Currently I have my Emerging Threats rules being run through Suricata, and the OTX feed being run through Zeek, on my Security Onion, which then feeds into my Splunk instance. I seem to have already broken my Kibana (will have to research that next; the side panels render, but it's all white space where the actual data should be).
After reading a few articles:
Malware Analysis
IDS alert challenge
Splunk Enterprise Security
IDS rules for PulledPork
Now I know that SecurityOnion uses pulledpork currently for its rule management, but I believe in future versions it will be moving to Suricata-update (well at least for Suricata). But that does not matter currently.
Emerging Threats updates a file called downloaded.rules, and OTX creates a file called otx.dat. Both hold the rules, which can either be parsed into an index or exported as TSV/CSV into a lookup table.
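To show what the lookup-table route looks like in practice, here is an added example (my own code, not part of Security Onion, PulledPork or the Emerging Threats tooling) that parses Suricata/Snort-syntax rule lines into a CSV keyed by sid. It assumes downloaded.rules uses standard rule syntax (header, then options in parentheses); it makes no assumption about the otx.dat format. The sample rules and their sids are constructed placeholders, not real signatures.

```python
import csv
import io
import re

# Constructed sample lines in Suricata/Snort rule syntax. These are NOT from a real
# downloaded.rules; the sids are placeholder values in a private range.
SAMPLE_RULES = """\
# comment line that is not a rule
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE Suspicious User-Agent"; flow:established,to_server; content:"User-Agent|3a| evil"; http_header; classtype:trojan-activity; reference:url,example.invalid/ua; sid:9000001; rev:3; metadata:created_at 2020_01_01;)
#alert dns $HOME_NET any -> any 53 (msg:"EXAMPLE Disabled rule"; dns_query; content:"bad.example"; classtype:bad-unknown; sid:9000002; rev:1;)
alert ip any any -> any any (msg:"EXAMPLE Rule with semicolon\\; in msg"; classtype:misc-activity; reference:cve,2000-0001; reference:url,example.invalid/x; sid:9000003; rev:1;)
"""

# Rule header: optional leading '#' (disabled rule), action, protocol, src/dst
# address and port pairs, direction, then the option block in parentheses.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+'
    r'\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\((?P<options>.*)\)\s*$'
)

# Columns of the lookup table.
FIELDS = ["sid", "rev", "enabled", "action", "protocol", "msg", "classtype", "references"]


def _split_options(options):
    """Split the option block on ';' that is not escaped (a literal ';' in msg is written '\\;')."""
    return [p.strip() for p in re.split(r'(?<!\\);', options) if p.strip()]


def parse_rule(line):
    """Parse one rule line into a dict, or return None for comments and blank lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    record = {
        "sid": "", "rev": "", "enabled": m.group("disabled") is None,
        "action": m.group("action"), "protocol": m.group("proto"),
        "msg": "", "classtype": "", "references": [],
    }
    for opt in _split_options(m.group("options")):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key == "msg":
            record["msg"] = value.strip('"').replace('\\;', ';')
        elif key == "reference":
            # A rule may carry several references; keep them all, pipe-separated.
            record["references"].append(value)
        elif key in ("sid", "rev", "classtype"):
            record[key] = value
    record["references"] = "|".join(record["references"])
    return record


def parse_rules(text):
    """Parse a whole rules file, dropping lines that are not rules (disabled rules are kept)."""
    records = [parse_rule(line) for line in text.splitlines()]
    return [r for r in records if r is not None]


def rules_to_csv(text):
    """Render the parsed rules as CSV text suitable for upload as a Splunk lookup table."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for r in parse_rules(text):
        writer.writerow(r)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python rules_to_lookup.py /path/to/downloaded.rules > et_rules.csv
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    sys.stdout.write(rules_to_csv(src))
```

Once the CSV is defined as a lookup in Splunk, an analyst can enrich Suricata alert events with `| lookup et_rules sid AS alert.signature_id OUTPUT msg classtype references` (this assumes the EVE JSON field name alert.signature_id and a lookup named et_rules; both are assumptions for the example). Keeping disabled rules in the table, flagged by the enabled column, lets you see when an alert came from a signature that has since been turned off.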
Currently, I am trying to decide which way would be the most beneficial to me and the other users of my system.
I also think there is at least one other file that goes with the Snort VRT rules, called opensource.gz, which goes into further detail based on the SID. For Emerging Threats it is called SID-Descriptions-ETOpen.json.gz, which I think provides the same information for that rule set.
I am leaning towards putting the rules into an index, but I could be swayed either way, or even talked out of trying this. I think it has potential for analysts who hunt, letting them look back at what signatures were hit on without having to Google every one of them.