Suricata IDS rule authoring for suspicious lateral movement

4920 views

                  alert tcp $HOME_NET any -> $HOME_NET 445 (
  msg:"Possible SMB lateral movement enumeration";
  flow:to_server,established;
  content:"|FF|SMB"; depth:4;
  threshold:type both, track by_src, count 15, seconds 60;
  sid:1000001; rev:1;
)

Detection engineering works best when the rule reflects a behavior you can explain, not just a string that looked scary once. I use Suricata for network patterns that are specific enough to matter operationally. Rule quality is a maintenance problem as much as a syntax problem.

Kai Nakamura

More from Kai Nakamura

Suricata IDS rule authoring for suspicious lateral movement

0 Comments

More from Kai Nakamura