https://gitlab.com/kalilinux/kali-purple/documentation/-/raw...
Probably of less broad appeal but another option to add to the mix for anyone who happens to be running Gentoo is the Pentoo overlay https://github.com/pentoo/pentoo-overlay
The GitHub repo is also a nice browseable categorised directory tree of security tooling.
The heavy lifting of this is CISA's Malcolm [1]. Unfortunately the blog post only provides a non-linked bullet to it [2]. Seth Grover, the main driver behind Malcolm, put a lot of effort over the years into creating a turnkey soc-in-a-box distro that works especially well for a network-first approach. Endpoint isn't neglected, but the focus on Zeek, Suricata, Arkime shows the primary visibility drivers. This is not surprising, because CISA also developed a bunch of custom ICS protocol dissectors that provide visibility (DNP3, Modbus, etc.). The list is impressive [3]. All of this is turnkey available by running Malcolm. Especially for OT, where we have a lot more unmanaged black boxes and networks that you don't wanna actively scan (factories have been brought down this way), passively watching is a safe and powerful approach.
It's a bit unfortunate that Kali didn't give the props to Seth's project (not even an outbound link). Perhaps this was just an oversight, or a spotlight blog post is coming later, but I hope that the history of this gets properly acknowledged, because it's darn clear where this comes from.
[1]: https://github.com/cisagov/Malcolm
[2]: https://www.kali.org/blog/kali-linux-2023-1-release/
[3]: https://cisagov.github.io/Malcolm/docs/protocols.html
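The comment above praises passive watching of OT traffic through Zeek's ICS dissectors. The following is an added illustration, not code from Malcolm, Zeek or the commenter, of what a defender does with that visibility: it parses a constructed sample in Zeek's modbus.log TSV layout (field names assumed from Zeek's base Modbus analyzer) and flags Modbus write functions issued by hosts outside an assumed engineering-workstation allowlist, without ever sending a packet to the PLC.

```python
"""Passive OT detection over a Zeek modbus.log (constructed sample).

Reads Zeek's TSV format, mapping columns via the #fields header, and
flags Modbus write functions from hosts not on an allowlist. Log review
only: nothing is sent to the devices being monitored.
"""
from typing import Dict, Iterator, List

# Constructed sample in Zeek modbus.log layout; the field names are
# assumed to match Zeek's base Modbus analyzer (ts, uid, id.*, func, exception).
SAMPLE_MODBUS_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfunc\texception
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring
1700000000.100\tC1\t10.0.10.5\t50000\t10.0.20.7\t502\tREAD_HOLDING_REGISTERS\t-
1700000001.200\tC2\t10.0.10.5\t50001\t10.0.20.7\t502\tWRITE_SINGLE_REGISTER\t-
1700000002.300\tC3\t10.0.99.42\t40000\t10.0.20.7\t502\tWRITE_MULTIPLE_COILS\t-
1700000003.400\tC4\t10.0.99.42\t40001\t10.0.20.7\t502\tREAD_COILS\tILLEGAL_FUNCTION
"""

# Assumed: only the engineering workstation is expected to write to PLCs.
WRITE_ALLOWLIST = {"10.0.10.5"}


def parse_zeek_tsv(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, #close) and blanks
        else:
            yield dict(zip(fields, line.split("\t")))


def find_unexpected_writes(text: str, allowlist=WRITE_ALLOWLIST) -> List[Dict[str, str]]:
    """Return records where a Modbus write function came from a non-allowlisted host."""
    hits = []
    for rec in parse_zeek_tsv(text):
        if rec["func"].startswith("WRITE") and rec["id.orig_h"] not in allowlist:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_writes(SAMPLE_MODBUS_LOG):
        print(f'{hit["ts"]} {hit["id.orig_h"]} -> {hit["id.resp_h"]}: {hit["func"]}')
```

On the sample, only the WRITE_MULTIPLE_COILS from 10.0.99.42 is reported; the same loop runs unchanged over a real modbus.log exported from Malcolm's Zeek output.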
I wish there was also Wazuh [1] included. That's where open source EDR is currently at.
[1] https://wazuh.com/