Monday, March 11, 2019

Intel Threats ingesting into SecurityOnion

Earlier today I re-created my SecurityOnion VM and turned on port mirroring on my TP-LINK switch.  One thing I still need to figure out is whether I need to mirror both ingress and egress on separate ports, or whether it is 1-for-1.

I signed up for IBM X-Force Intel feeds, AlienVault OTX Threat feeds, and Critical Threat feeds.  Currently I have only set up the AlienVault OTX threat feed, as I am not sure whether I can have multiple threat feeds loaded.  I think I can; I just have not had time to read through everything.

I used the guide found at SecurityOnion OTX Intel Threat setup with Bro (Zeek).

Overall the instructions provided by the SecurityOnion team were easy to follow, and I ran into no errors.  One thing I would have liked, though I understand it from a security point of view, was the input of the API key.  It is a blank field with no cursor movement, so you cannot tell whether you have entered a specific number of characters.  I used cut/paste on my second attempt (on the first one I tried to hand-copy it from my main machine to the VM).
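For reference on what actually lands in Bro/Zeek after a setup like this: the Intel framework reads each feed as a tab-separated file with a `#fields` header line, and `Intel::read_files` is a set, so several feed files can be listed and loaded side by side. The script below is an added example, not code from the original post or from the Security Onion project. It parses feeds in that format, rejects the mistakes that quietly stop a file from loading (space-separated columns, a missing `#fields` header, unknown indicator types, wrong column counts), normalizes indicators the way Zeek matches them (URLs without the scheme, lowercase domains and hashes), and merges two feeds into one de-duplicated file. The feed contents are constructed samples, and the `otx` and `xforce` source names are placeholders.

```python
"""Parse, validate and merge Zeek (Bro) Intel-framework feed files.

Added example; feed contents below are constructed samples, not real intel.
"""
import ipaddress
import re

# Columns every Zeek intel file must declare in its "#fields" header.
REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")

# Indicator types the Intel framework accepts (Zeek's Intel::Type enum).
KNOWN_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH",
    "Intel::PUBKEY_HASH", "Intel::FILE_HASH", "Intel::FILE_NAME",
}

OUTPUT_COLUMNS = ["indicator", "indicator_type", "meta.source", "meta.desc", "meta.url"]

# Constructed sample feeds. Source names "otx" / "xforce" are placeholders.
OTX_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\n"
    "198.51.100.7\tIntel::ADDR\totx\tconstructed sample\t-\n"
    "http://malware.example/payload.bin\tIntel::URL\totx\tconstructed sample\t-\n"
    "EVIL.EXAMPLE.\tIntel::DOMAIN\totx\tconstructed sample\t-\n"
)
XFORCE_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\n"
    "198.51.100.7\tIntel::ADDR\txforce\tconstructed duplicate\t-\n"
    "evil.example\tIntel::DOMAIN\txforce\tconstructed duplicate\t-\n"
    "203.0.113.0/24\tIntel::SUBNET\txforce\tconstructed sample\t-\n"
)
# The classic mistake: columns separated by spaces instead of tabs.
BROKEN_FEED = "#fields indicator indicator_type meta.source\n198.51.100.9 Intel::ADDR bad\n"


class IntelFormatError(ValueError):
    """Raised for a file Zeek's Intel framework would not load cleanly."""


def normalize_indicator(value, itype):
    """Canonicalize an indicator the way Zeek compares it."""
    value = value.strip()
    if itype == "Intel::ADDR":
        return str(ipaddress.ip_address(value))          # ValueError if malformed
    if itype == "Intel::SUBNET":
        return str(ipaddress.ip_network(value, strict=False))
    if itype == "Intel::URL":
        # Zeek matches URLs without the scheme, so strip "http://" etc.
        return re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", "", value)
    if itype in ("Intel::DOMAIN", "Intel::EMAIL"):
        return value.lower().rstrip(".")                 # drop trailing root dot
    if itype.endswith("_HASH"):
        return value.lower()
    return value


def parse_intel(text, source_name="feed"):
    """Return a list of dict records from one intel file's contents."""
    fields = None
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if "\t" not in raw:
            raise IntelFormatError(f"{source_name}:{lineno}: columns must be TAB-separated")
        if raw.startswith("#fields"):
            fields = raw.split("\t")[1:]
            missing = [f for f in REQUIRED_FIELDS if f not in fields]
            if missing:
                raise IntelFormatError(f"{source_name}:{lineno}: header lacks {missing}")
            continue
        if raw.startswith("#"):
            continue                                      # other directive/comment
        if fields is None:
            raise IntelFormatError(f"{source_name}:{lineno}: data before #fields header")
        cols = raw.split("\t")
        if len(cols) != len(fields):
            raise IntelFormatError(
                f"{source_name}:{lineno}: expected {len(fields)} columns, got {len(cols)}")
        rec = dict(zip(fields, cols))
        if rec["indicator_type"] not in KNOWN_TYPES:
            raise IntelFormatError(f"{source_name}:{lineno}: unknown type {rec['indicator_type']}")
        rec["indicator"] = normalize_indicator(rec["indicator"], rec["indicator_type"])
        records.append(rec)
    return records


def check_feed(text, source_name="feed"):
    """Return "" if the feed parses cleanly, else the error message."""
    try:
        parse_intel(text, source_name)
        return ""
    except (IntelFormatError, ValueError) as exc:
        return str(exc)


def merge_feeds(feeds):
    """Merge [(name, text), ...] into one intel file; first source wins on duplicates."""
    seen = {}
    for name, text in feeds:
        for rec in parse_intel(text, name):
            seen.setdefault((rec["indicator"], rec["indicator_type"]), rec)
    lines = ["#fields\t" + "\t".join(OUTPUT_COLUMNS)]
    for rec in seen.values():
        lines.append("\t".join(rec.get(c) or "-" for c in OUTPUT_COLUMNS))  # "-" = empty
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("broken feed:", check_feed(BROKEN_FEED, "broken"))
    print(merge_feeds([("otx", OTX_FEED), ("xforce", XFORCE_FEED)]), end="")
```

Point the merged output at a path listed in `Intel::read_files` and Zeek will re-read it when it changes; the de-duplication key is (indicator, type), so the same address arriving from two feeds is kept once with the first feed's metadata.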

Now to sit back and watch Bro and Suricata report back what's going on on my network.  The next project will be adding a Splunk forwarder.  I know there is Kibana, but I would like to have the option of both.

Can anyone think of any other types of files/feeds I should be ingesting into Bro/Suricata?  Or another application to run on SecurityOnion?
