Hackzone Cyber Security Blog

Tag: Network Security Page 2 of 3

How-to-View-Offending-Domains-in-Suricata-Alerts

πŸ“Š How to View Offending Domains in Suricata Alerts: A Step-by-Step Guide πŸ›‘οΈ

By

On August 27, 2024

In CyberSecurity, Network Security

If you’re using Suricata for network security, monitoring and analyzing alerts is crucial. One important aspect is identifying offending domains that trigger alerts. This step-by-step guide will show you how to view these domains, ensuring you can take timely action to secure your network.

πŸ“‹ Table of Contents

  1. Introduction
  2. Step 1: Set Up Suricata
  3. Step 2: Write a DNS Alert Rule
  4. Step 3: Enable Payload Printing
  5. Step 4: Check the Logs
  6. Step 5: Analyze Alerts
  7. Conclusion

Introduction

Suricata is a powerful open-source IDS/IPS capable of monitoring network traffic and detecting suspicious activities. If you’re looking to pinpoint domains that trigger alerts, this guide will walk you through the process. By following these steps, you’ll enhance your network monitoring and response capabilities.

Step 1: Set Up Suricata πŸ”§

Before diving into DNS alerts, ensure Suricata is properly installed and configured on your system. If you haven’t set it up yet, refer to the Suricata Quickstart Guide for installation and basic configuration instructions. This will ensure you have a working base to build upon.

Step 2: Write a DNS Alert Rule πŸ“

To capture DNS queries and identify offending domains, you need to create a custom alert rule. Here’s an example rule that you can add to your Suricata configuration:

alert dns any any -> any any (msg:"BAD URL IN DNS QUERY"; dns.query; dataset:isset,domains-bl64; classtype:bad-unknown; sid:90000001; rev:1;)

Explanation:

  • alert dns any any -> any any: This part defines the rule for DNS traffic.
  • msg:"BAD URL IN DNS QUERY": The message that will be logged when the rule is triggered.
  • dns.query: Specifies that the rule applies to DNS queries.
  • dataset:isset,domains-bl64: Checks the DNS query against a dataset of known bad domains.
  • classtype:bad-unknown: The classification of the alert.
  • sid:90000001: A unique identifier for the rule.
  • rev:1: The revision number of the rule.

Step 3: Enable Payload Printing πŸ–¨οΈ

To see the actual domain names that triggered the alerts, you need to enable payload printing. Modify your suricata.yaml file to include the following settings:

types:
  - alert:
      payload: yes
      payload-printable: yes

Explanation:

  • payload: yes: Enables payload printing.
  • payload-printable: yes: Ensures the payload is displayed in a readable format.

These settings will allow Suricata to include the DNS query payload in the alert logs, making it easier to see which domains triggered the alerts.

Step 4: Check the Logs πŸ“‚

Once your rule is set and payload printing is enabled, you need to monitor your Suricata logs for alerts. Logs are typically stored in /var/log/suricata/. To view real-time alerts, use the following command:

bashCopy codesudo tail -f /var/log/suricata/eve.json

Explanation:

  • sudo tail -f: Displays the end of the log file in real-time.
  • /var/log/suricata/eve.json: The file where Suricata writes JSON formatted logs.

This command will show you the latest alerts, including the domains that triggered them.

Step 5: Analyze Alerts πŸ”

With your logs open, look for entries that correspond to your DNS alert rule. The output will include details such as:

  • Offending Domain: The domain name that matched the rule.
  • Timestamp: When the alert was triggered.
  • Source and Destination IPs: Information about where the query came from and where it was directed.

By analyzing these entries, you can identify and investigate potentially malicious domains, taking necessary actions to secure your network.

Conclusion πŸŽ‰

By following these steps, you can effectively view and analyze offending domains in Suricata alerts. This process enhances your ability to monitor and respond to potential threats, strengthening your network security posture. For ongoing protection, regularly update your rules and monitor your logs.

Feel free to reach out if you have any questions or need further assistance with Suricata! 😊

How to Install Suricata on pfSense

How to Install Suricata on pfSense: A Step-by-Step Guide

By

On August 25, 2024

In CyberSecurity, Network Security

Looking to enhance your network security with Suricata on pfSense? This comprehensive guide will walk you through the installation and configuration process, making it easy to set up this powerful Intrusion Detection System (IDS) on your pfSense firewall.

