Suricata is the world-renowned IDS / IPS and NSM engine. It is capable of generating a combined log stream from separate information elements, including network protocol events, alerts, PCAP files (full packet capture), and extracted files as it sniffs live network traffic or sits inline.
Suricata produces over 25 different types of log data, including protocol and decoding anomalies, alerts, and many other network transaction protocol events. Each event Suricata produces carries its own event type. Two of those log types are SMB and DCERPC, which Suricata produces through its native automatic protocol parsing and logging capability.
As fundamental elements of the Microsoft Windows and Active Directory infrastructure, various versions of the SMB/DCERPC protocols are natively used by enterprises of all sizes.
Unfortunately, these protocols are also often used by threat actors for lateral movement once a breach beachhead has been established in the organization. This is where the Suricata SMB and DCERPC event type logs become very helpful in hunting scenarios.
In this 3-part webinar series, we aim to take a thorough hands-on approach to show you how to use Suricata’s SMB and DCERPC logs for lateral detection.
The series covers hunting approaches with pure network transaction data and explains where, how, and when it makes sense to write a signature for a specific use case.
Part 1 will explain the basics of lateral detection and the data Suricata provides in terms of SMB and DCERPC protocol logging.
Parts 1 and 2 will concentrate exclusively on giving you a baseline understanding and introducing you to hunting with the SMB/DCERPC log data. This includes using different aspects of the Microsoft protocols, such as UUIDs, DCERPC opnums, versions, and similar fields.
In Part 3, we will explore different techniques for writing signatures using the latest Suricata features for lateral detection.