Suricata is the world-renowned IDS / IPS and NSM engine. It is capable of generating a combined log stream from separate information elements, including network protocol events, alerts, PCAP files (full packet capture), and extracted files as it sniffs live network traffic or sits inline.
Each event produced by Suricata is identified by its own type. One of Suricata's many features is the production of ICMP transaction logs; in Suricata these are referred to as event type ICMPv4 or ICMPv6. ICMP events are commonly verbose, and ICMP is often discarded or prohibited on the enterprise network. Additionally, ICMP is used by various malware tools and groups. For example, ICMP echo requests (pings) are known to be used by malware for command and control or data exfiltration.
In this webinar, Peter Manev (@pevma) will provide hands-on training on how to create custom visualizations and dashboards for threat hunting and detection of such ICMP-related malicious activity.
We will also explore some traffic generated by publicly available open-source backdoor and CnC tools and identify detection mechanisms for those cases.
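As an added illustration of the kind of hunt described above (not code from the webinar or from the Suricata project), the script below scans constructed EVE JSON flow records for ICMP flows whose per-packet size, packet count or one-way nature looks unlike a normal ping. Field names follow Suricata's EVE flow record layout (`proto`, `icmp_type`, `flow.pkts_toserver`, `flow.bytes_toserver`); the thresholds are assumed heuristics, not Suricata defaults.

```python
import json

# Constructed sample EVE JSON lines (not real captures). Flow 1 is a stock ping,
# flow 2 is a long, heavy echo conversation, flow 3 is TCP noise, flow 4 is
# one-way ICMP with large payloads and no replies.
SAMPLE_EVE = r'''
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","proto":"ICMP","icmp_type":8,"icmp_code":0,"flow":{"pkts_toserver":4,"pkts_toclient":4,"bytes_toserver":392,"bytes_toclient":392}}
{"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"203.0.113.9","proto":"ICMP","icmp_type":8,"icmp_code":0,"flow":{"pkts_toserver":220,"pkts_toclient":218,"bytes_toserver":310000,"bytes_toclient":22000}}
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"TCP","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":1500,"bytes_toclient":9000}}
{"event_type":"flow","src_ip":"10.0.0.9","dest_ip":"198.51.100.4","proto":"ICMP","icmp_type":8,"icmp_code":0,"flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":3000,"bytes_toclient":0}}
'''

# Assumed heuristics: a default Linux ping is about 98 bytes on the wire, so a
# sustained average far above that suggests data riding inside echo payloads.
MAX_AVG_BYTES_PER_PKT = 200
MAX_PKTS_PER_FLOW = 100


def icmp_findings(eve_text):
    """Return a list of {src, dest, icmp_type, reasons} for suspicious ICMP flows."""
    findings = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a truncated line rather than abort the whole hunt
        if rec.get("event_type") != "flow" or rec.get("proto") != "ICMP":
            continue
        fl = rec.get("flow", {})
        pkts = fl.get("pkts_toserver", 0)
        bytes_ts = fl.get("bytes_toserver", 0)
        reasons = []
        if pkts and bytes_ts / pkts > MAX_AVG_BYTES_PER_PKT:
            reasons.append("oversized_payload")
        if pkts > MAX_PKTS_PER_FLOW:
            reasons.append("high_packet_count")
        if pkts and fl.get("pkts_toclient", 0) == 0:
            reasons.append("no_replies")
        if reasons:
            findings.append({"src": rec.get("src_ip"), "dest": rec.get("dest_ip"),
                             "icmp_type": rec.get("icmp_type"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in icmp_findings(SAMPLE_EVE):
        print(f)
```

The same three fields are what a dashboard panel would aggregate per source host; this script only shows the per-flow scoring step.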
Save the date: May 04, Thursday, 2 pm (GMT).
The Zoom webinar link will be shared on the day of the webinar.
The webinar will be recorded and posted on our OISF YouTube channel as well.