Table of contents

Introduction

Suricata is a versatile and powerful open-source network threat detection engine that can function as an IDS, IPS, and network security monitoring tool. When paired with pfSense, a popular open-source firewall and router platform, Suricata provides robust protection against network intrusions. In this guide, we’ll show you how to install and configure Suricata on pfSense, step by step.

Why Choose Suricata for pfSense?

Suricata offers several advantages when integrated with pfSense:

  • Deep Packet Inspection: Suricata provides comprehensive inspection of network traffic.
  • High Performance: It is optimized for multi-threading, making it suitable for modern networks.
  • Customizable Rules: Suricata allows for custom rule sets tailored to your specific security needs.
  • Real-Time Alerts: Get instant notifications when potential threats are detected.

Step 1: Preparing Your pfSense Environment πŸ”§

Before we dive into the installation, ensure that your pfSense environment is up to date and ready for Suricata.

  1. Log in to pfSense: Access your pfSense dashboard via your web browser.
  2. Update pfSense: Navigate to System > Update and apply any available updates to ensure you’re running the latest version.
  3. Backup Your Configuration: It’s always good practice to back up your pfSense configuration before making major changes. Go to Diagnostics > Backup & Restore and create a backup.

Step 2: Installing Suricata on pfSense πŸ“¦

Installing Suricata on pfSense is straightforward thanks to its integration into the pfSense package manager.

  1. Access the Package Manager: In your pfSense dashboard, go to System > Package Manager.
  2. Install Suricata:
    • Click on the Available Packages tab.
    • Search for Suricata.
    • Click Install and then Confirm. Wait for the installation to complete.

Step 3: Configuring Suricata on pfSense βš™οΈ

Once installed, it’s time to configure Suricata to suit your network security needs.

Interface Configuration 🌐

  1. Navigate to Suricata Settings: Go to Services > Suricata.
  2. Add an Interface:
    • Click on the Interfaces tab.
    • Click + Add to create a new Suricata interface.
    • Select the network interface you want Suricata to monitor (e.g., WAN or LAN).
    • Configure the interface settings, including enabling the interface and selecting your desired IPS mode.
  3. Save and Apply: After configuring the interface, click Save and then Apply Changes.

Setting Up Suricata Rules πŸ“„

Suricata relies on rule sets to detect potential threats. Let’s configure those now.

  1. Download Rule Sets:
    • Go to the Updates tab within Suricata.
    • Enable automatic updates for the Emerging Threats (ET) rules or any other rule sets you prefer.
    • Click Update to download the latest rules.
  2. Assign Rules to Interfaces:
    • Go to the Rules tab.
    • Assign rule categories to the Suricata interface(s) you configured.
    • Enable or disable specific rules based on your network security needs.

Configuring Alerts and Logging πŸ””

Proper alerting and logging are essential for monitoring your network security.

  1. Enable Logging:
    • Go to the Logging tab.
    • Enable EVE JSON output to get detailed logs.
    • Configure the log retention settings according to your storage capabilities.
  2. Set Up Alerts:
    • Under the Alerts tab, configure how and when Suricata should alert you.
    • You can also integrate with external logging systems like Syslog or Splunk for centralized monitoring.

Step 4: Testing Your Suricata Setup πŸ§ͺ

Testing is a crucial step to ensure Suricata is working as expected.

Generate Test Traffic: Use tools like nmap to simulate network traffic and trigger Suricata alerts.

nmap -sS -Pn -p 80,443 <your-pfsense-ip>

Check Logs: Go to the Logs tab in Suricata and verify that alerts are being generated and logged as expected.

Step 5: Fine-Tuning Suricata for Optimal Performance 🎯

To get the best performance out of Suricata on pfSense, consider the following tips:

  • Adjust Rule Sets: Disable unnecessary rules that may slow down performance or generate false positives.
  • Optimize Hardware Settings: Ensure your pfSense hardware is adequate for the network load. Consider enabling multi-threading in Suricata for better performance.
  • Regular Updates: Keep both pfSense and Suricata rules up to date to protect against the latest threats.

Conclusion πŸŽ‰

Congratulations! You have successfully installed and configured Suricata on pfSense. Your network is now fortified with one of the most powerful IDS/IPS tools available. Remember to regularly monitor your logs, update your rules, and fine-tune your settings to maintain optimal security.

Have any questions or run into issues? Drop a comment below, and we’ll be happy to help! 😊

Step-by-Step Guide: How to Install and Configure Suricata IDS on Kali Purple

By

On August 25, 2024

In CyberSecurity, Network Security

Protect your network with Suricata! Learn how to install and configure this powerful Intrusion Detection System (IDS) on Kali Purple with our easy-to-follow guide. Whether you’re a cybersecurity enthusiast or a seasoned professional, this guide will help you secure your network in no time.

