657 Followers · 163 Following · 121 Posts
#Malware Analysis, #DFIR, Computer #Forensics, Incident Response, #ThreatIntel, #OSINT, #CyberSecurity
#Linux, #FreeBSD, #ReactOS and #MeshCore enthusiast 
Tips, Tricks, Tools and Trainings by ladislav_b (#Network Analyst @ESET, #Slovakia). Opinions are my own.
Web: https://malwarelab.eu
Web: https://baco.sk
X: https://x.com/malwarelab_eu
X (personal): https://x.com/ladislav_b
nostr: b40c155b55a94238005acc780ad8feb89daab358d73c2035c5e14b96289e4243

Investigation scenario:
We just received three notifications with alerts from #Suricata #IDS

1) GPL SMTP vrfy root, from unknown IP to our mailserver

Shortly after that, two more alerts appeared:

2) ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; from the same unknown IP to Windows computer in our network
3) ET MALWARE Possible Metasploit Payload Common Construct Bind_API, again from the same unknown IP to the same Windows computer

What happened?
What to do? How to analyze network traffic and investigate those alerts?

We do not have any EDR or XDR installed on that Windows computer. Right now, we have only Suricata eve.json logs ingested to the #OpenObserve #SIEM

If you would like to see more, you are welcome to attend my @suricata webinar on March 11.
Register here: https://us02web.zoom.us/webinar/register/WN_I6BNbCU2SNG2fAOEiotPiQ
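A first triage step for a case like this, added here as an example and not code from the post: it reads Suricata eve.json, keeps the alert records, pivots on the external source IP and lists the internal hosts, flow_ids and rule sequence a responder would then pull from the capture. The eve.json lines are constructed samples with placeholder signature_id values; the field names follow Suricata's alert record layout.

```python
import json
from datetime import datetime

# Constructed eve.json lines for illustration (not the post's logs); signature_id
# values are placeholders, the other fields follow Suricata's alert record layout.
SAMPLE_EVE = """\
{"timestamp":"2026-03-02T09:14:03.112233+0100","event_type":"alert","src_ip":"203.0.113.77","src_port":51212,"dest_ip":"10.0.0.25","dest_port":25,"proto":"TCP","flow_id":1001,"alert":{"signature_id":9000001,"signature":"GPL SMTP vrfy root","severity":2}}
{"timestamp":"2026-03-02T09:14:10.500000+0100","event_type":"flow","src_ip":"203.0.113.77","dest_ip":"10.0.0.25","proto":"TCP","flow_id":1001}
{"timestamp":"2026-03-02T09:16:41.004000+0100","event_type":"alert","src_ip":"203.0.113.77","src_port":80,"dest_ip":"10.0.0.42","dest_port":49812,"proto":"TCP","flow_id":1002,"alert":{"signature_id":9000002,"signature":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","severity":2}}
{"timestamp":"2026-03-02T09:16:41.250000+0100","event_type":"alert","src_ip":"203.0.113.77","src_port":80,"dest_ip":"10.0.0.42","dest_port":49812,"proto":"TCP","flow_id":1002,"alert":{"signature_id":9000003,"signature":"ET MALWARE Possible Metasploit Payload Common Construct Bind_API","severity":1}}
"""

def load_alerts(eve_text):
    """Parse newline-delimited eve.json, keep alert records, sort by time."""
    alerts = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow/http/dns records matter later, not for this pivot
        rec["_ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        alerts.append(rec)
    return sorted(alerts, key=lambda r: r["_ts"])

def pivot_by_source(alerts):
    """Group by external source IP: internal hosts touched, flow_ids to pull
    from the PCAP, rules in firing order and the worst severity (1 = highest)."""
    pivot = {}
    for rec in alerts:
        p = pivot.setdefault(rec["src_ip"], {
            "first_seen": rec["_ts"], "last_seen": rec["_ts"], "targets": set(),
            "flows": set(), "signatures": [], "worst_severity": 99})
        p["last_seen"] = max(p["last_seen"], rec["_ts"])
        p["targets"].add(rec["dest_ip"])
        p["flows"].add(rec["flow_id"])
        p["signatures"].append(rec["alert"]["signature"])
        p["worst_severity"] = min(p["worst_severity"], rec["alert"]["severity"])
    return pivot

def triage(eve_text):
    """One row per source IP, most severe first: the pivot to take to the SIEM."""
    rows = []
    for src, p in pivot_by_source(load_alerts(eve_text)).items():
        rows.append({"src_ip": src, "targets": sorted(p["targets"]),
                     "flows": sorted(p["flows"]), "sequence": p["signatures"],
                     "span_s": (p["last_seen"] - p["first_seen"]).total_seconds(),
                     "worst_severity": p["worst_severity"]})
    return sorted(rows, key=lambda r: r["worst_severity"])
```

The same grouping can be expressed as an OpenObserve query over `src_ip`; the value of doing it in code first is that the flow_ids come out ready for filtering the PCAP.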

📢📢📢 Ladislav Bačo is back for round two!

On March 11, Ladislav Bačo ( @malwarelab_eu ) shares practical approaches for integrating network forensics into IR workflows, with perspectives for home and small office networks.

Register: https://us02web.zoom.us/webinar/register/WN_I6BNbCU2SNG2fAOEiotPiQ

#Suricata

Yesterday I led a half-day workshop for a group of high school students. The content was purely practical: a lot of labs and hands-on exercises and challenges about computer networks, #networktrafficanalysis and #cybersecurity.

Girls made their own Ethernet cables to connect to our lab network. Then they analyzed common network protocols and their privacy issues and how the browser settings can affect the amount of sensitive information in the network traffic.

Pro tip: together with HTTPS-Only Mode in all windows, also enable DNS over HTTPS using Increased Protection or Max Protection.
Pro tip 2: even with those hardened settings, it is often possible to see which websites the user visits, because of TLS SNI or TLS Certificates

After that, the girls had the opportunity to try CTF-like activity in the lab network full of old #MikroTik and #Ubiquiti devices and virtual machines with various services exposed.

A little bit off-topic: This was the first workshop I completely led using my old #ThinkPad with #FreeBSD

#MayTheSourceBeWithYou
#PCAPorItDidntHappen

#education #womeninstem #womenintech #SecurityGirl #AjTyvIT #wireshark #CTF #handsonlearning #learningbydoing

If you've wanted to learn Zeek scripting but didn't know where to start, Evan put together a comprehensive tutorial covering the basics through building a real detection.

https://www.youtube.com/watch?v=nae8cdrUUKY

#Zeek #NetworkMonitoring #Infosec

Zeek Scripting Tutorial: Learn the Fundamentals


Think IDS/IPS is only for enterprises? Think again.

In this webinar with Ladislav Bačo on Feb 11th, learn how #Suricata makes network monitoring accessible for SOHO, HomeLabs, and small networks—often for under €100 using everyday hardware.

Register! https://us02web.zoom.us/webinar/register/WN_v5O3SUzGQ4qzAasqM0oHoA

RE: https://infosec.exchange/@suricata/116020101997773445

Join me on Wednesday to see how to build your own home network monitoring setup under $100.
Traffic capture, IDS, lightweight SIEM and alerting included.

Notepad++ publishes a blog post saying they caught a probably-Chinese state actor hijacking their product in an attack against highly-selective targets that began last June: https://notepad-plus-plus.org/news/hijacked-incident-info-update/
Notepad++ Hijacked by State-Sponsored Hackers | Notepad++

And no, #moltbook is not an AI-agents-only social network. It uses a REST API, so everyone could follow the howto for AI agents, register there and post anything. Including malicious content and command injects for AI agents.

Seeing posts like this on #moltbook, I am thinking about recent #threats emerging from the heavy usage of #AI agents without any security guardrails or proper controls.

This time, it is "only" a command to send an innocent email. But this could be the measurement of the potential botnet size and fingerprinting of bots and their capabilities. Next time, it might be #DDoS, #malware distribution, or #dataleak if AI agents follow the commands to do something harmful to their humans.

This ChatGPT-like service for binary analysis is now running #radare2 on every prompt!

Combines the reports generated from batch runs of IDA, Ghidra and BinaryNinja for better contextual analysis.

Even if the primary focus is malware analysis, lots of use cases can be covered too.

https://omniasec.ai/
