Glad it was helpful

Thanks!

I've released a follow-up that introduces a few options for visualisations and analytics: kzbin.info/www/bejne/gYioiIiVpa6nr8k

Thanks!

Thanks!

I've released a follow-up that introduces a few options for visualisations and analytics: kzbin.info/www/bejne/gYioiIiVpa6nr8k

Sounds like I'll need to make a follow-up!

I've released a follow-up that introduces a few options for visualisations and analytics: kzbin.info/www/bejne/gYioiIiVpa6nr8k

Thanks!

I've released a follow-up that introduces a few options for visualisations and analytics: kzbin.info/www/bejne/gYioiIiVpa6nr8k

Everybody loves a graph 😉

I've released a follow-up that introduces a few options for visualisations and analytics: kzbin.info/www/bejne/gYioiIiVpa6nr8k

Thanks. I know what you mean - logs are difficult to get excited about. Once it's tweaked to reduce false positives you can feed it into a security platform and have it email you when there's something to worry about.

I'll add it to the list, thanks!

I've released a follow-up that introduces a few options for visualisations and analytics: kzbin.info/www/bejne/gYioiIiVpa6nr8k

@@ProTechShow nice thank you for the follow up. Much appreciated

That's an impressive number of VLANs for a home network!

@@ProTechShow it works remarkably well and don’t even think about it normally. Btw for the network that have wireless access the ssids and the documentation each vlan/subnet is named after a planet in the solar system.

@@marksterling8286 that brings back a memory. One of our guys was onboarding a customer several years ago who named servers after planets, and he needed access to a particular server. Cue the question "Dave, can you let me into Uranus, please?" being asked loudly across the office before he realised what it sounded like!

I've released a follow-up that introduces a few options for visualisations and analytics: kzbin.info/www/bejne/gYioiIiVpa6nr8k

It depends what you want to monitor. If it's just traffic to/from the internet then the LAN side of your router may be a better choice. If you're using NAT then the WAN side will show outbound traffic from your router's public IP rather than your internal hosts, and you'll probably pick up a ton of alerts from random internet-based port scans and the like bouncing off your firewall. The LAN side should be quieter, showing only traffic that made it though your firewall, and with recognisable internal IPs. You don't have to use it just for internet traffic, though. If you forward ports from your internal network it can pick up on insecure LAN traffic (e.g. credentials passed around in plaintext) and indicators of lateral movement between hosts.

I'll add it to the list!

I've released a follow-up that introduces a few options for visualisations and analytics: kzbin.info/www/bejne/gYioiIiVpa6nr8k

Thanks!

Yes. Although I don't use it myself, Suricata is available as a package for pfSense. Have a search in the package manager after installing pfSense.

@@ProTechShow thanks !!!

Prefix the command with "sudo" to elevate your permissons

THANK YOUU @@ProTechShow

how do i use hyper V on rocky and do i need to download it ?@@ProTechShow

im using virtualbox , where do i need to install hyper v , is it on rocky or windows ?@@ProTechShow

Hyper-V is the Windows hypervisor. You enable it as a role after installing Windows. Usually (unless testing something), you want to run it on bare metal. The equivalent for Rocky Linux would be KVM.

I haven't got a copy of OPNsense installed at the moment to check. I'm running Suricata standalone and feeding its alerts to Wazuh, with Wazuh doing the alerting.

More than you might initially expect. It can't see through the encryption, but it can see the DNS request, the layer 4 stuff like IP address you're connecting to and protocol used, and the TLS handshake from which it can get the hostname requested via SNI, details of the server's TLS certificate, indications of attempted TLS exploits like POODLE, etc. It can't read the data once the TLS session is established, but it has a pretty good idea who you're talking to, so it can alert you that a device on your network is communicating with a website known to act as a command and control server for a particular family of malware, or with a website whose TLS certificate was issued by a certificate authority with loose standards that is known to be used by bad actors, etc.

"Free" SIEM tools usually require a lot of manual effort as they're very light on correlation rules and threat intelligence compared to paid tools (essentially, you pay for the threat data, not the tool). If you're willing to put the effort in, Wazuh or Elasticsearch are probably your best free options. OSSIM is another one if you don't need to keep the logs for a long period, but if it's for professional use that would normally rule it out.

Well, the installer does... but you probably need to install WinPcap separately as well, and then it's over to text files and command line to configure/use it. Personally, I think it will be less user-friendly - especially if you hit a problem and need to Google it! Typically, you have Suricata running invisibly in the background and you surface the data in a separate visualisation tool that is likely pulling information from a number of other sources as well. If people want it I'll cover that in a later video. If you want something that will give you a GUI to use straight out of the box you're not after Suricata itself but a security product that has already integrated Suricata. I'll try and test a few free ones before I make a follow-up so I can include a "if you can't be bothered with this integration stuff, here's an easy option" alternative.

Not quite what you were asking for; but I've released a follow-up that introduces a few options for visualisations and analytics, and I give a brief mention to IDSTower at the end which isn't really the focus of the video but does provide a web interface for installing and configuring Suricata: kzbin.info/www/bejne/gYioiIiVpa6nr8k

Too much CLI for me

I used to work with a guy whose catchphrase was "Where there's a wizard there's a way!" (Referring to the "next, next, finish" type of wizard, not the Gandalf type... do people still call those wizards?)

@@ProTechShow Software use "Setup Assistant" nowadays. I prefer wizards though!

"Where there's a setup assistant there's a way" just doesnt have the same ring to it...

I've released a follow-up that introduces a few options for visualisations and analytics. There's also a brief mention of IDSTower at the end which isn't for visualising data, but does let you install Suricata using a web interface instead of command line: kzbin.info/www/bejne/gYioiIiVpa6nr8k

I'm surprised I didn't have to fish this comment out of the bin. KZbin usually blocks anything that looks like it contains commands or code, and I have to go through and unblock them. Maybe it's because you said "sudo". 😆