πŸ“‹ Table of Contents

  1. Introduction
  2. Step 1: Update Your System πŸ”„
  3. Step 2: Install Suricata πŸ“¦
  4. Step 3: Verify the Installation βœ…
  5. Step 4: Configure Suricata βš™οΈ
  6. Step 5: Download and Update Suricata Rules πŸ“„
  7. Step 6: Start Suricata πŸš€
  8. Step 7: Test the Installation πŸ§ͺ
  9. Step 8: Automate Suricata Startup πŸ”§
  10. Conclusion πŸŽ‰

Introduction

Suricata is an open-source network threat detection engine that can function as an IDS, IPS, and Network Security Monitoring (NSM) tool. With Kali Purple, you have a powerful platform at your fingertips for enhancing your network security. In this guide, we’ll walk you through the steps to install and configure Suricata, complete with examples to make the process easy and intuitive.

Step 1: Update Your System πŸ”„

Before we dive into installing Suricata, let’s ensure your Kali Purple system is up to date. Running updates regularly helps you avoid potential compatibility issues.

sudo apt update && sudo apt upgrade -y

Step 2: Install Suricata πŸ“¦

Suricata is available directly from the Kali Linux repositories, making installation a breeze.

sudo apt install suricata -y

Step 3: Verify the Installation βœ…

Let’s confirm that Suricata has been installed correctly. This step will give you peace of mind knowing everything is in place.

suricata --build-info

This command provides detailed information about your Suricata installation, including the version and compile-time options.

Step 4: Configure Suricata βš™οΈ

Now, it’s time to configure Suricata to fit your network environment.

Set the Network Interface 🌐

Suricata needs to know which network interface to monitor. Open the configuration file and make the necessary adjustments.

sudo nano /etc/suricata/suricata.yaml

Inside the file, locate the af-packet section and set your network interface.

af-packet:
  - interface: eth0
    threads: auto
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 99
    copy-mode: ips
    checksum-checks: auto

Configure Logging πŸ“

Proper logging ensures you have the data needed for analysis. Here’s an example configuration:

default-log-dir: /var/log/suricata/

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
        - http:
        - dns:
        - tls:
        - ssh:
        - flow:

Step 5: Download and Update Suricata Rules πŸ“„

Suricata uses rules to detect potential threats. Keeping these rules up to date is crucial.

Install suricata-update:

sudo apt install python3-pip 
sudo pip3 install --pre --upgrade suricata-update

Update Rules:Download the latest rule sets.

sudo suricata-update

Verify the Rule Configuration:Ensure the rules are configured correctly.

sudo suricata -T -c /etc/suricata/suricata.yaml

Step 6: Start Suricata πŸš€

Now that Suricata is configured, it’s time to start it up!

IDS Mode (monitoring only):

sudo suricata -c /etc/suricata/suricata.yaml -i eth0
  • IPS Mode (monitoring and blocking):
sudo suricata -c /etc/suricata/suricata.yaml --af-packet=eth0

Step 7: Test the Installation πŸ§ͺ

Test Suricata by generating some network traffic. Use nmap or another tool to initiate traffic that should trigger alerts.

nmap -sS -Pn -p 80,443 <target-ip>

Check the logs:

tail -f /var/log/suricata/eve.json

You should see alerts matching the traffic.

Step 8: Automate Suricata Startup πŸ”§

To ensure Suricata starts automatically when your system boots, enable it as a service.

sudo systemctl enable suricata
sudo systemctl start suricata

Conclusion πŸŽ‰

Congratulations! You’ve successfully installed and configured Suricata IDS on Kali Purple. Your network is now better protected against potential threats. Regularly update your rules and monitor your logs to maintain robust security.

Feel free to share your experiences or ask questions in the comments below! 😊

How ‘Muddled Libra’ Cybercrime Group Exploits BPO Sector with Sophisticated Social Engineering Techniques

By

On June 24, 2023

In CyberSecurity, Phishing Attack

The BPO sector is currently under attack by a cybercrime group known as Muddled Libra, which employs sophisticated social engineering tactics to gain unauthorized access. These persistent attacks have raised concerns within the cybersecurity community.

Palo Alto Networks Unit 42, in a technical report, revealed that the emergence of the 0ktapus phishing kit in late 2022 introduced a new attack style associated with Muddled Libra. The kit provided a ready-made hosting framework and bundled templates, leading to its widespread adoption. The name “Libra” is used by the cybersecurity company to designate cybercrime groups, while the term “muddled” reflects the uncertainty surrounding the utilization of the 0ktapus framework.

