Is there a better way to inject and analyze Suricata data on the pfsense. The WebGUI just inst great.
Today I received an alert for
INDICATOR-SHELLCODE x86 inc ebx NOOP
ET SHELLCODE Common 0a0a0a0a Heap Spray String
Because I have no payload to analyze and the event is in the past its impossible to know if I have a compromised system or a false positive.
To get better insights you need full packet capture from a tool such as https://securityonionsolutions.com/ that would track not only the alert but all the related connections.
i think i saw this. So i would need something like filebeat or something else to get those Suricata logs into SO?
SecurityOnion can ingest logs, but also it has Suricata along with the packet inspection.
Right but how do i get those logs off the pfsense and into securityonion? Or do I just point SO to the pfsense in the directories where the suricata logs are found?
No, just use SecurityOnion for Suricata instead.
Ahh gotcha. Thanks Tom.
That particular alert also pops up if you have some suricata instance that fetches signature updates in cleartext while another suricata instance is monitoring the download. Suricata sees some string in the signatures (because its own signatures contain the same string to look for).