running Malcolm but the old Malcolm - need to image and install latest - sort of dread going from debian to ubuntu but if i image i can revert easily. maybe they figured out updating, i don't want github only updates.

anyways it is a good one to offer vs say security onion - they use the same components mostly, suricata, zeek, elastic, maybe he has a live iso like last time.

i think the reason to go to ubuntu is better newer drivers, bigger dev base? as long as it works - that is my concern, avoid dependency hell and breakage.

it is good with managing all the containers and space for /datastore #sigs #hashes #dpi #netflow #ntop-ng #tcp-replay #binaries #hashcat

Shiba Inu Records -131 Billion in 24 Hours: Negative Netflow Signals Growing

https://misryoum.com/us/economy/shiba-inu-records-131-billion-in-24-hours/

SHIB exchange flow is hinting at another rally
Shiba Inu OI flips positive with 2.24% surge
The Shiba Inu exchange netflow has gone extremely negative despite the weak price trend, suggesting that retail and institutional traders are quietly accumulating the asset...

#Shiba #Inu #Records #131 #Billion #Hours #Negative #Netflow #Signals #Growing #US_News_Hub #misryoum_com

Yes, You Too Can Be An Evil Network Overlord - On The Cheap With OpenBSD, pflow And nfsen https://nxdomain.no/~peter/yes_you_too_can_be_an_evil_network_verlord.html

A story about network metadata and #openbsd, originally from 2014, good for reprising. See The Book of PF for more #nfsen #netflow #pflow #monitoring #networking #security #pf #packetfilter #bookofPF @nostarch

@da_667 i would say go for the standalone lib? this would be a nice switch to use when building, more info is better #ntop-ng #netflow #logs

Using nDPI as a standalone library when building Suricata is a powerful way to transform it from a traditional signature-based IDS/IPS into a smarter, more context-aware network security monitoring system. The integration addresses several key limitations of Suricata by adding a dedicated, high-performance deep packet inspection (DPI) engine.

The table below summarizes the core reasons for this integration.

Reason: Massively expanded protocol coverage
Explanation: Suricata natively supports ~20 protocols, while nDPI recognizes 450+ (including Cloud, IoT, and OT protocols).
Key benefits: Enables visibility into a wider range of applications and potential threats that Suricata would otherwise miss.

Reason: Enhanced threat detection capabilities
Explanation: nDPI adds behavioral analysis and risk detection to Suricata's signature-based approach.
Key benefits: Allows detection of anomalies like encrypted traffic on standard ports, self-signed certificates, and command-and-control (C2) channels hiding in plain sight.

Reason: More powerful and precise rules
Explanation: The plugin introduces new rule keywords: ndpi-protocol and ndpi-risk.
Key benefits: Enables writing rules based on detected application (e.g., TLS.YouTube) or specific risk (e.g., NDPI_BINARY_APPLICATION_TRANSFER), significantly reducing false positives.

Reason: Richer contextual metadata
Explanation: Suricata's logs (EVE JSON) can be augmented with protocol and metadata identified by nDPI.
Key benefits: Provides security analysts with deeper insights for faster threat hunting and forensic analysis without needing full packet captures.
🛠️ How to Integrate nDPI with Suricata

nDPI is integrated as a plugin that is not built into Suricata by default. You need to explicitly enable it during compilation. The process, as outlined in the official Suricata documentation, involves two main steps:

Build Suricata with nDPI support: When configuring your Suricata build from source, you must use the --enable-ndpi flag and point to your nDPI source code.

```bash
./configure --enable-ndpi --with-ndpi=/path/to/your/nDPI/source
```

Load the plugin: After installation, you need to ensure Suricata loads the nDPI plugin by adding its path to the suricata.yaml configuration file.

```yaml
plugins:
  - /usr/lib/suricata/ndpi.so
```

By building Suricata with the standalone nDPI library, you are essentially giving it a "second opinion" on network traffic. nDPI handles the heavy lifting of identifying countless applications and their potential risks, which then feeds directly into Suricata's core engine for alerting and logging. This makes your network defense far more robust and intelligent.

Would you like to see more detailed examples of Suricata rules that use the ndpi-protocol and ndpi-risk keywords?
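Added example rules, not from the post above or from the Suricata/nDPI projects, showing the two keywords in use. The keyword syntax follows the Suricata nDPI plugin documentation; NDPI_TLS_SELFSIGNED_CERTIFICATE is an existing nDPI risk name, while the sid values and message texts are made up for this example.

```suricata
# Application match: flows nDPI classified as YouTube inside TLS,
# regardless of port (a signature-only ruleset cannot express this).
alert ip any any -> any any (msg:"nDPI: YouTube over TLS"; ndpi-protocol:TLS.YouTube; classtype:policy-violation; sid:9000001; rev:1;)

# Risk match: an executable being transferred, whatever the carrier protocol.
alert ip any any -> any any (msg:"nDPI risk: binary application transfer"; ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER; classtype:trojan-activity; sid:9000002; rev:1;)

# Both keywords combined: TLS flows whose server presented a self-signed certificate,
# one of the anomaly classes mentioned above.
alert tcp any any -> any any (msg:"nDPI risk: self-signed TLS certificate"; ndpi-protocol:TLS; ndpi-risk:NDPI_TLS_SELFSIGNED_CERTIFICATE; classtype:bad-unknown; sid:9000003; rev:1;)
```

Add the file to rule-files in suricata.yaml and run `suricata -T` to confirm the plugin loaded and the keywords are recognised; without the plugin these rules fail to parse.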

The evolution of flow-statistics collection at Yandex: architecture, pitfalls and optimizations

Hi, Habr! This is Sasha Lopintsev, SRE in the network infrastructure and monitoring development group at Yandex Infrastructure. I really love monitoring, and when it comes to network traffic visibility there is no way around flow-data analysis. Today I'll explain how and why we migrated from an outdated flow collector to GoFlow2, implemented writing to a database, and solved the template problems with etcd. The new system processes 85 thousand statistics packets per second, provides fault tolerance and helps build reports. If you want to learn a bit more about the architecture, experiments, mistakes and decisions that are useful for infrastructure monitoring in a production environment, read on.

https://habr.com/ru/companies/yandex/articles/1000520/

#flowметрики #goflow #goflow2 #etcd #ipfix #sflow #netflow

UNC3886 leveraged ORB infrastructure for stealthy telecom targeting.

Per Cyber Security Agency of Singapore:
• Zero-day firewall compromise
• Rootkit persistence mechanisms
• GOBRAT & TINYSHELL C2 nodes
• ORB-tagged IP clustering in Singapore ASNs
• NetFlow-confirmed router-to-ORB communications
• Pre-positioned reconnaissance

Attribution aligned with assessments from Mandiant linking activity to China-sponsored espionage.

ORB networks blur the line between botnets and residential proxy ecosystems, increasing attribution friction and collateral risk.

Defensive priorities:
• Threat intel enrichment
• Edge device patch enforcement
• ASN anomaly detection
• Zero-trust segmentation
• IoT telemetry visibility

How mature are ORB detection capabilities in your SOC?

Engage below.

Source: https://cyberpress.org/orb-networks-masks-attacks/

Follow @technadu for advanced threat analysis.

#ThreatIntel #UNC3886 #ORBNetworks #IoTSecurity #ZeroDay #C2Infrastructure #NetFlow #TelecomSecurity #BlueTeam #ThreatHunting #APTActivity #CyberOperations #Infosec

OH: „I mean that it’s generally bad idea to enable Netflix on switch“

#BGP #Netflow #sflow #InternetLarry

Hopefully soon I'll publish a new project to create #netflow infrastructure in Oracle cloud with "one" click

At the moment I've completed the "single developer" use case but a "one click #kubernetes cluster" is in progress

Very nice: my #Mikrotik now writes #Netflow to #ntopng.
Next step: push the data on to #Grafana.

#Hashtaggalore

An overview of the Akvorado NetFlow collector with visualization: from deployment to practical use

Akvorado is not just a tool for attracting traffic, but a modern and scalable solution that turns raw data (NetFlow, sFlow) into clear and visual information. In this article we walk through every stage of working with Akvorado, from the architecture to the nuances of deployment, drawing on our own experience.

https://habr.com/ru/companies/hostkey/articles/944550/

#hostkey #netflow #sflow #ipfix #akvorado #clickhouse #kafka #docker #сетевой_мониторинг

Author: Nikita Vypryazhkin, junior administrator in the DevOps department. Network traffic is like the flow of water in a river. You can stand on the bank and watch it run, or you can dive deeper and understand: where...