Suricata is the world-renowned IDS / IPS and NSM engine. It is capable of generating a combined log stream from separate information elements, including network protocol events, alerts, PCAP files (full packet capture), and extracted files as it sniffs live network traffic or sits inline.
Suricata covers many use case scenarios with broad detection capabilities and can natively ingest thousands of rules, Lua scripts, and lists containing millions of IoCs.
In one detection scenario, we load a list of known bad IoCs from a third-party threat intelligence provider (free or commercial). Suricata is threat intel provider agnostic and can ingest such IoC lists with ease and flexibility. In Suricata, these lists are called "datasets," and they can be used to match (or not match) on many objects, including domains, file hashes, URLs, user agents, JA3/JA3S hash values, HTTP hosts, TLS and SNI/TLS fingerprints, TLS issuers, and many more.
In this hands-on session with Peter Manev, we walk through practical examples of these detection methods, showing you how to ingest a dataset of one million DNS IoCs. We will use open source tools such as Suricata Update and Scirius Community Edition, and demonstrate the proper system setup.
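As an added illustration (not part of the session material), the helper below turns a plain-text domain feed into a Suricata `string` dataset file, which stores one base64-encoded value per line, and emits a `dns.query` rule that checks each query name against it with `dataset:isset`. The feed contents, the dataset name `bad-domains`, the file path and the sid are constructed placeholders.

```python
import base64
from pathlib import Path

# Constructed sample feed: plain domains, one per line, as a threat-intel
# provider might deliver them (the real session uses ~1,000,000 entries).
RAW_FEED = """\
# constructed example feed
malicious.example
Evil-C2.example.
malicious.example
"""


def parse_feed(text: str) -> list[str]:
    """Drop comments/blanks, strip trailing dots, lower-case, de-duplicate.

    The dataset lookup is an exact match on the dns.query buffer, so the
    feed must be normalised consistently before it is loaded.
    """
    seen: set[str] = set()
    domains: list[str] = []
    for line in text.splitlines():
        entry = line.strip().rstrip(".").lower()
        if not entry or entry.startswith("#") or entry in seen:
            continue
        seen.add(entry)
        domains.append(entry)
    return domains


def to_dataset_lines(domains: list[str]) -> list[str]:
    """Suricata 'string' datasets hold one base64-encoded value per line."""
    return [base64.b64encode(d.encode()).decode() for d in domains]


def decode_dataset_lines(lines: list[str]) -> set[str]:
    """Inverse of to_dataset_lines, useful for auditing a deployed list."""
    return {base64.b64decode(l).decode() for l in lines if l.strip()}


def write_dataset(domains: list[str], path: str) -> int:
    """Write the encoded list to disk; returns the number of entries."""
    lines = to_dataset_lines(domains)
    Path(path).write_text("\n".join(lines) + "\n")
    return len(lines)


def dataset_rule(name: str, path: str, sid: int) -> str:
    """Rule that alerts when a DNS query name is present in the dataset.
    memcap/hashsize are sized up front for a large (million-entry) list."""
    return (f'alert dns any any -> any any (msg:"DNS query to domain in {name}"; '
            f"dns.query; dataset:isset,{name},type string,load {path},"
            f"memcap 256mb,hashsize 2097152; sid:{sid}; rev:1;)")
```

`write_dataset(parse_feed(RAW_FEED), "bad-domains.lst")` followed by `dataset_rule("bad-domains", "bad-domains.lst", 9000001)` gives a list file and a rule you can drop into a local rules file for testing.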