Hello all. Pretty new on my netsec journey. I’ve just finished Security+ and have spent the last week testing a production version of Security Onion. Today I noticed an insane amount of traffic from an unknown public IP. We were getting hundreds of SIP requests and sending back hundreds of “403 error” replies.
As I said, I’m pretty new to cybersec and so my Wireshark reading skills aren’t great, but I did notice all of the packet captures I looked through were pretty much the same.
Hypothetically, could I just take something such as the userid we were getting from the packet capture, or some other information that identifies these requests, hash it, and add a signature rule in a firewall rejecting the packets matching that hash?
Would this be a stupid idea? I know I could just add a ‘block all’ on that specific IP address, but what if I notice the “attacker” has a specific marker, like the hostname we get being “attacker PC-1”, and I want to block all IPs with that hostid? From how I understand it, the HIDS/NIDS hits on the incoming packet as it contains the hash of ‘userid = attacker PC-1’. Is this way of thinking correct?
I saw someone posting about it somewhere and I want to see if I understood correctly and make sure that I have the correct thinking process from the view of a “cyber security analyst”. Thanks everyone.
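As an added illustration (not from the original post, and not Security Onion's own code), the script below shows what a content signature actually does against SIP traffic: the rule matches on a substring of a header in the packet, not on a hash of the packet, which is the part of the question worth getting straight. The IP addresses, hostnames and SIP messages are all constructed placeholders; the marker "attacker PC-1" is reused from the post as the string the rule looks for.

```python
"""Content-based SIP signature matching over constructed sample messages.

A NIDS rule (Suricata's `content:` keyword, for example) matches on bytes or
strings inside the packet. It does not compare a hash of the packet, because
any change to a single byte (a CSeq number, a tag, a branch id) would produce
a different hash and the rule would never fire again.
"""
import hashlib
from collections import Counter

# Constructed sample SIP requests (not real captures). Each entry is
# (source IP, raw request). The User-Agent value stands in for the
# "marker" from the question.
SAMPLE_REQUESTS = [
    ("203.0.113.7",
     "REGISTER sip:pbx.example.internal SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-1\r\n"
     "From: <sip:1001@pbx.example.internal>;tag=a1\r\n"
     "To: <sip:1001@pbx.example.internal>\r\n"
     "User-Agent: attacker PC-1\r\n"
     "CSeq: 1 REGISTER\r\n\r\n"),
    ("203.0.113.7",
     "OPTIONS sip:pbx.example.internal SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-2\r\n"
     "From: <sip:1001@pbx.example.internal>;tag=a2\r\n"
     "To: <sip:1001@pbx.example.internal>\r\n"
     "User-Agent: attacker PC-1\r\n"
     "CSeq: 2 OPTIONS\r\n\r\n"),
    ("198.51.100.5",
     "REGISTER sip:pbx.example.internal SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 198.51.100.5:5060;branch=z9hG4bK-3\r\n"
     "From: <sip:2001@pbx.example.internal>;tag=b1\r\n"
     "To: <sip:2001@pbx.example.internal>\r\n"
     "User-Agent: Desk Phone 2.1\r\n"
     "CSeq: 1 REGISTER\r\n\r\n"),
    ("203.0.113.9",
     "REGISTER sip:pbx.example.internal SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bK-4\r\n"
     "From: <sip:1002@pbx.example.internal>;tag=c1\r\n"
     "To: <sip:1002@pbx.example.internal>\r\n"
     "User-Agent: attacker PC-1\r\n"
     "CSeq: 7 REGISTER\r\n\r\n"),
]

# A content signature: optional method restriction, the header to inspect,
# and the substring that must appear in it. method=None matches any method.
SIGNATURE = {"method": None, "header": "user-agent", "contains": "attacker PC-1"}


def parse_sip(raw):
    """Split a raw SIP request into (method, {lowercased header: value})."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def matches(raw, sig=SIGNATURE):
    """True if the request satisfies the content signature."""
    method, headers = parse_sip(raw)
    if sig["method"] is not None and method != sig["method"]:
        return False
    return sig["contains"] in headers.get(sig["header"], "")


def scan(requests, sig=SIGNATURE):
    """Count signature hits per source IP, the way an IDS alert summary would."""
    hits = Counter()
    for src_ip, raw in requests:
        if matches(raw, sig):
            hits[src_ip] += 1
    return hits


def hash_differs(raw_a, raw_b):
    """Show why a whole-packet hash is a poor match key: two requests carrying
    the same marker still hash differently once any other byte changes."""
    return (hashlib.sha256(raw_a.encode()).hexdigest()
            != hashlib.sha256(raw_b.encode()).hexdigest())


if __name__ == "__main__":
    for ip, count in scan(SAMPLE_REQUESTS).items():
        print(f"{ip}: {count} request(s) matched User-Agent marker")
    print("same marker, different packet hash:",
          hash_differs(SAMPLE_REQUESTS[0][1], SAMPLE_REQUESTS[1][1]))
```

Two things follow from running it. First, the rule fires on 203.0.113.9 as well as 203.0.113.7, so a content signature does let you catch the same marker regardless of source IP, which is what the post is asking. Second, the marker lives in a header the sender controls, so it is trivially changed; treat a signature like this as a detection aid that feeds alerting and a blocklist, alongside rate limiting and blocking the source address or range, rather than as a reliable block on its own.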