🚀Introducing SO-CRATES 1.0 — Security Onion Containerized Rapid Analysis of Threats, Evil, and Sus!

SO-CRATES is a single container image for analyzing pcap files, log files, and binary files. It was formerly known as OhMyPCAP.

Here's what you can do with SO-CRATES:
✅analyze pcap files and then review Suricata alerts, metadata, and extracted files
✅import log files and then review Sigma alerts and the original log entries
✅import binary files and then review YARA matches and file metadata

All of this runs in a single Docker/Podman container — perfect for air-gapped environments, malware analysis, incident response, threat hunting, forensics & teaching.

Who’s trying it out? Drop a ❤️ and reply with your main use case!

#DFIR #Cybersecurity #BlueTeam #ThreatHunting #Suricata #YARA #Sigma

@securityonion
@chrissanders88

----------------

🛠️ Tool: Pcap2Timeline - Fast PCAP triage into analyst-friendly CSV output
===================

Pcap2Timeline is a lightweight shell script (pcap2csv.sh) that wraps Suricata to transform raw PCAP files into structured CSV datasets. It leverages Suricata's eve.json output and converts it into multiple CSV files, one per event type, plus a chronologically merged timeline.

🔹 Key Features

The script extracts the following event categories from PCAP files:
• Alerts - Suricata rule match notifications
• DNS - Queries and responses
• HTTP - Request and response metadata
• TLS - SNI, certificate information
• FTP - Commands and file transfers
• SMB - Windows file sharing activity
• SSH - Secure shell sessions
• RDP - Remote desktop connections
• Flows - Connection statistics and metadata

Each event type gets its own CSV, and a combined capture_timeline.csv merges all events in chronological order. Custom Suricata rules can be applied via the -R flag, enabling targeted detection during triage instead of relying only on default rule sets.

🔹 Technical Implementation

The script is written in POSIX sh with no bashisms, meaning it runs on minimal Unix environments without requiring bash. Dependencies are intentionally sparse: suricata for packet processing and jq for JSON parsing. Standard POSIX utilities handle the rest.

Given an input capture.pcap, the script creates a pcap2csv_output/ directory containing separate CSVs for alerts, DNS, HTTP, TLS, FTP, flows, and the merged timeline.

This integrates cleanly with Eric Zimmerman's Timeline Explorer for interactive filtering and pivoting through the results.

🔹 Setup

sudo apt install suricata jq
sudo suricata-update
git clone https://github.com/mf1d3l/Pcap2Timeline.git
chmod +x pcap2csv.sh

Usage: ./pcap2csv.sh <input.pcap> [-R <rules-file.rules>]

🔹 Considerations

The tool fills a specific niche: rapid initial triage, not deep analysis. It does not correlate events across categories or generate findings automatically. Analysts still need to interpret the data, but having it pre-organized by event type with a unified timeline significantly reduces orientation time within a new PCAP. The extraction is bounded by what Suricata can detect, so protocols not covered by the loaded rule set will not appear in output.

🔹 tool #PCAP #Suricata #DFIR #networkforensics

🔗 Source: https://github.com/mf1d3l/Pcap2Timeline

At the Boston Official Cybersecurity Summit, Dr. Kelley Misata closed with “Trusted by Default: The Open Source Risk Hiding in Plain Sight.”

Her session brought OISF’s open source security perspective into the room and connected it to our work supporting #Suricata.

Thank you to all who joined!

Suricata often enters the workflow before it enters the conversation through SOC distributions, training labs, alert pipelines, vendor products, or rules firing in another interface.

To better understand what Suricata is doing under the hood, start here: https://suricata.io/learn/learning-library/
#Suricata #LearningLibrary

Пещера Алладина для безопасника: 754 навыка для AI-агента и что будет, если использовать их для своего NGFW

