata gives us the domain list for our #threathunting review.
A couple of those jump out (at least to me)
(4/of a few)
Quick and dirty cmd look at the #HTTP protocol logs of .@Suricata_IDS gives us some interesting results for
1 - HTTP hostnames
2 - HTTP User agents
3 - HTTP servers
(5/of a few) #suricata also gives us a pretty good snapshot from the TLS protocol logs for SNIs, Issuers, Subjects that can lead the investigation of the pcap traffic trace too (quick jq on the cmd)
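The "quick and dirty cmd look" in msgs 2 to 5 (event counts, DNS names, HTTP hostnames/user agents/servers, TLS SNI/issuer/subject) as an added Python example. This is not pevma's code and not part of Suricata; the EVE JSON lines below are constructed to match Suricata's eve.json field names, and the IPs, domains and header values in them are placeholders. The last function is an added hunting heuristic (certificate subject equal to issuer) that the thread does not itself use.

```python
import json
from collections import Counter


# Constructed EVE JSON lines standing in for Suricata's eve.json (not the
# thread's pcap). Field names follow the dns/http/tls/flow event schema;
# IPs, domains and header values are illustrative placeholders.
EVE_LINES = """
{"timestamp":"2021-02-14T10:00:01.000000+0000","flow_id":1,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":1,"rrname":"updates.example.com","rrtype":"A"}}
{"timestamp":"2021-02-14T10:00:02.000000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":2,"rrname":"x7k2p9.example.net","rrtype":"A"}}
{"timestamp":"2021-02-14T10:00:02.500000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.0.2","dest_ip":"10.0.0.5","proto":"UDP","dns":{"type":"answer","id":2,"rrname":"x7k2p9.example.net","rcode":"NOERROR"}}
{"timestamp":"2021-02-14T10:00:03.000000+0000","flow_id":3,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP","http":{"hostname":"x7k2p9.example.net","url":"/6lhjgfdghj.exe","http_user_agent":"Mozilla/4.0 (compatible; MSIE 7.0)","http_method":"GET","status":200,"server":"nginx"}}
{"timestamp":"2021-02-14T10:00:04.000000+0000","flow_id":4,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.20","proto":"TCP","http":{"hostname":"updates.example.com","url":"/index.html","http_user_agent":"Mozilla/5.0","http_method":"GET","status":200,"server":"Apache"}}
{"timestamp":"2021-02-14T10:00:05.000000+0000","flow_id":5,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"192.0.2.30","proto":"TCP","tls":{"sni":"login.example.com","subject":"CN=login.example.com","issuerdn":"CN=Example CA"}}
{"timestamp":"2021-02-14T10:00:06.000000+0000","flow_id":6,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"192.0.2.40","proto":"TCP","tls":{"sni":"x7k2p9.example.net","subject":"CN=x7k2p9.example.net","issuerdn":"CN=x7k2p9.example.net"}}
{"timestamp":"2021-02-14T10:00:07.000000+0000","flow_id":3,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":12}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line from a rotating log must not abort the run
    return records


def count_event_types(records):
    """Same result as: jq -r .event_type eve.json | sort | uniq -c"""
    return Counter(r.get("event_type") for r in records)


def dns_domains(records):
    """Queried names, counted once per query (answer records repeat rrname)."""
    return Counter(
        r["dns"]["rrname"]
        for r in records
        if r.get("event_type") == "dns" and r["dns"].get("type") == "query"
    )


def field_counts(records, event_type, fields):
    """Count the values of selected sub-object fields for one event type."""
    out = {f: Counter() for f in fields}
    for r in records:
        if r.get("event_type") != event_type:
            continue
        sub = r.get(event_type, {})
        for f in fields:
            if sub.get(f) is not None:
                out[f][sub[f]] += 1
    return out


def http_summary(records):
    """The three lists from msg 4: hostnames, user agents, Server headers."""
    return field_counts(records, "http", ("hostname", "http_user_agent", "server"))


def tls_summary(records):
    """The SNI / issuer / subject snapshot from msg 5."""
    return field_counts(records, "tls", ("sni", "issuerdn", "subject"))


def self_signed_snis(records):
    """Added hunting heuristic: SNIs whose certificate subject equals its issuer."""
    return sorted(
        r["tls"]["sni"]
        for r in records
        if r.get("event_type") == "tls"
        and "sni" in r["tls"]
        and r["tls"].get("subject") == r["tls"].get("issuerdn")
    )


if __name__ == "__main__":
    recs = parse_eve(EVE_LINES)
    for name, n in count_event_types(recs).most_common():
        print(f"{n:4d} {name.upper()} logs")
    print("DNS:", dns_domains(recs).most_common())
    print("HTTP:", {k: v.most_common() for k, v in http_summary(recs).items()})
    print("TLS:", {k: v.most_common() for k, v in tls_summary(recs).items()})
    print("subject == issuer:", self_signed_snis(recs))
```

To run it against a real eve.json, replace `EVE_LINES` with the file contents (`open("eve.json").read()`); `parse_eve` tolerates the partial last line you get from a log that is still being written.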
(6/of a few)
You can further build relations between the previous #suricata TLS protocol data and network traffic #encryption analysis based on flow, ja3 and ja3s as well, to show clients/apps and servers comms in the #ThreatHunting process
(7/of a few) .@Suricata_IDS can identify (type/magic/hash etc.) and also extract files from the following protocols - HTTP, SMTP, FTP, NFS, SMB, HTTP2
so for this #pcap that would give us another angle into the #ThreatHunting:
(8/of a few) So then you can further break down the file transactions analysed by .@Suricata_IDS by protocol - HTTP and SMB. "6lhjgfdghj.exe" sticks out
(9/of a few) Looking at the fileinfo #suricata log record of that #HTTP file transaction we have other valuable information like http hostname, size, file magic and sha256 among others. Both the hostname and the checksums are listed on VirusTotal
virustotal.com/gui/file/94e60…
(10/of a few) We can count on @Suricata_IDS SMB and KRB5 protocol logging in this basic #ThreatHunting run to tell us who logged in from where, AD domains and PC names
.@Suricata_IDS #protocol logging for KRB5 (example attached) could be quite revealing for lateral movement user involvement identification in the #ThreatHunting

docs.microsoft.com/en-us/openspec…
(12/of a few)
So would be #Suricata SMB protocol logging for that #ThreatHunting chase with that pcap (msg 1/of a few)
(13/of a few)
#Suricata SMB protocol log for session setup of user "bill.cook" and host "DESKTOP-MGVG60Z" #threathunting
(14/of a few)
#Suricata DCERPC protocol logging can also help in highlighting movement in the #threathunting
(16/of a few) With #suricata you can also see all protocol logs for a specific flow - matching on "flow_id". In the case attached we have
1 - KRB5 event
2 - Anomaly applayer
3 - Flow record
That all share the same flow_id, in this case - "1400760090402734" #threathunting
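The fileinfo breakdown of msgs 7 to 9 (files per protocol, magic, size, sha256, http hostname) and the flow_id pivot of msg 16, as one added Python example. This is not pevma's code and not a Suricata tool. The EVE lines are constructed: the flow_id 1400760090402734, the user "bill.cook" and the filename "6lhjgfdghj.exe" are the values the thread shows, while the IPs, sizes, realm, the all-zero and all-one sha256 values and the anomaly event name are placeholders chosen for the example. The "same hash over more than one protocol" check is an added hunting step the thread implies (HTTP download, then SMB transfer) but does not code.

```python
import json
from collections import Counter, defaultdict


# Constructed EVE JSON lines (not the thread's pcap). Only flow_id
# 1400760090402734, "bill.cook" and "6lhjgfdghj.exe" come from the thread;
# everything else is an illustrative placeholder.
EVE_LINES = """
{"timestamp":"2021-02-14T10:01:00.000000+0000","flow_id":7001,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP","http":{"hostname":"x7k2p9.example.net","url":"/6lhjgfdghj.exe","http_method":"GET","status":200,"length":245760}}
{"timestamp":"2021-02-14T10:01:01.000000+0000","flow_id":7001,"event_type":"fileinfo","src_ip":"192.0.2.10","dest_ip":"10.0.0.5","proto":"TCP","app_proto":"http","http":{"hostname":"x7k2p9.example.net","url":"/6lhjgfdghj.exe"},"fileinfo":{"filename":"/6lhjgfdghj.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","size":245760,"sha256":"0000000000000000000000000000000000000000000000000000000000000000","stored":false,"state":"CLOSED"}}
{"timestamp":"2021-02-14T10:01:02.000000+0000","flow_id":7001,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP","app_proto":"http","flow":{"pkts_toserver":40,"pkts_toclient":190,"bytes_toserver":3000,"bytes_toclient":260000,"state":"closed"}}
{"timestamp":"2021-02-14T10:02:00.000000+0000","flow_id":7003,"event_type":"fileinfo","src_ip":"192.0.2.20","dest_ip":"10.0.0.5","proto":"TCP","app_proto":"http","http":{"hostname":"updates.example.com","url":"/favicon.ico"},"fileinfo":{"filename":"/favicon.ico","magic":"MS Windows icon resource","size":1150,"sha256":"1111111111111111111111111111111111111111111111111111111111111111","stored":false,"state":"CLOSED"}}
{"timestamp":"2021-02-14T10:04:00.000000+0000","flow_id":1400760090402734,"event_type":"krb5","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"TCP","krb5":{"msg_type":"KRB_AS_REQ","cname":"bill.cook","realm":"EXAMPLE.LOCAL","sname":"krbtgt/EXAMPLE.LOCAL"}}
{"timestamp":"2021-02-14T10:04:00.100000+0000","flow_id":1400760090402734,"event_type":"anomaly","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"TCP","app_proto":"krb5","anomaly":{"type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2021-02-14T10:04:01.000000+0000","flow_id":1400760090402734,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"TCP","app_proto":"krb5","flow":{"pkts_toserver":4,"pkts_toclient":3,"state":"closed"}}
{"timestamp":"2021-02-14T10:05:00.000000+0000","flow_id":7002,"event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","app_proto":"smb","smb":{"command":"SMB2_COMMAND_WRITE","filename":"6lhjgfdghj.exe"},"fileinfo":{"filename":"6lhjgfdghj.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","size":245760,"sha256":"0000000000000000000000000000000000000000000000000000000000000000","stored":false,"state":"CLOSED"}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            try:
                records.append(json.loads(line))
            except json.JSONDecodeError:
                continue
    return records


def files_by_protocol(records):
    """(app_proto, filename) -> count: the per-protocol breakdown of msg 8."""
    return Counter(
        (r.get("app_proto"), r["fileinfo"].get("filename"))
        for r in records
        if r.get("event_type") == "fileinfo"
    )


def executables(records):
    """fileinfo records whose magic says PE, whatever the extension claims."""
    return [
        r for r in records
        if r.get("event_type") == "fileinfo"
        and r["fileinfo"].get("magic", "").startswith("PE32")
    ]


def describe_file(r):
    """The msg 9 fields for one fileinfo record: hostname, size, magic, sha256."""
    fi = r["fileinfo"]
    return {
        "flow_id": r["flow_id"],
        "app_proto": r.get("app_proto"),
        "hostname": r.get("http", {}).get("hostname"),
        "filename": fi.get("filename"),
        "size": fi.get("size"),
        "magic": fi.get("magic"),
        "sha256": fi.get("sha256"),
    }


def hash_protocols(records):
    """sha256 -> protocols it was carried over, kept only when more than one.
    A file fetched over HTTP and then written over SMB shows up here."""
    seen = defaultdict(set)
    for r in records:
        if r.get("event_type") == "fileinfo" and "sha256" in r["fileinfo"]:
            seen[r["fileinfo"]["sha256"]].add(r.get("app_proto"))
    return {h: protos for h, protos in seen.items() if len(protos) > 1}


def index_by_flow(records):
    """flow_id -> its records oldest first (EVE timestamps sort as strings)."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[r["flow_id"]].append(r)
    for recs in by_flow.values():
        recs.sort(key=lambda r: r["timestamp"])
    return by_flow


def pivot_flow(records, flow_id):
    """Event types logged for one flow_id; the jq 'select(.flow_id == N)' pivot."""
    return [r["event_type"] for r in index_by_flow(records).get(flow_id, [])]


if __name__ == "__main__":
    recs = parse_eve(EVE_LINES)
    for (proto, name), n in files_by_protocol(recs).most_common():
        print(f"{n:3d} {proto:5s} {name}")
    for r in executables(recs):
        print(describe_file(r))
    print("same hash over several protocols:", hash_protocols(recs))
    print("flow 1400760090402734:", pivot_flow(recs, 1400760090402734))
```

Pivoting on flow_id is what makes the protocol logs more than counts: the fileinfo record tells you what moved, the http record on the same flow_id tells you where it came from, and the flow record tells you how much traffic the transfer produced.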
(21/of a few)
In #evebox we can also zoom on the same host or flow_id to get files transferred, flow records and #HTTP transactions.

tinyurl.com/22msb6ts

#suricata #threathunting #evebox
