Suricata on pfSense

Detecting the attacks (like BitTorrent) that aren’t in your flow logs

Teri Radichel
Cloud Security


I was just reading this post on how ransomware attackers are now using torrents to disguise their traffic. That got me curious.

How can you identify torrents, and why is this technique proving successful for attackers? In a nutshell, BitTorrent is a peer-to-peer (P2P) network protocol: systems connect directly to each other through a distributed network of peers rather than to a single server behind traditional network devices (a rough explanation). You can’t just block a single IP that is transferring all the data, because the data comes from many peers. It’s also hard to identify because the telltale details are in the payload, not in the packet headers. If you’re only looking at flow logs, you probably won’t be able to spot it easily.
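To make the flow-log gap concrete, here is an added Python example (not code from the post; Suricata does this kind of payload matching in its own rule engine) that classifies a constructed TCP session first from flow-log fields alone and then with the first payload bytes, using the BitTorrent peer-wire handshake layout. The FlowRecord field names and all sample values are my own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# A BitTorrent peer-wire handshake starts with a 1-byte length (19) followed by
# the literal protocol string, then 8 reserved bytes, a 20-byte info_hash and a
# 20-byte peer_id: 68 bytes in total.
BT_PREFIX = b"\x13BitTorrent protocol"
BT_HANDSHAKE_LEN = 1 + 19 + 8 + 20 + 20


@dataclass
class FlowRecord:
    """The fields a typical flow log keeps: addresses, ports, protocol, counters."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    bytes_out: int


def parse_bt_handshake(payload: bytes) -> Optional[dict]:
    """Return info_hash/peer_id when payload begins with a full handshake, else None."""
    if len(payload) < BT_HANDSHAKE_LEN or not payload.startswith(BT_PREFIX):
        return None
    body = payload[len(BT_PREFIX) + 8:]          # skip the 8 reserved bytes
    return {"info_hash": body[:20].hex(), "peer_id": body[20:40]}


def classify(flow: FlowRecord, payload: Optional[bytes] = None) -> str:
    """Flow-log fields alone give no torrent signal: peers and ports are arbitrary.
    Only when the payload is available can the handshake be recognised."""
    if payload is not None and parse_bt_handshake(payload) is not None:
        return "bittorrent-handshake"
    return "unclassified"


# Constructed sample data (not a real capture): one session seen two ways.
SAMPLE_FLOW = FlowRecord("10.0.0.5", "203.0.113.7", 51234, 41872, 6, 1420)
SAMPLE_BT_PAYLOAD = BT_PREFIX + b"\x00" * 8 + bytes(range(20)) + b"-XX0001-" + b"\x00" * 12
SAMPLE_HTTP_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    print(classify(SAMPLE_FLOW))                      # flow log only -> unclassified
    print(classify(SAMPLE_FLOW, SAMPLE_BT_PAYLOAD))   # with payload -> bittorrent-handshake
    print(parse_bt_handshake(SAMPLE_BT_PAYLOAD)["info_hash"])
```

A truncated payload (fewer than 68 bytes) is deliberately not flagged, so a detector built this way needs stream reassembly, which is what Suricata provides and a flow exporter does not.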
