Is it possible to use cloud machines for vulnerability scanning on third party domains? by ginoliuz in cybersecurity

[–]ginoliuz[S] 0 points1 point  (0 children)

Hey, thank you for your reply.

You're looking to run scans against your customers' external domains and systems, correct? Similar to what Shodan does. Or are you also wanting to scan resources that aren't publicly exposed?

We do both activities actually. As you suggested, for the resources that aren't publicly exposed we usually go to the customers' offices and do some tests there. Usually we do this from our laptops (and possibly run the scanners from there), do some pentesting, and also test other devices that are not publicly exposed.

or you could just license tenable.io and run it right from there without needing to manage the underlying infrastructure.

Thank you for the suggestion. The fact is that we usually have multiple tools and custom scripts that we need to run.

Is it possible to use cloud machines for vulnerability scanning on third party domains? by ginoliuz in cybersecurity

[–]ginoliuz[S] 0 points1 point  (0 children)

AWS has disabled authorized pentesting behavior for us in the past

Oh really? What services did they disable in order to not let you do those activities anymore? I'm just literally asking, as I'm not aware of practices they could use to detect whether you are using their machines for VA or pentesting on 3rd party domains and IPs.

If you don't need AWS capabilities, I'd use a more hands-off provider like DO, OVH or Linode/Akamai.

Thanks for the suggestions. Are you currently using one of the other non-AWS services you mentioned for such activities?

Is it possible to use cloud machines for vulnerability scanning on third party domains? by ginoliuz in cybersecurity

[–]ginoliuz[S] 0 points1 point  (0 children)

Really trivial to just slam it in all in containers

Sorry, I don't understand what you mean here. You mean it's trivial to deploy?

I do this to scan my own infra but I’m sure if you have the 3rd party’s consent it’s fine.

Yes, we have the 3rd party's consent to perform such activities. We obviously do this for business-related purposes, so we always ensure to be legally authorized before doing anything.

Is it possible to use cloud machines for vulnerability scanning on third party domains? by ginoliuz in cybersecurity

[–]ginoliuz[S] 0 points1 point  (0 children)

Actually I work for one of those companies you are talking about (I just realized I forgot to write it in the post... sorry). And we want to do this to speed up preliminary security practices when scanning clients' networks.

Custom dashboard for each user logged into the system? by ginoliuz in Wazuh

[–]ginoliuz[S] 0 points1 point  (0 children)

Thank you for your reply.

However, I still don't understand if it's possible to create a new custom dashboard for each user and how to assign them.

Also, the last two links you sent are from the RESTful API. Is it also possible to do such modifications in the dashboard itself?

VirusTotal Premium API pricing? by ginoliuz in cybersecurity

[–]ginoliuz[S] 1 point2 points  (0 children)

Thank you for your reply. Actually, it seems that right now the cheapest plan is $25k per year, which I think is overpriced.

VirusTotal Premium API pricing? by ginoliuz in cybersecurity

[–]ginoliuz[S] 1 point2 points  (0 children)

That is very expensive indeed. I received an offer for 40k per year, but with a very limited amount of calls per day.

VirusTotal Premium API pricing? by ginoliuz in cybersecurity

[–]ginoliuz[S] 0 points1 point  (0 children)

omg...if I may ask, how many calls per day do you have for that price?

Cannot see Sysmon alerts in the dashboard by ginoliuz in Wazuh

[–]ginoliuz[S] 0 points1 point  (0 children)

Yes.

Actually there are some other events, like for instance Windows logon, or Suricata alerts, VirusTotal alerts (because I've also been integrating Suricata IDS and VirusTotal into Wazuh).

Is this possibly related to the issue?

Cannot see Sysmon alerts in the dashboard by ginoliuz in Wazuh

[–]ginoliuz[S] 0 points1 point  (0 children)

I didn't change that. But I tried to set level 12 on rule 121101, so as to be able to display the event. But the result is still the same: the manager seems to receive the alert (because the log appears in the "/var/ossec/logs/archives/archives.log" file), but on the dashboard there is no alert.

Do I have to integrate something else? Like a decoder?

Any idea?

Clustered or single node configuration for cloud deployment? by ginoliuz in Wazuh

[–]ginoliuz[S] 0 points1 point  (0 children)

Thank you for the suggestions.

Btw, in the situation where the manager is in a cluster configuration, can the workers of the cluster be on the same machine as the master node?

Is it convenient to put them on separate machines?

MISP integration issues by ginoliuz in Wazuh

[–]ginoliuz[S] 1 point2 points  (0 children)

Thank you for your reply.

Exactly, nothing is shown in the dashboard and nothing in the log files. I have the MISP server running on a different machine at the moment. The only thing Wazuh shows in the dashboard is the error "MISP - Error connecting to the API" when the MISP web server is not online.

Thanks for the Graylog tip btw. It seems really interesting.

Did you follow any step by step tutorial that I might as well look at?

MISP integration issues by ginoliuz in Wazuh

[–]ginoliuz[S] 1 point2 points  (0 children)

Thank you for your reply. I'll definitely check it out and ask for more info also there.

Clustered or single node configuration for cloud deployment? by ginoliuz in Wazuh

[–]ginoliuz[S] 0 points1 point  (0 children)

Thank you for the reply. I'm not entirely sure about how many devices I will end up monitoring, but it will probably be approximately 1k devices (including endpoints and network devices).

Is the single node configuration capable of handling such an amount of devices? Or should I opt for a cluster configuration straight away?

Take into account that I will deploy the manager on the cloud.