[Oisf-users] Suricata Heartbeat Alert
Cooper F. Nelson
cnelson at ucsd.edu
Tue Aug 1 16:52:22 UTC 2017
Indeed. If I was doing something like this for a SOC, I would have it
generate a test alert + ticket at the beginning of every SOC rotation,
to be reviewed and closed by the on-call handler. Then have an
automated process to alert the SOC management if that doesn't happen.
I can also see value in creating a suite of unit test rules, one for
each protocol and detection mechanism. Then have scheduled tests and
produce an automated "PASS/FAIL" for each unit test. For example,
testing file extraction and confirming via a SHA256 checksum.
Back in the day there was also a piece of software called 'snot', that
could be used to generate packets from snort rules, in order to help
test an IDS.
-Coop
On 8/1/2017 4:13 AM, Kerry Milestone wrote:
> In many ways, I believe the heartbeat for something like an IDS must be
> out-of-band which tests the entire service platform and not just the
> application itself.
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
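An added illustration of the scheduled PASS/FAIL unit tests described above (example code, not from the thread or the Suricata project): a small checker that reads EVE JSON and reports whether the heartbeat rule fired inside the SOC rotation window and whether a known test file was extracted with the expected SHA256. The sid 9000001, the test file bytes and the EVE lines are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime

# Hypothetical sid reserved for the heartbeat test rule (an assumption, not from the post).
HEARTBEAT_SID = 9000001
# Constructed test file whose SHA256 the file-extraction check must see in eve.json.
TEST_FILE = b"suricata file-extraction unit test\n"
EXPECTED_SHA256 = hashlib.sha256(TEST_FILE).hexdigest()
# Constructed EVE JSON lines standing in for a real eve.json.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2017-08-01T08:00:05.000000+0000","event_type":"alert",'
    '"alert":{"signature_id":9000001,"signature":"LOCAL heartbeat test"}}',
    '{"timestamp":"2017-08-01T08:00:07.000000+0000","event_type":"fileinfo",'
    '"fileinfo":{"filename":"test.bin","state":"CLOSED","sha256":"%s"}}' % EXPECTED_SHA256,
])

def parse_time(ts):
    """Parse Suricata's EVE timestamp format, e.g. 2017-08-01T08:00:05.000000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written last line is normal on a live log
    return events

def check_heartbeat(events, sid, start, end):
    """PASS if the heartbeat rule fired inside the rotation window [start, end]."""
    for ev in events:
        if ev.get("event_type") == "alert" and ev["alert"].get("signature_id") == sid:
            if start <= parse_time(ev["timestamp"]) <= end:
                return "PASS"
    return "FAIL"

def check_file_extraction(events, expected_sha256, start, end):
    """PASS if a fully extracted (state CLOSED) file with the expected SHA256 was logged."""
    for ev in events:
        fi = ev.get("fileinfo", {})
        if fi.get("state") == "CLOSED" and fi.get("sha256") == expected_sha256:
            if start <= parse_time(ev["timestamp"]) <= end:
                return "PASS"
    return "FAIL"

def run_unit_tests(eve_text, start, end):
    # One PASS/FAIL verdict per unit test for a single rotation window.
    events = parse_eve(eve_text)
    return {"heartbeat": check_heartbeat(events, HEARTBEAT_SID, start, end),
            "file_extraction": check_file_extraction(events, EXPECTED_SHA256, start, end)}
```

In practice the scheduler would replay the test traffic first, then run this against the live eve.json with the current rotation's window and page management on any FAIL.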