minispooner / red-team-playground

Docker network containing many vulnerable targets for practicing Red Teaming concepts (initial access, priv esc, persistence, lateral, C2, evasion, etc).
MIT License

Suricata Automation for Blue Team Simulation #5

Open PolymorphicOpcode opened 1 year ago

PolymorphicOpcode commented 1 year ago

What are your thoughts about using Suricata for an IDS? I don't have experience with it, but would love to deep dive if it would be helpful! That's the solution that seems most obvious to me, but maybe someone has experience with another? Feel free to respond with suggestions :)

minispooner commented 1 year ago

Hi, thanks for helping out! I was glancing at the article below. I gotta look deeper into this; the past few days I've been more concentrated on prepping the project for collaborators, and haven't looked too deeply into a blue bot yet or the options there. https://www.blackhillsinfosec.com/wp-content/uploads/2021/03/SLIDES_OpenandFreeEDR.pdf We should assess several and compare them to see which would be best. That may include building a few of them and then choosing the best 🤷

minispooner commented 1 year ago

Alright, I did some research tonight on options, and the most common ones seem to be the major enterprise ones. Most have trials, but I don't want registration to be a pre-req to using this lab, plus the trials expire. And I didn't see any of those with free tiers. So an open source version is probably best in this case. We'd probably want the most common one, and key features would be a dashboard/alert system.

minispooner commented 1 year ago

Looks like these often split roles like file integrity monitoring, network traffic analysis, data loss prevention, etc. OS solutions I've come across a few times now: OSSEC, Tripwire, Wazuh, Open DLP, Open EDR, Samhain.

I'm leaning away from network analysis tools like Zeek & Snort and more interested in one overarching EDS like Wazuh or OSSEC. Sounds like Tripwire doesn't have active alerting.

minispooner commented 1 year ago

@PolymorphicOpcode, are you interested in setting up Wazuh or OSSEC as services in the Docker Compose file to see how they work and how to onboard the other machines to the monitoring?