[Oisf-users] Place to install Suricata

Cooper F. Nelson cnelson at ucsd.edu
Mon May 18 20:07:10 UTC 2015



I'll agree with this.  We monitor multiple DMZ vlans and see 300k-1+
million ET alerts per 24-hour cycle.  This makes separating the signal
from the noise difficult.

Ideally you would want to deploy suricata as part of a "full-stack"
defense-in-depth deployment and have it deployed behind your
firewall/proxy architecture.

I understand many people want to "see everything", but at this point it's
a given that your DMZ is going to be attacked 24x7.

-Coop

On 5/18/2015 1:46 AM, Christophe Vandeplas wrote:
> I would recommend using that functionality to your advantage, and
> eliminate a LOT of the incoming traffic/noise.
> From my experience detecting APTs is usually done by finding outbound
> traffic (CnC), and traffic attacking your DMZ systems (published
> services). So the less noise the better, and the more time you can
> spend to do manual analysis of the alerts you will be getting.


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
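The thread's point, that outbound (CnC-style) alerts from DMZ hosts are the signal and inbound scan noise is what buries it, can be applied to Suricata's EVE JSON output directly. The script below is an added example, not code from the list or the Suricata project; the DMZ prefix and the EVE records are constructed for illustration.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample of Suricata EVE JSON alert records (not real traffic);
# only the fields this example reads are included.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","alert":{"signature":"ET SCAN Example Scanner","severity":3}}
{"event_type":"alert","src_ip":"203.0.113.8","dest_ip":"192.0.2.10","alert":{"signature":"ET SCAN Example Scanner","severity":3}}
{"event_type":"alert","src_ip":"192.0.2.21","dest_ip":"198.51.100.5","alert":{"signature":"ET MALWARE Example CnC Checkin","severity":1}}
{"event_type":"flow","src_ip":"192.0.2.21","dest_ip":"198.51.100.5"}
{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.0.2.11","alert":{"signature":"ET WEB_SERVER Example Probe","severity":2}}
"""

# DMZ prefix treated as "ours" (an assumption made for this example).
DMZ_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def classify_direction(src_ip, dest_ip, nets):
    """'outbound' when a DMZ host talks to an external address,
    'inbound' when an external host targets a DMZ host, else 'other'."""
    src_local = any(ipaddress.ip_address(src_ip) in n for n in nets)
    dst_local = any(ipaddress.ip_address(dest_ip) in n for n in nets)
    if src_local and not dst_local:
        return "outbound"
    if dst_local and not src_local:
        return "inbound"
    return "other"


def triage_alerts(eve_text, nets=DMZ_NETS):
    """Count alerts per (direction, signature) from EVE JSON lines.
    Non-alert events (flow, dns, ...) are skipped."""
    counts = Counter()
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        direction = classify_direction(rec["src_ip"], rec["dest_ip"], nets)
        counts[(direction, rec["alert"]["signature"])] += 1
    return counts


def outbound_first(counts):
    """Review order for an analyst: outbound alerts (possible CnC) before
    inbound noise, then by volume descending within each direction."""
    return sorted(counts.items(), key=lambda kv: (kv[0][0] != "outbound", -kv[1]))
```

Running `outbound_first(triage_alerts(open("eve.json").read()))` on a real log gives the same ordering over a day of alerts, so the single CnC check-in is at the top rather than under the scan volume.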


