HIDS is a bit more interesting - most tools are open source here (ossec or tripwire), but some closed-source tools do similar things (eg, crowdstrike). Similar closed-source NIDS tools would be fireeye or darktrace (amongst many others). This might be system files being modified, new users being added or permissions changing on sensitive files, just to name a few. It operates by running directly on an endpoint (eg, a server, a desktop, a laptop) and detecting unusual activity on the computer, which doesn’t have to be network based. Ossec is a host-based intrusion detection system, or HIDS. This might be a DoS attempt, port scanning, or almost any other sort of network-based attack. It operates by looking at network traffic and attempting to detect attacks and other unusual network activity. Snort is a network intrusion detection system, usually called a NIDS, or more typically just an IDS (you’ll also see IPS and/or NIPS, which is an intrusion prevention system, ie, it’s configured to block these attacks). Snort and ossec are both detection tools, but they’re not really the same in function although they do similar things. Think of splunk as an engine for processing data from other systems. Splunk itself doesn’t detect/create raw events, it simply helps you search and correlate them (amongst other things). If you threw every resource at the one detection and needed it the instant it happened then you could probably get it down to 15-30 seconds, depending on what you’re trying to detect.Īlso: just to clarify, splunk would consume the logs from other detection tools like ossec and snort. If you don’t have ES then you’ll likely need to write your own correlation search to find the attacks.ĭetection time for something like a brute force attack in a properly configured ES environment will be between 5-10 minutes for most organisations. All tools require configuration to correctly detect attacks, and even more so when you need to connect detection tools like snort and ossec with a data analytics and correlation tool like splunk, then generate alerts off the back of that. You could easily stand up Elastic and Splunk both, then try doing something similar in each, to compare/contrast them in different ways. You would want to compare Splunk to other SIEMs or other tools for analyzing machine data, if you specifically wanted to compare Splunk to something. So comparing it to those two isn't the right kind of comparison to make. Splunk isn't a detection tool like OSSEC and Snort (as u/jrz302 said). (Obviously, this assumes that your router can forward logs some consumer routers can't.)ĮDIT: I should have read your comparing statement more fully, my bad. Feeble attacks, perhaps, but it addresses your use case. Those right there are attacks on a network. You'll immediately see the router blocking a LOT of connection attempts on port 22. Then configure your router to send its logs to the Splunk machine on the port you designated when you told Splunk to listen. Once it's installed, have it listen for incoming data (default is 9997). To be honest, the absolute easiest way to do this is install Splunk in a place where your home router can reach it. Once you have that snort data in splunk, then you can correlate that to WinEventLogs, start detecting lateral movement with DNS logs, the list goes on and on. You should also consider quality of the Alert as well. Technically, if you have snort detect something, and then ingest it into Splunk snort will always be slightly faster because it is the source of the information, but you shouldn't just consider speed. That's where ES Comes in and you can set up correlation rules to better hunt for threats. If you don't have ES, you're looking at setting up alerts manually yourself. Once you have that information in Splunk then you can start alerting on it and doing stuff with it. Take your pick of logs and you can ingest it into Splunk. For example you can have information from WinEventLogs, snort, DNS entries, Tanium, AD, Exchange. The advantage of using Splunk itself to do the Alerting and detecting is that you can have the data from many different tools in one place. Yes, Splunk takes data from other sources and ingests them into it.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |