Presented at SuriCon 2018 by Robert Haist & Sascha Steinbiss, DCSO
For just about two years, we at DCSO have refined our use of Suricata to form the basis of our network detection capabilities. In our talk, we share our experiences building a multi-customer NSM stack using Debian, Suricata and commodity server hardware, paying special attention to performance, ease of deployment, sensor management and monitoring. Moreover, we present and discuss various metadata-based use cases beyond classic IDS/IPS alerting and their benefits for defense in depth. Finally, we introduce new software tools developed in-house (to be released under free licenses before SuriCon) and demonstrate how they accelerate both service integration and the implementation of new downstream capabilities.