HEPiX Fall 2024 Workshop

Session

SOC Hackathon

6 Nov 2024, 13:30

Conveners

SOC Hackathon: Technical Details and Working Session 1

• Shawn Mc Kee (University of Michigan (US))
• David Crooks (UKRI STFC)

SOC Hackathon: Technical Details and Working Session 2

• David Crooks (UKRI STFC)
• Shawn Mc Kee (University of Michigan (US))

56. Topic 1: Issues capturing ALL traffic with Zeek?

Aashish Sharma (LBNL), Dr David Crooks (UKRI STFC), David Jordan (University of Chicago (US)), Shawn Mc Kee (University of Michigan (US))

06/11/2024, 13:30

We have some sites that have question/potential issues concerning the traffic measurements from Zeek vs SNMP.
- Should be expect that the Zeek traffic estimate should be close to the SNMP counters from the corresponding switch ports?
- Is some kind of NIC/hardware offloading hiding traffic from Zeek?
- Do we have best practice recommendations regarding configurations?
- What should sites...

57. Topic 2: Building a good Zeek alert

Aashish Sharma (LBNL), Dr David Crooks (UKRI STFC), Romain Wartel (CERN)

06/11/2024, 14:00

What does it take to craft a good Zeek alert? Can we work through an example or two? What is the suggested guidance for doing this?

59. Topic 3: How to deploy pDNSSOC (part 1)

Romain Wartel (CERN)

06/11/2024, 14:30

How to deploy pDNSSOC
Example deployment
Working session

58. Topic 1: Configuring sending alerts for various tools

Dr David Crooks (UKRI STFC), Liam Atherton, Romain Wartel (CERN)

06/11/2024, 15:30

How to enable alerts using webhooks and various applications.
Sending to SLACK
Sending to Mattermost
What about Keybase?

Why not email?

60. Tool options and choices

Dr David Crooks (UKRI STFC), Stefan Lueders (CERN)

06/11/2024, 16:00

Zeek, MISP, pDNSSOC, Elasticsearch, Opensearch, Elastiflow, ElastiAlert, other information sources, other tools?

Advantages, capabilities, limitations, concerns....

Let's discuss