Is the BloodHound signature included in the latest weekly update?

Hi Community,

Just curious: we have an alert from one of our security appliances about a BloodHound scanner on one of our internal client nodes.

I am looking after Security Onion with ETOpen, and it did not provide an alert for BloodHound.

Can you please advise: does BloodHound have an updated rule signature already released, or is there a timeframe for the BloodHound and Purple Knight signatures?

Thanks
Ben

1 Like

Hey Ben! Thanks for reaching out!

Generally speaking, this traffic is a bit difficult to distinguish from legitimate traffic, as the tool uses native Windows/AD functions for its purposes.

That said, it’s been a while since we’ve looked at BloodHound specifically.

Would you be able to share a pcap of the traffic generated (even privately)? I’d be happy to look at it with some fresh eyes and see if there is something we can use to create high fidelity signatures.

2 Likes

Apologies Bmurphy,

We were just alerted by a security appliance and we did not capture the pcap traffic of the alert.

We were more focused on why Security Onion did not pick it up. I assumed I had a misconfiguration, since BloodHound has been online since DEF CON 2016 or before.

Is Wireshark sufficient to capture the data you need to create this high-fidelity signature, or do you suggest a better sniffer, i.e. Snort?

But I would have to know the route and pathway that the traffic from BloodHound and the target device traverses in order to capture it.

OK, I will see how I can capture this data.

1 Like

Wireshark would be perfect! Actually better than Snort, as Snort isn’t really designed as a packet-capturing solution.

Was the use of BloodHound within the environment expected? If so, perhaps it could be run in a controlled manner with Wireshark running on the same system that BloodHound is running on?

2 Likes