Suricata high number of bytes out detected
Set up the suricata integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect scenarios where an unusually high number of bytes are being sent out from a server, which could indicate data exfiltration or other malicious activities.
Strategy
Monitor Suricata logs where the outgoing data from a server seems unusual. This could be indicative of data exfiltration attempts, malware communication, or other suspicious activities that require immediate investigation.
Triage and response
- Identify if the server typically handles high volumes of outbound traffic.
- Verify whether the Client IP
{{@network.client.ip}}
is internal or external.- For internal IPs, identify the corresponding host and collaborate with the owner to investigate the unusual data transfer from the server.
- For external IPs, assess the IP address reputation.
- Review Client’s IP
{{@network.client.ip}}
, port {{@network.client.port}}
, and protocol {{@suricata.proto}}
to identify unexpected destinations or sensitive data transfers. - If malicious activity is confirmed, block Client IP
{{@network.client.ip}}
, isolate the server, and capture traffic for analysis. - Inform IT security teams and management about the incident and actions taken.