Suricata Datasets: Powerful IOC Checking and Anomaly Detection

  • Published: 4 Dec 2022
  • Presented at SuriCon 2022 by Eric Leblond
    Suricata 5 introduced the dataset feature into the code base. Although that was back in 2019, many developers still do not fully understand its capabilities. Suricata can now match a list against more than 50 different buffers: for example, checking a list of hostnames against a "known bad" database in the HTTP hostname or in the TLS Server Name Indication, or checking an HTTP user agent list. These lists may consist of just a few items or of millions, and they are evaluated in real time without degrading system performance. In an even-less-understood application, the dataset feature can be used to create a learned list, tracking what is seen on the network and when. This can be used to build a new class of machine-learning based anomaly detection.
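The two uses the talk describes (a known-bad list checked against the HTTP hostname and TLS SNI buffers, and a learned list that records every value seen) map onto the `dataset:isset` and `dataset:set` rule keywords. The script below is an added example, not code from the talk or from the Suricata project; it builds a `type string` dataset file (Suricata stores one base64-encoded value per line), writes the rules, and uses constructed sample hostnames. File names, dataset names and sids are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk or the Suricata project): build a string-type
# dataset file and the rules that use it. File names, dataset names and sids
# are assumptions; hostnames are constructed sample values.

# Encode one value as a dataset line. "type string" datasets are stored as
# base64, one entry per line, so strip any line wrapping the encoder adds.
dataset_encode() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Write a dataset file from the values passed after the output path.
build_dataset() {
    out="$1"; shift
    : > "$out"
    for v in "$@"; do
        dataset_encode "$v" >> "$out"
        printf '\n' >> "$out"
    done
}

# Write the rules. Rules 1 and 2 share the bad-hosts dataset and alert when the
# HTTP host or TLS SNI is in it (isset). Rule 3 is the learned list: "set" adds
# every SNI to seen-sni, matches only on a value not seen before, and "state"
# persists the list across restarts so the baseline keeps growing.
write_rules() {
    cat > "$1" <<'EOF'
alert http any any -> any any (msg:"HTTP host in bad-hosts dataset"; http.host; dataset:isset,bad-hosts,type string,load bad-hosts.lst; sid:9000001; rev:1;)
alert tls any any -> any any (msg:"TLS SNI in bad-hosts dataset"; tls.sni; dataset:isset,bad-hosts,type string,load bad-hosts.lst; sid:9000002; rev:1;)
alert tls any any -> any any (msg:"TLS SNI not seen before"; tls.sni; dataset:set,seen-sni,type string,state seen-sni.lst; sid:9000003; rev:1;)
EOF
}

# Demo: write the list and rules into a temporary directory.
demo() {
    dir=$(mktemp -d)
    build_dataset "$dir/bad-hosts.lst" evil.example bad.example
    write_rules "$dir/datasets.rules"
    printf 'dataset and rules written to %s\n' "$dir"
}

demo
```

Point Suricata at the generated rules file (and place `bad-hosts.lst` where the `load` option can find it, normally the rule or data directory); the learned `seen-sni.lst` is created and updated by Suricata itself. Because `set` only matches on first sight, rule 3 produces one alert per new server name, which is the "what was seen, and when" record the talk builds anomaly detection on.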