Suricata high number of bytes out detected

This rule is part of a beta feature. To learn more, contact Support.

Set up the Suricata integration.


Goal

Detect scenarios in which an unusually high number of bytes is sent out from a server, which could indicate data exfiltration or other malicious activity.

Strategy

Monitor Suricata logs for servers whose outbound data volume is unusually high. This could indicate data exfiltration, malware communication, or other suspicious activity that requires immediate investigation.

Triage and response

  1. Identify whether the server typically handles high volumes of outbound traffic.
  2. Verify whether the client IP {{@network.client.ip}} is internal or external.
    • For internal IPs, identify the corresponding host and collaborate with the owner to investigate the unusual data transfer from the server.
    • For external IPs, assess the IP address reputation.
  3. Review the client IP {{@network.client.ip}}, port {{@network.client.port}}, and protocol {{@suricata.proto}} to identify unexpected destinations or sensitive data transfers.
  4. If malicious activity is confirmed, block the client IP {{@network.client.ip}}, isolate the server, and capture traffic for analysis.
  5. Inform IT security teams and management about the incident and the actions taken.
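As an added illustration of the strategy and of triage step 2 (not Datadog's own rule logic), the script below sums server-to-client bytes from constructed Suricata EVE `flow` records, flags server/client pairs above an assumed byte threshold, and classifies the client IP as internal or external. The threshold, the sample records, and the RFC 1918 ranges used for "internal" are assumptions; the real rule's threshold is not stated on this page.

```python
import json
import ipaddress
from collections import defaultdict

# Constructed Suricata EVE "flow" records (not real traffic). In EVE flow events
# src_ip is the flow initiator (client) and dest_ip the server, so
# flow.bytes_toclient is what the server sent out.
SAMPLE_EVE = """
{"event_type":"flow","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.20","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":1200,"bytes_toclient":35000}}
{"event_type":"flow","src_ip":"203.0.113.7","src_port":40000,"dest_ip":"10.0.0.20","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":900,"bytes_toclient":850000000}}
{"event_type":"flow","src_ip":"203.0.113.7","src_port":40001,"dest_ip":"10.0.0.20","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":700,"bytes_toclient":400000000}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","alert":{"signature":"constructed"}}
{"event_type":"flow","src_ip":"10.0.0.8","src_port":52000,"dest_ip":"10.0.0.21","dest_port":22,"proto":"TCP","flow":{"bytes_toserver":5000,"bytes_toclient":9000}}
"""

# Assumed definition of "internal": RFC 1918 space.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    """Triage step 2: classify the client IP as internal (RFC 1918) or external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def bytes_out_per_pair(eve_text: str) -> dict:
    """Sum server->client bytes per (server, client, proto) and collect client ports."""
    totals = defaultdict(lambda: {"bytes_out": 0, "client_ports": set()})
    for line in eve_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue  # only flow records carry byte counters
        entry = totals[(ev["dest_ip"], ev["src_ip"], ev["proto"])]
        entry["bytes_out"] += ev["flow"]["bytes_toclient"]
        entry["client_ports"].add(ev["src_port"])
    return dict(totals)

def high_bytes_out(eve_text: str, threshold: int) -> list:
    """Return triage-ready findings for server->client totals above the (assumed) threshold."""
    findings = []
    for (server, client, proto), entry in bytes_out_per_pair(eve_text).items():
        if entry["bytes_out"] > threshold:
            findings.append({"server": server, "client_ip": client, "proto": proto,
                             "client_ports": sorted(entry["client_ports"]),
                             "bytes_out": entry["bytes_out"],
                             "client_is_internal": is_internal(client)})
    return findings

if __name__ == "__main__":
    for finding in high_bytes_out(SAMPLE_EVE, threshold=1_000_000_000):
        print(finding)
```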