StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0
1.46k stars 286 forks

Information needed #101

Open vbaOne opened 6 years ago

vbaOne commented 6 years ago

Hi,

Could you please clarify the following points about SELKS:

Network Flow => Listening network interface(s) => Suricata => Logstash => Elasticsearch => Kibana / Scirius / Eve

Could you provide details, please?

Thank you!

pevma commented 6 years ago
vbaOne commented 6 years ago

Thank you for editing the flow and your reply Pevma!

However, my third question was about Suricata and its ability to receive raw logs using syslog. According to your answer about the processing flow, if I send raw logs via Logstash to ES, I bypass Suricata analysis. Is that correct?

The thing is, I don't want to deploy many SELKS instances to capture all the network traffic of my LAN, but I want to send raw logs from many sources directly to one (and only one) SELKS instance, more precisely to Suricata. Is it possible?

Thank you very much!

pevma commented 6 years ago

I don't think so. Suricata does not process raw logs but rather traffic. It is a signature-based IDS/IPS/NSM, but if you don't want to capture/inspect all traffic you can use a BPF - there is info as to how to here

AR-LAK commented 6 years ago

Why did you choose SELKS instead of Security Onion? Both have stable versions of ELK, and Security Onion offers more tools than SELKS ..

vbaOne commented 6 years ago

Hi,

Thank you again about your last answers.

Another question please, more specific about Suricata and using it as an IPS (I hope this is the right place to ask my question!).

In the documentation, two different cases are specified: the first one is about running Suricata on a gateway.

Let's imagine I don't want to run Suricata on a gateway but on a specific machine, just before the gateway. Following an architecture example:

LAN => Suricata => Gateway => Internet.

From my understanding, in this case, I have to:

  1. Configure switches to redirect all the traffic (from LAN) to Suricata,
  2. Run Suricata on a specific network interface to receive the traffic.

What I want next is to ask Suricata to forward all the packets which have not matched (with signatures) to the Gateway. How can I configure this please?

Thanks!

pevma commented 6 years ago

Yes, you don't need it to be a gateway exactly. For example, if you run AFP IPS you can follow the guide here
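As an added example (not from the SELKS project or from this thread), this is what the relevant suricata.yaml sections look like for the inline LAN => Suricata => Gateway layout asked about above, using Suricata's AF_PACKET IPS copy mode: packets that no drop signature matches are copied from one interface to the other, so unmatched traffic reaches the gateway. It assumes eth0 faces the LAN and eth1 faces the gateway; the commented bpf-filter line is where a BPF expression would go if, as mentioned earlier in the thread, only part of the traffic should be inspected.

```yaml
# Added example: AF_PACKET inline IPS bridge between two NICs.
# Assumptions: eth0 = LAN side, eth1 = gateway side. Both sides must
# use the same number of threads and use-mmap must be enabled.
af-packet:
  - interface: eth0
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips        # forward packets that are not dropped
    copy-iface: eth1      # ... out of the gateway-facing NIC
    buffer-size: 64535
    use-mmap: yes
    # bpf-filter: "not port 443"   # optional: narrow what is inspected
  - interface: eth1
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 97
    copy-mode: ips
    copy-iface: eth0      # return path back toward the LAN
    buffer-size: 64535
    use-mmap: yes

# Inline mode makes stream reassembly act on live traffic instead of
# copies, which is required for drop rules to take effect.
stream:
  inline: yes
```

Start Suricata with `suricata --af-packet -c /etc/suricata/suricata.yaml` so both interfaces from the config are used; note that no IP address is needed on either bridged NIC.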

Xtopher0s commented 5 years ago

I'm currently trying to do the same thing. A while ago a partner and myself completed a client project that was ELK + SecOnion, and what we did to send all the data was send it straight to Logstash, parsed with grok filters, and used the Kibana web GUI we could reach from SecOnion.

The important part was actually the pcap, because Suricata was holding it and we wanted it in Security Onion. We used rsync over SSH with a timed script (I believe) to transfer the data with the proper naming convention and to the proper directory in Security Onion. That allowed us to be able to view the packet data in Sguil etc.

Please post any solutions you come across for SELKS in the same regard. Happy hunting. edit: of course we did this project before there was ELK in SecOnion lol

pevma commented 5 years ago

SELKS 5 has similar functionality - pcap capture/view thanks to Suricata and Moloch. You can hook it up to a remote ELK install and/or forward all logs there.

Are you after IDS or IPS set up? Thank you

-- Regards, Peter Manev


Xtopher0s commented 5 years ago

pevma, I'm interested in an IDS setup; however, I have my SELKS behind a pfSense install. Both the pfSense and SELKS are virtualized. This is simply just an at-home project I am playing with at the moment, so it is also behind my ISP modem. Preferably I would like SELKS to monitor my 192.168.2.x network, or at least some devices off of it, and also my 10.8.0.x network. If possible, I would also like to create an OpenVPN tunnel with flowing data so I could monitor a VPS as well.

Sorry if I'm not explaining it well :) thanks so much. SELKS seems incredible tbh. I just want to feed it the most data I can.

edit: similar to the post above, I would like to have one instance of SELKS. A massive aggregate

pevma commented 5 years ago

So - if I understand correctly - you pass all traffic from the firewall through the sniffing interface of SELKS, correct? Or is that what you are looking for - how to set it up?

TechnicalJohn commented 4 years ago

My apologies if I'm resurrecting a dead thread... but I also have a pfSense that is running Suricata. So regarding @pevma's question, how would you set it up so that pfSense runs Suricata for IPS, and run ELK as the IDS? (If that all makes sense?) Oh, and I'm first running this on my home lab, but it's meant to be a test bed for me to eventually deploy at our corporate offices.