Seems like you could configure your SIEM to forward those alerts to Security Onion or configure Vindicate to send to Security Onion directly.
Hi, I was wondering if support for some sort of LLMNR, NBNS, and mDNS spoofing detection could be added into the Honeypot module or Security Onion nodes? We have seen attackers and penetration teams utilize this type of attack over and over again if they're able to place a device on our network. It would be a huge help to be alerted immediately if we're under attack. We're currently utilizing a solution called Vindicate (https://github.com/Rushyo/VindicateTool) which forwards Windows events to our SIEM. However, this would be an awesome addition to Security Onion to have all the alerts in one place. Thank you!
"Vindicate is a tool which detects name service spoofing, often used by IT network attackers to steal credentials (e.g. Windows Active Directory passwords) from users. It's designed to detect the use of hacking tools such as Responder, Inveigh, NBNSpoof, and Metasploit's LLMNR, NBNS, and mDNS spoofers, whilst avoiding false positives. This can allow a Blue Team to quickly detect and isolate attackers on their network."
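The detection the post asks for, as an added example that is neither Vindicate's code nor anything shipped with Security Onion: it parses LLMNR responses and alerts when a response resolves a canary hostname that nothing on the network owns, since only a spoofer answering every query it sees will ever resolve such a name. The canary names, the constructed sample packet and the 10.0.0.66 address are assumptions made for the example.

```python
import struct

# Hypothetical canary hostnames: nothing on the network owns them, so only a spoofer answers for them.
CANARY_NAMES = {"fileserver-decoy01", "wpad-canary"}

def _read_name(buf, off):
    labels = []  # DNS-style label sequence; LLMNR reuses the DNS wire format
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(buf, ptr)
            return ".".join(labels + [tail]), off + 2
        labels.append(buf[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length

def parse_llmnr(buf):
    """Parse one LLMNR (UDP/5355) packet into its QR flag, questions and answers."""
    _tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(buf, off)
        qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        rdata, off = buf[off + 10:off + 10 + rdlen], off + 10 + rdlen
        value = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, value))
    return {"response": bool(flags & 0x8000), "questions": questions, "answers": answers}

def spoof_alerts(buf, src_ip):
    """Alert strings for every answer in an LLMNR response that resolves a canary."""
    pkt = parse_llmnr(buf)
    if not pkt["response"]:
        return []
    return [f"LLMNR spoofing suspected: {src_ip} answered {name!r} with {value}"
            for name, _rtype, value in pkt["answers"] if name.lower() in CANARY_NAMES]

def build_llmnr_response(tid, name, ip):
    """Constructed sample packet: the A-record reply a spoofer sends for any name."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", tid, 0x8000, 1, 1, 0, 0)  # QR=1, 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)               # QTYPE A, QCLASS IN
    answer = qname + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(map(int, ip.split(".")))
    return header + question + answer
```

NBNS (UDP/137) and mDNS (UDP/5353) need their own parsers but the same rule applies: any answer for a canary name is an alert, and the answering source address is the host to isolate.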