
I'm a little confused as to running the Suricata, Zeek and Elasticsearch stack on Kali. I think of these tools as running on a server, rather than a desktop. And it seems like SecurityOnion scratches this niche.

I do like the idea of Kali Purple though - curious to check it out.




These tools (-elasticsearch) run on a server that's usually connected to a network tap that collects traffic from endpoints and servers alike.

Running them locally, a tap, and a server are unnecessary.


Yeah, very unusual. Purpleteam is usually over some prod or prod-like environment.

I think they want you to put this in your purpleteam lab not as your actual defensive stack.

Might work for some folks but imo, the logging/detection/alerting part should always be your actual prod stack, but you can simulate attacks in a lab environment. What I have seen in the industry at large is that a lot of purpleteam exercises are done in production, a red team exercise blended with a blue team investigation and response.


From what I can tell they call it a SOC in a box. They have a wiki on how you are supposed to build it (on Proxmox). Here is a link to their architecture diagram for it. https://gitlab.com/kalilinux/kali-purple/documentation/-/raw... It is intended mostly for training purposes. I think it looks pretty neat for a start. We'll see where the community takes it over the next couple of years.


If you have local logs and you’re not in an enterprise environment it makes sense to analyse the logs locally.


IMO this is lowering the barrier of entry to newbies. I work in this space and often users coming out of boot camps that want to set up their own labs for learning have a steep learning curve. Such is the difficulty with entering cybersecurity without an IT background, for better or worse.



