TIL about #clickhouse local and tried it out with JSON #zeek data as I'd been doing with #duckdb https://gist.github.com/mdfranz/55c9d0f4a4a2f58acbc57144628ac1dc
I took the recertification exam for my SANS GIAC Certified Intrusion Analyst today. Passed with 93% which is better than I did on both practice exams.
Four more years.
Well, GSEC is up in 2025, then GCIH in 2027.
That leaves 2026 to get a new cert in. Thinking about GMLE, actually.
If I never have to manually dissect packets or do bitmasking again, it will be too soon. I actually almost understand bitmasking now. If I ever fully grasp it I think I will poof out of existence, having fulfilled my special purpose.
It was cool to play with Zeek (formerly Bro) and SiLK again. I don't get to use the command line for analysis much day-to-day.
I felt personally called out when they lamented those orgs that try to bolt cross-session, multi-application correlation and alerting onto SIEM instead of using security tools designed to do it for you.
I'm Scott. I live in Louisville, Kentucky USA. My job is helping people deploy, manage, and use network detection and response tools. For the past 10 years I've been a part of the network security monitoring and network forensics community (design/engineering/management/support), and the 20+ years before that doing IT operations management and monitoring. I'm also a Papaw that enjoys sedentary Papaw hobbies like tabletop role-playing games, model railroads, and making the beep boops on synthesizers and sequencers.
#infosec #security #netsec
#zeek #suricata #pcap
#threathunting #blueteam #forensics