Re: How To Incident Response

["lannoun@runbox.com" <lannoun@runbox.com>]

Hi Gunar,

> OK, but I must first point to a minor contradiction here: Your mail's
> subject talks about incident response, but you talk here about
> "performing installation". Those are two very different (although,
> yes, conceptually related) issues.


You right. Here is a longer explanation:

In suricata's official guide In order to do "incident response" I need 
Snorby or Sguil to perform analysis and learn more about attacks.

https://suricata.readthedocs.io/en/latest/make-sense-alerts.html

Quoting from the docs :"In many cases, looking at just the alert and the 
packet that triggered it won’t be enough to be conclusive. When running 
an IDS engine like Suricata, it’s always recommended to combine it with 
full packet capturing. Using tools like Sguil or Snorby, the full TCP 
session or UDP flow can be inspected.

For example, if a rule fired that indicates your web application is 
attacked, looking at the full TCP session might reveal that the web 
application replied with 404 not found. This will usually mean the 
attack failed. Usually, not always.

Obviously there is a lot more to Incidence Response, but this should get 
you started."


Of course next step is to install  Apache + mod-security, but this is 
another story.


> What framework is it built on? Which language does it use?

Laravel, PHP.



> Keep in mind that for the next release cycle you will probably also
> have to self-support Snort²,

I'm not planning to use snort.
AFAIK suricata is an alternative to snort.  And snort is unnecessary 
when using suricata. Right?


> The issue with Snorby or Sguil is not compiling them (as they are not
> compiled - Ruby and Tcl scripts respectively), but supporting them
> (it's up to you to track and update new upstream versions). It *might*
> not be much of a burden, but again, check the projects' history; some
> pieces of software are a manitenance nightmare.


Thanks for clarification. I'll do.