The 0ktapus framework, also referred to as Scatter Swine, was initially discovered in August 2022 in connection with smishing attacks on numerous organizations, including Twilio and Cloudflare. CrowdStrike later disclosed a series of cyber assaults targeting telecom and BPO companies since June 2022. These attacks involved a combination of credential phishing and SIM swapping, and the cluster responsible for them is tracked under different names, such as Roasted 0ktapus, Scattered Spider, and UNC3944.

Kristopher Russo, a senior threat researcher, explained that Muddled Libra was named due to the perplexing landscape surrounding the 0ktapus phishing kit. He noted that while many threat actors have incorporated the kit into their arsenal, merely using it does not classify them as part of Muddled Libra, according to Unit 42’s classification.

The attacks initiated by this e-crime group employ smishing and the 0ktapus phishing kit to gain initial access. They typically culminate in data theft and the establishment of long-term persistence. Another notable characteristic is the group’s utilization of compromised infrastructure and stolen data to carry out subsequent attacks on the customers of their victims. In some instances, they even target the same victims repeatedly to replenish their dataset.

Unit 42, after investigating several Muddled Libra incidents from June 2022 to early 2023, described the group as relentless, methodical, and highly adaptable in their attack strategies. They swiftly adjust their tactics when faced with obstacles. Alongside using a variety of legitimate remote management tools to maintain persistent access, Muddled Libra tamper with endpoint security solutions to evade detection. They also exploit the fatigue caused by multi-factor authentication (MFA) notifications to steal credentials.

Furthermore, the threat actors have been observed gathering lists of employees, their job roles, and cellular phone numbers to execute smishing and prompt bombing attacks. If this approach fails, Muddled Libra actors resort to contacting the organization’s help desk, pretending to be the victims, in order to enroll a new MFA device under their control.

The researchers emphasized the notable success of Muddled Libra’s social engineering tactics. They have demonstrated a remarkable level of confidence when interacting with help desk personnel and other employees over the phone, successfully persuading them to engage in unsafe actions.

The attacks also involve the use of credential-stealing tools like Mimikatz and Raccoon Stealer to escalate privileges. Additionally, various scanners are employed for network discovery, enabling the extraction of data from platforms such as Confluence, Jira, Git, Elastic, Microsoft 365, and internal messaging systems.

Unit 42 speculated that the creators of the 0ktapus phishing kit do not possess the same advanced capabilities as Muddled Libra, and despite some similarities in their tradecraft, there is no definitive connection between the actor and UNC3944.

what is arkime (moloch)?

By

On March 29, 2023

In CyberSecurity, Ethical Hacking, Network Security

Arkime, formerly known as Moloch, is a powerful tool for full packet capture and analysis. It offers a wide range of features that make it a must-have tool for network security professionals. Some of the main features of Arkime include:

  1. Packet capture: Arkime can capture all network traffic passing through a particular network interface, allowing security analysts to analyze the traffic and identify potential threats.
  2. Indexing and search: Arkime uses Elasticsearch to store and index captured packets, which makes it easy for analysts to search for specific packets or packets containing specific patterns or keywords.
  3. Web-based user interface: Arkime includes a powerful web-based user interface that allows analysts to search and analyze captured traffic, as well as visualize network traffic data in real-time. The user interface is highly customizable, and analysts can create custom dashboards and visualizations to meet their specific needs.
  4. Advanced analysis capabilities: Arkime can perform advanced network traffic analysis, including protocol decoding, session reassembly, and file carving. This makes it possible for analysts to detect and investigate a wide range of security threats, including malware, phishing attacks, and data exfiltration.
  5. Support for multiple file formats: Arkime can capture and analyze a wide range of network protocols, including TCP, UDP, HTTP, and SSL. It also supports a variety of file formats, including PCAP, JSON, and ASCII.
  6. Scalability: Arkime is designed to be highly scalable, and it can be deployed in large-scale environments. It can handle large amounts of network traffic data, making it suitable for use in high-bandwidth environments.

Overall, Arkime is a comprehensive tool that offers a wide range of features for full packet capture and analysis. Its advanced analysis capabilities, support for multiple file formats, and scalability make it a must-have tool for any organization that needs to monitor and secure its network.

Page 2 of 3

Previous

Next

Powered by WordPress & Theme by Anders Norén