StamusNetworks / scirius

Scirius is a web application for Suricata ruleset management and threat hunting.
GNU General Public License v3.0

Geolocation #127

Open berekese opened 6 years ago

berekese commented 6 years ago

Hi,

I installed the ISO correctly, it's a good job. But I have some doubts.

I have traffic in stats and eve.json... but I don't have any graph yet, how much time should I wait?

And how could I see a map with traffic? It appears in the pictures, but I have been trying to surf around the website and I can't find it.

Here is the last Suricata log:

[1999] 6/2/2018 -- 14:11:40 - (util-conf.c:109) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[1999] 6/2/2018 -- 14:11:48 - (detect.c:524) <Info> (SigLoadSignatures) -- 1 rule files processed. 21153 rules successfully loaded, 0 rules failed
[1999] 6/2/2018 -- 14:11:48 - (util-threshold-config.c:1184) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[1999] 6/2/2018 -- 14:11:48 - (detect.c:3052) <Info> (SigAddressPrepareStage1) -- 21158 signatures processed. 1181 are IP-only rules, 6477 are inspecting packet payload, 15822 inspect application layer, 0 are decoder event only
[1999] 6/2/2018 -- 14:11:55 - (util-privs.c:93) <Info> (SCDropMainThreadCaps) -- dropped the caps for main thread
[1999] 6/2/2018 -- 14:11:55 - (util-logopenfile.c:535) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[1999] 6/2/2018 -- 14:11:55 - (util-logopenfile.c:535) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[1999] 6/2/2018 -- 14:11:55 - (output-json-email-common.c:455) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email body
[1999] 6/2/2018 -- 14:11:55 - (output-json-email-common.c:459) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email subject
[1999] 6/2/2018 -- 14:11:55 - (output-json-dnp3.c:384) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[1999] 6/2/2018 -- 14:11:55 - (output-tx.c:76) <Notice> (OutputRegisterTxLogger) -- JsonDNP3Log logger not enabled: protocol dnp3 is disabled
[1999] 6/2/2018 -- 14:11:55 - (output-json-dnp3.c:384) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[1999] 6/2/2018 -- 14:11:55 - (output-tx.c:76) <Notice> (OutputRegisterTxLogger) -- JsonDNP3Log logger not enabled: protocol dnp3 is disabled
[1999] 6/2/2018 -- 14:11:55 - (util-logopenfile.c:535) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[1999] 6/2/2018 -- 14:11:55 - (util-runmodes.c:288) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[1999] 6/2/2018 -- 14:11:55 - (util-conf.c:109) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[1999] 6/2/2018 -- 14:11:55 - (unix-manager.c:124) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
[1999] 6/2/2018 -- 14:11:55 - (tm-threads.c:2178) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
[2017] 6/2/2018 -- 14:11:55 - (source-af-packet.c:476) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.

Thanks!

pevma commented 6 years ago

Hi, you mean the SELKS ISO, correct? If everything is flowing correctly - you may need to refresh and select a different time span on the dashboards?

berekese commented 6 years ago

Yes! I can select times but I don't see any data in the Dashboard (I only see info on flows) and logs of course. Thanks

pevma commented 6 years ago

If you have info in the dashboards it would mean that the log flow is working - which is good news. Did you do the initial set up as described here - https://github.com/StamusNetworks/SELKS/wiki/Initial-Setup---Suricata-IDPS ?

berekese commented 6 years ago

Hi, thanks for the reply. Yes, I did it and I set up ens3:

2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:e0:9b:33 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.XX/24 brd 192.168.100.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fee0:XX/64 scope link 
       valid_lft forever preferred_lft forever
root@SELKS:/home/selks-user# /opt/selks/Scripts/Setup/setup-selks-ids-interface.sh

Please supply a network interface to set up SELKS Suricata IDS inspection on
INTERFACE: 
ens3

The supplied network interface is:  ens3 

DONE

But I don't have logs in fast.log (I do in eve.log and stats.log).

I see graphs on flow but not in the main dashboard. How could I debug it? http://i66.tinypic.com/jg45e1.png http://i65.tinypic.com/359y7ex.png

Maybe I need to set up some config in suricata.yaml? The interface? I see eth2 inside but my interface is ens3.

Thanks.

pevma commented 6 years ago

It seems the logs are working as expected. The fact that you don't see alerts does not mean it is not working actually :) - but you are right -- it needs to be confirmed! Do you have mirrored traffic on ens3? If not, and if ens3 is your routing interface, you can easily test with a few of these on the command line:
wget http://testmyids.com/

berekese commented 6 years ago

Hi, I have logs in fast.log (few, but I am starting to see some logs). Before, I had installed Suricata 4.0.3 (from source) and I remember a fast.log with a lot of logs; for that reason I was waiting for more logs. Maybe the rules aren't the same or maybe my net is being attacked less :) Anyway, I see some traffic, I will allow more time to check traffic.

I have a Mikrotik router and I sniff all traffic to my Scirius server. Eve.json has a lot of entries constantly and if I do "trafr with tcpdump"

One thing, how could I see IPs on a world map? Is it possible?

Attached current picture and logs: http://i65.tinypic.com/2zi7os0.png

Log stats.log

------------------------------------------------------------------------------------
Date: 2/7/2018 -- 10:48:57 (uptime: 0d, 00h 01m 11s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 971249
decoder.pkts                               | Total                     | 971231
decoder.bytes                              | Total                     | 369453355
decoder.ipv4                               | Total                     | 1012141
decoder.ipv6                               | Total                     | 72
decoder.ethernet                           | Total                     | 971231
decoder.tcp                                | Total                     | 811
decoder.udp                                | Total                     | 929215
decoder.icmpv4                             | Total                     | 68
decoder.icmpv6                             | Total                     | 37
decoder.avg_pkt_size                       | Total                     | 380
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 6
flow.udp                                   | Total                     | 70
flow.icmpv6                                | Total                     | 5
defrag.ipv4.fragments                      | Total                     | 82062
defrag.ipv4.reassembled                    | Total                     | 41031
app_layer.flow.failed_udp                  | Total                     | 70
flow_mgr.new_pruned                        | Total                     | 26
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 8
flow_mgr.flows_notimeout                   | Total                     | 8
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65528
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7091008

Some lines from fast.log

02/07/2018-10:06:38.122846  [**] [1:2009099:3] ET P2P ThunderNetwork UDP Traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.XX.XX:57919 -> 224.0.0.252:5355
02/07/2018-10:35:50.847030  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.XX.XX:60251 -> 192.168.XX.XX:37008

Log suricata.log

[2402] 7/2/2018 -- 10:52:04 - (suricata.c:2769) <Notice> (SuricataMainLoop) -- Signal Received.  Stopping engine.
[2402] 7/2/2018 -- 10:52:04 - (suricata.c:1133) <Info> (SCPrintElapsedTime) -- time elapsed 258.143s
[2402] 7/2/2018 -- 10:52:05 - (counters.c:821) <Info> (StatsLogSummary) -- Alerts: 0
[2402] 7/2/2018 -- 10:52:05 - (detect.c:3356) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
[2402] 7/2/2018 -- 10:52:05 - (util-device.c:283) <Notice> (LiveDeviceListClean) -- Stats for 'ens3':  pkts: 3454809, drop: 0 (0.00%), invalid chksum: 0
[2664] 7/2/2018 -- 10:52:06 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev b8428378)
[2664] 7/2/2018 -- 10:52:06 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 1
[2664] 7/2/2018 -- 10:52:06 - (util-ioctl.c:107) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'ens3'
[2664] 7/2/2018 -- 10:52:06 - (util-ioctl.c:107) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'ens3'
[2673] 7/2/2018 -- 10:52:06 - (util-conf.c:109) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[2673] 7/2/2018 -- 10:52:14 - (detect.c:524) <Info> (SigLoadSignatures) -- 1 rule files processed. 22075 rules successfully loaded, 0 rules failed
[2673] 7/2/2018 -- 10:52:14 - (util-threshold-config.c:1184) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[2673] 7/2/2018 -- 10:52:14 - (detect.c:3052) <Info> (SigAddressPrepareStage1) -- 22080 signatures processed. 1179 are IP-only rules, 6477 are inspecting packet payload, 16624 inspect application layer, 0 are decoder event only
[2673] 7/2/2018 -- 10:52:23 - (util-privs.c:93) <Info> (SCDropMainThreadCaps) -- dropped the caps for main thread
[2673] 7/2/2018 -- 10:52:23 - (util-logopenfile.c:535) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[2673] 7/2/2018 -- 10:52:23 - (util-logopenfile.c:535) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[2673] 7/2/2018 -- 10:52:23 - (output-json-email-common.c:455) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email body
[2673] 7/2/2018 -- 10:52:23 - (output-json-email-common.c:459) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email subject
[2673] 7/2/2018 -- 10:52:23 - (output-json-dnp3.c:384) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[2673] 7/2/2018 -- 10:52:23 - (output-tx.c:76) <Notice> (OutputRegisterTxLogger) -- JsonDNP3Log logger not enabled: protocol dnp3 is disabled
[2673] 7/2/2018 -- 10:52:23 - (output-json-dnp3.c:384) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[2673] 7/2/2018 -- 10:52:23 - (output-tx.c:76) <Notice> (OutputRegisterTxLogger) -- JsonDNP3Log logger not enabled: protocol dnp3 is disabled
[2673] 7/2/2018 -- 10:52:23 - (util-logopenfile.c:535) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[2673] 7/2/2018 -- 10:52:23 - (util-runmodes.c:288) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[2673] 7/2/2018 -- 10:52:23 - (util-conf.c:109) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[2673] 7/2/2018 -- 10:52:23 - (unix-manager.c:124) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
[2673] 7/2/2018 -- 10:52:23 - (tm-threads.c:2178) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
[2684] 7/2/2018 -- 10:52:23 - (source-af-packet.c:476) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.

berekese commented 6 years ago

Finally I set up SELKS correctly. I see traffic and "attacks", few for now but I will wait. Regarding the world map, it isn't there, right?

Thank you for everything.

pevma commented 6 years ago

World map results should be there as soon as you have alerts with public IPs. Is that the case?

berekese commented 6 years ago

Hi, I have alerts on the main dashboard, check this: http://i68.tinypic.com/ofzrz4.png Now I would like to know if there is a way to see IPs on a world map, and if yes, where?

Thanks!

pevma commented 6 years ago

In Scirius - can you try the upper left corner (Stamus icon) - drop down menu - choose a dashboard?

berekese commented 6 years ago

Oh yes, I see all the Dashboards :) I didn't know about it.

One last thing: before, I had installed Suricata only (no ELKS) and my fast.log had a lot of alerts constantly, but now, with SELKS, I don't have alerts (only the test with curl testmyids). Have I forgotten anything? I have a lot of flows. Note: I have a Mikrotik with packet sniffer pointing to the SELKS server (with the old Suricata I had the same and I received a lot of alerts, here is an example):

02/08/2018-06:43:42.292911  [**] [1:2402000:4711] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 5.188.11.25:59724 -> 192.168.XX.XX:20571
02/08/2018-06:43:42.292911  [**] [1:2403303:38244] ET CINS Active Threat Intelligence Poor Reputation IP group 4 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 5.188.11.25:59724 -> 192.168.XX.XX:20571
02/08/2018-06:44:23.970589  [**] [1:2013031:5] ET POLICY Python-urllib/ Suspicious User Agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.XX.XX:47926 -> 91.189.95.15:80
02/08/2018-06:45:49.859154  [**] [1:2013031:5] ET POLICY Python-urllib/ Suspicious User Agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.XX.XX:53444 -> 91.189.95.15:80
02/08/2018-06:49:51.872531  [**] [1:2402000:4711] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 185.107.83.58:28712 -> 192.168.XX.XX:5069
02/08/2018-06:50:34.041745  [**] [1:2403352:38244] ET CINS Active Threat Intelligence Poor Reputation IP group 53 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 66.240.219.146:32523 -> 192.168.XX.XX:3283
02/08/2018-06:51:36.387838  [**] [1:2013031:5] ET POLICY Python-urllib/ Suspicious User Agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.XX.XX:58936 -> 91.189.95.15:80
02/08/2018-06:52:59.822946  [**] [1:2013031:5] ET POLICY Python-urllib/ Suspicious User Agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.XX.XX:37116 -> 91.189.95.15:80
02/08/2018-06:53:42.859410  [**] [1:2013031:5] ET POLICY Python-urllib/ Suspicious User Agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.XX.XX:37166 -> 91.189.95.15:80
02/08/2018-06:54:48.551166  [**] [1:2013031:5] ET POLICY Python-urllib/ Suspicious User Agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.XX.XX:37170 -> 91.189.95.15:80

I start the daemon in suricata (old) doing this: trafr -s | suricata -c /etc/suricata/suricata.yaml -r - Maybe I should start suricata on SELKS using the same mode? Any change in the conf?

I tried to start suricata using the same line but I get this:

root@SELKS:/home/selks-user#  trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
[8161] 8/2/2018 -- 07:04:20 - (conf-yaml-loader.c:241) <Info> (ConfYamlParse) -- Including configuration file /etc/suricata/selks4-addin.yaml.
[8161] 8/2/2018 -- 07:04:20 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'default-rule-path' redefined.
[8161] 8/2/2018 -- 07:04:20 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'rule-files' redefined.
[8161] 8/2/2018 -- 07:04:20 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'classification-file' redefined.
[8161] 8/2/2018 -- 07:04:20 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'reference-config-file' redefined.
[8161] 8/2/2018 -- 07:04:20 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'detect' redefined.
[8161] 8/2/2018 -- 07:04:20 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'default-log-dir' redefined.
[8161] 8/2/2018 -- 07:04:20 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'stats' redefined.
[8161] 8/2/2018 -- 07:04:20 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'outputs' redefined.
[8161] 8/2/2018 -- 07:04:20 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'logging' redefined.
[8161] 8/2/2018 -- 07:04:20 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'af-packet' redefined.
[8161] 8/2/2018 -- 07:04:20 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev b8428378)
[8161] 8/2/2018 -- 07:04:38 - (output-tx.c:76) <Notice> (OutputRegisterTxLogger) -- JsonDNP3Log logger not enabled: protocol dnp3 is disabled
[8161] 8/2/2018 -- 07:04:38 - (output-tx.c:76) <Notice> (OutputRegisterTxLogger) -- JsonDNP3Log logger not enabled: protocol dnp3 is disabled
[8161] 8/2/2018 -- 07:04:38 - (runmodes.c:366) <Error> (RunModeDispatch) -- [ERRCODE: SC_ERR_RUNMODE(187)] - The custom type "workers" doesn't exist for this runmode type "PCAP_FILE".  Please use --list-runmodes to see available custom types for this runmode

However with the old suricata I can start it correctly and I get attacks in fast.log:

root@suricatanew:/etc/init.d# trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
8/2/2018 -- 06:43:22 - <Notice> - This is Suricata version 4.0.3 RELEASE
8/2/2018 -- 06:43:27 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
8/2/2018 -- 07:00:37 - <Notice> - Signal Received.  Stopping engine.
8/2/2018 -- 07:00:37 - <Notice> - Pcap-file module read 9009485 packets, 2538112521 bytes

How could I start the daemon with the same values? Is it possible? Modifying some value in selks4-addin.yaml or the default script to work in another mode?

Thanks!

pevma commented 6 years ago

SELKS uses Suricata and the better features it has available - the eve.json log file being one of those. Suricata's configuration does not have the legacy fast.log enabled as the JSON format is easier, more verbose and works by default with the ELK stack.

berekese commented 6 years ago

Hi, thanks. I understand that, but in that case, how does SELKS get alerts? In the main dashboard, in the section "Alerts activity", I have it empty. I understand that fast.log is where alerts are kept in order to write alerts on the dashboard, right? But I have it empty, and maybe if I could run suricata with the same values as my old suricata (-r -) I would have logs in eve.json, because in the config I have it enabled, and in fast.log.

Thanks.

pevma commented 6 years ago

Actually - all logs generated by Suricata are in /var/log/suricata/eve.json. You have different types and the alerts are "event_type": "alert".

From there they get transferred by logstash to Elasticsearch, and Scirius/Kibana/EveBox query Elasticsearch to display the results.
So if you do not have any alerts in eve.json there will be no alerts to display, respectively.
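
The two points made in this thread - that the dashboards are fed only by `"event_type": "alert"` records in eve.json (fast.log plays no part), and that the world map needs alerts with at least one public IP - can be checked directly against the file before suspecting Logstash or Elasticsearch. The following is an added example, not code from Scirius or SELKS. It assumes nothing beyond Suricata's standard EVE field names (`event_type`, `src_ip`, `dest_ip`, `alert.signature`); the sample lines are constructed for the example, borrowing the mySQL and ThunderNetwork signatures and addresses already quoted from fast.log above.

```python
"""Triage a Suricata eve.json file the way the SELKS pipeline consumes it.

Added example, not Scirius/SELKS code. It reads EVE records line by line,
counts them by event_type (only "alert" records ever reach the alert
dashboards), and lists which alerts a GeoIP-based world map could place,
i.e. those with at least one public endpoint.
"""
import ipaddress
import json
from collections import Counter

# Constructed sample eve.json content (one JSON object per line), modelled on
# the fast.log lines quoted in the thread. The last line is deliberately
# malformed: a reader must skip it, not abort the whole file.
SAMPLE_EVE = """\
{"timestamp":"2018-02-08T11:02:59.639388+0000","event_type":"alert","src_ip":"113.4.133.5","src_port":6000,"dest_ip":"192.168.1.20","dest_port":3306,"proto":"TCP","alert":{"signature_id":2010937,"signature":"ET POLICY Suspicious inbound to mySQL port 3306","severity":2}}
{"timestamp":"2018-02-08T11:03:01.000000+0000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","proto":"UDP"}
{"timestamp":"2018-02-08T11:03:02.000000+0000","event_type":"alert","src_ip":"192.168.1.20","src_port":57919,"dest_ip":"224.0.0.252","dest_port":5355,"proto":"UDP","alert":{"signature_id":2009099,"signature":"ET P2P ThunderNetwork UDP Traffic","severity":1}}
{"timestamp":"2018-02-08T11:03:03.000000+0000","event_type":"dns","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","proto":"UDP"}
{"timestamp":"2018-02-08T11:03:04.000000+0000","event_type":"stats","stats":{"uptime":71}}
this line is not JSON and must be skipped rather than crash the reader
"""


def iter_events(text):
    """Yield parsed EVE records, silently skipping blank or non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def count_event_types(text):
    """Count records per event_type: a quick answer to 'is Suricata alerting?'"""
    return Counter(ev.get("event_type", "unknown") for ev in iter_events(text))


def is_public(ip_text):
    """True only for globally routable unicast addresses.

    Private (RFC 1918), multicast (224.0.0.252 in the sample), loopback,
    link-local, reserved and unspecified addresses cannot be geolocated, so
    an alert between two such addresses never shows up on a world map.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except (ValueError, TypeError):
        return False
    return not (ip.is_private or ip.is_multicast or ip.is_loopback
                or ip.is_link_local or ip.is_reserved or ip.is_unspecified)


def mappable_alerts(text):
    """Return the alerts a GeoIP-based map could place, with their public IPs."""
    result = []
    for ev in iter_events(text):
        if ev.get("event_type") != "alert":
            continue
        public_ips = [ip for ip in (ev.get("src_ip"), ev.get("dest_ip")) if is_public(ip)]
        if public_ips:
            result.append({
                "signature": ev["alert"]["signature"],
                "public_ips": public_ips,
            })
    return result


if __name__ == "__main__":
    counts = count_event_types(SAMPLE_EVE)
    print("records per event_type:", dict(counts))
    print("alerts that would feed the dashboards:", counts["alert"])
    for a in mappable_alerts(SAMPLE_EVE):
        print("mappable:", a["signature"], "via", ", ".join(a["public_ips"]))
```

Run against a real file with `count_event_types(open("/var/log/suricata/eve.json").read())`: an `alert` count of zero means the problem is upstream of Logstash (rules, capture interface or runmode), while a non-zero count with an empty world map usually means every alert is between internal addresses, as with the 192.168.x.x to 224.0.0.252 line above.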

berekese commented 6 years ago

Yes, I understand. I had eve.json but not fast.log, and for that reason in the main dashboard (Alert Activity) I didn't have any info. I have solved my problem with the Suricata logs; I don't know if my case is different because I use "packet sniffer" from Mikrotik to the SELKS server, or dunno.

Finally I commented out the line "runmode: workers" in selks4-addin.yaml and I started the daemon using this line: root@SELKS:/etc/suricata# trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -v --user=logstash -r -

Getting this log:

[2579] 8/2/2018 -- 11:00:44 - (conf-yaml-loader.c:241) <Info> (ConfYamlParse) -- Including configuration file /etc/suricata/selks4-addin.yaml.
[2579] 8/2/2018 -- 11:00:44 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'default-rule-path' redefined.
[2579] 8/2/2018 -- 11:00:44 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'rule-files' redefined.
[2579] 8/2/2018 -- 11:00:44 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'classification-file' redefined.
[2579] 8/2/2018 -- 11:00:44 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'reference-config-file' redefined.
[2579] 8/2/2018 -- 11:00:44 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'detect' redefined.
[2579] 8/2/2018 -- 11:00:44 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'default-log-dir' redefined.
[2579] 8/2/2018 -- 11:00:44 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'stats' redefined.
[2579] 8/2/2018 -- 11:00:44 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'outputs' redefined.
[2579] 8/2/2018 -- 11:00:44 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'logging' redefined.
[2579] 8/2/2018 -- 11:00:44 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'af-packet' redefined.
[2579] 8/2/2018 -- 11:00:44 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev b8428378)
[2579] 8/2/2018 -- 11:00:44 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 1
[2579] 8/2/2018 -- 11:00:44 - (util-conf.c:109) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[2579] 8/2/2018 -- 11:00:52 - (detect.c:524) <Info> (SigLoadSignatures) -- 1 rule files processed. 22116 rules successfully loaded, 0 rules failed
[2579] 8/2/2018 -- 11:00:52 - (util-threshold-config.c:1184) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[2579] 8/2/2018 -- 11:00:52 - (detect.c:3052) <Info> (SigAddressPrepareStage1) -- 22121 signatures processed. 1175 are IP-only rules, 6504 are inspecting packet payload, 16643 inspect application layer, 0 are decoder event only
[2579] 8/2/2018 -- 11:01:01 - (util-privs.c:93) <Info> (SCDropMainThreadCaps) -- dropped the caps for main thread
[2579] 8/2/2018 -- 11:01:01 - (util-logopenfile.c:535) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[2579] 8/2/2018 -- 11:01:01 - (util-logopenfile.c:535) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[2579] 8/2/2018 -- 11:01:01 - (output-json-email-common.c:455) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email body
[2579] 8/2/2018 -- 11:01:01 - (output-json-email-common.c:459) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email subject
[2579] 8/2/2018 -- 11:01:01 - (output-json-dnp3.c:384) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[2579] 8/2/2018 -- 11:01:01 - (output-tx.c:76) <Notice> (OutputRegisterTxLogger) -- JsonDNP3Log logger not enabled: protocol dnp3 is disabled
[2579] 8/2/2018 -- 11:01:01 - (output-json-dnp3.c:384) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[2579] 8/2/2018 -- 11:01:01 - (output-tx.c:76) <Notice> (OutputRegisterTxLogger) -- JsonDNP3Log logger not enabled: protocol dnp3 is disabled
[2579] 8/2/2018 -- 11:01:01 - (util-logopenfile.c:535) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[2580] 8/2/2018 -- 11:01:01 - (source-pcap-file.c:267) <Info> (ReceivePcapFileThreadInit) -- reading pcap file -
[2579] 8/2/2018 -- 11:01:01 - (tm-threads.c:2178) <Notice> (TmThreadWaitOnThreadInit) -- all 2 packet processing threads, 4 management threads initialized, engine started.
[2580] 8/2/2018 -- 11:01:01 - (util-checksum.c:86) <Info> (ChecksumAutoModeCheck) -- No packets with invalid checksum, assuming checksum offloading is NOT used

In fast.log I have logs now:

02/08/2018-11:02:59.639388  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 113.4.133.5:6000 -> 192.168.XX.XX:3306
02/08/2018-11:04:46.002455  [**] [1:2403354:38244] ET CINS Active Threat Intelligence Poor Reputation IP group 55 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 71.6.158.166:46640 -> 192.168.XX:XX:8889

And I see alerts on Activity on the main website. And of course, I can see the rest of the alerts by pushing the button in the upper left corner and going to Kibana, it's a great great job.

Now I will check how to modify the Suricata start script so it starts with those options and afterwards, with an API, connect to Mikrotik and ban IPs, which I did on another server.

One last doubt: are the rules updated regularly? Or should I do it by hand? On another server I used oinkmaster to keep the rules updated; in your SELKS I don't know how they are updated.

In any case, I have to thank you for your work, it is very useful and wonderful.

pevma commented 6 years ago

Thanks for trying it out! Yes - fast.log is irrelevant to displaying alerts in Scirius/Elasticsearch/Kibana. For rule updates - there is a cronjob in /etc/crontab that updates the rules daily. You could adjust the timing from there if needed.