Detecting Kali machine on network using Suricata

Hello r/cybersecurity,

I am currently getting into writing my own Suricata rules and I am trying to detect the presence of a Kali Linux machine on a network. I already have an effective way to detect a machine doing updates via \`apt update\` and \`apt upgrade\` via the IP address associated with the DEB repositories for Kali. This works quite well and as a SOC analyst I've detected a pentester with this more than once. However, I would like to …

address analyst apt cybersecurity detect doing hello ip address kali kali linux linux machine network own pentester repositories rules soc soc analyst suricata update updates upgrade writing