Разбираемся с открытой библиотекой Agent Skills для кибербезопасности на 754 навыка, показываем, как она устроена, и проводим живой эксперимент: даём агенту Hermes два навыка и просим разобрать реальный IPS-лог и провести аудит правил файрвола – сначала на бесплатной модели Owl Alpha (из-за того что подобную модель при желании можно использовать локально), затем на платной Opus 4.8 (Cloude Security). Сравниваем, где проходит граница между «бесплатно» и «дорого, но качественно». Откуда взялась «пещера» В одну ночь у нас на столе оказались четыре вещи: открытый репозиторий с 754 (!) навыками по ИБ для AI-агентов, автономный агент Hermes от Nous Research, LLM-модели Owl Alpha и Opus 4.8, а также открытое API Ideco NGFW в markdown-формате и соответствующий тестовый сервер. Собрали всё вместе и проверили на что способен AI-native администратор NGFW. Ощущение от первого захода в репозиторий было ровно как у Аладдина в пещере: вокруг сундуки с готовыми playbook'ами, на каждый второй случай из жизни безопасника. Volatility3 для дампов памяти, Zeek для разбора PCAP, Sigma-правила под Kerberoasting, разбор Cobalt Strike beacon, форензика облаков на трёх провайдерах. И ключ ко всему этому богатству – почти любая LLM, которая умеет в tool calling. Проведем эксперимент: два конкретных навыка из сетевой безопасности, один агент, реальные данные. И в конце – где здесь грабли, на которые легко наступить. Что такое Agent Skills и почему это не просто очередные промпты Agent Skills – это открытый формат для расширения возможностей AI-агента специализированными знаниями и рабочими процессами. Вместо того чтобы каждый раз промтом объяснять модели, «как senior-аналитик расследует утечку через DNS-туннель », вы один раз описываете этот workflow в структурированном виде – и подкладываете агенту.

https://habr.com/ru/companies/ideco/articles/1043130/

#llm #llmагент #hermes_agent #IPS #firewall #межсетевой_экран #ideco_ngfw #ideco #Suricata #информационная_безопасность

Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the zeek container causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.05.2...v26.06.0

• 🛡️ Security Remediation & Hardening (#996)
  • Unauthenticated reflected XSS / open redirect in /dashboards/app/refred; also added Content-Security-Policy framing headers (frame-ancestors, base-uri, form-action) and X-Frame-Options: SAMEORIGIN globally to mitigate clickjacking (#997)
  • Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
  • Password stored as MD5-crypt for SFTP (#1009)
  • Authenticated archive zip-slip file write in filebeat container (#999)
  • OpenSearch path injection via /mapi/fields?template (#1000)
  • submit.php Location: open redirect via Referer (#1007)
  • htadmin proxied with no nginx auth gate (#1003)
  • Keycloak OIDC ssl_verify always set to false (#1006)
  • NetBox SUPERUSER_PASSWORD=admin shipped default (#1011)
  • RBAC defaultdict(lambda: True) fail-open for unlisted handlers in Malcolm API (#1004)
  • Read-only Arkime deny-regex omits addtags/removetags (#1008)
  • Read-only deployment allows POST /mapi/event (#1002)
  • WISE auth path selectable by client User-Agent (#1001)
  • ARKIME_PASSWORD_SECRET=Malcolm shipped default (#1005)
  • requests CVE bump reverted in logstash image (#1010)
  • Fix API auth errors and hide NGINX version disclosure (#989)
• 🐛 Bug fixes
  • auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
  • Ensure list of archive file types supported by Malcolm for uploading Zeek logs (application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform.
  • zeek container continually grows /usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
• ✅ Component version updates
  • Filebeat to v9.4.2
  • Fluent Bit to v5.0.6
  • Logstash to v9.4.2
  • Supercronic to v0.2.46
  • uv to v0.11.15
• 🧹 Code and project maintenance
  • Fixed some incorrect links in documentation (#988, thanks @jsoref)
  • Refactored NGINX error pages configuration into its own include file and added a 401.html page
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added KEYCLOAK_SSL_VERIFY (default false) to keycloak.env for #1006
  • The Arkime password hash secret ARKIME_PASSWORD_SECRET in arkime-secret.env no longer has a default value: it must be set during auth_setup (for #1005)
  • The Netbox superuser password SUPERUSER_PASSWORD in netbox-secret.env no longer has a default value: it must be set during auth_setup (for #1011)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

We've recently merged 2 new rulesets into the Suricata Intel Index! The IPFire DBL (https://www.ipfire.org/dbl) and the Antiphishing ruleset (https://github.com/julioliraup/Antiphishing) by julioliraup. Thanks!!

#suricata

How do you actually use AI with Suricata in practice?

In this webinar, Peter Manev walks through analyzing network metadata and alert payloads with AI as part of the workflow, using XLoader as the example.

Replay: https://www.youtube.com/watch?v=tuR2SRhMqQQ

#Suricata #OpenSource #Webinar