October 2014


Stamus Networks supports its own generic and standard Debian Wheezy 64 bit packaging repositories for

These repositories provide Debian packages for the newest Suricata IDS/IPS and htp releases and for the newest long-term stable kernel version. SELKS already includes those repositories under /etc/apt/sources.list.d/selks.list.

You can use them as follows:

wget -O - -q http://packages.stamus-networks.com/packages.stamus-networks.com.gpg.key | apt-key add - && \
apt-get update

Then you can add the following:

deb http://packages.stamus-networks.com/debian/ wheezy main
deb http://packages.stamus-networks.com/debian-kernel/ wheezy main

in /etc/apt/sources.list.d/stamus.list for example.

The repositories contain packages for the long-term stable kernel version. So if you would like to upgrade to the latest long-term supported kernel you can just do (on Debian):

apt-get update && apt-get upgrade
apt-get install linux-libc-dev linux-headers-3.14.19-stamus linux-image-3.14.19-stamus


Screenshots: Kernel Packages, Kernel Upgrade, Verification

Those repos are included by default in SELKS.

Another example:

apt-get install suricata

After giving a talk about malware detection and Suricata, Eric Leblond gave a lightning talk to present SELKS at the hack.lu conference.


You can download the slides here: 2014 hacklu selks

Introduction

SELKS 1.0 features a privacy dashboard. This dashboard focuses on the HTTP and TLS protocols. Its data source is the events generated by Suricata for these two protocols. The goal of the dashboard is to show the interactions between websites. For example, you will see in the following video that opening elysee.fr, the French president's website, triggers the opening of pages on Facebook and Google Analytics. This means that both Facebook and Google know you went to the presidential website.

Setup

The setup of the demonstration is simple, as we are connecting to the web from the virtual machine. This was done because it was easier to record the screencast that way. But the most interesting setup consists in sniffing the traffic of the physical host from SELKS running in the virtual machine. This way, SELKS will analyse your local traffic and you will be able to see in SELKS all the events coming from your real internet life.

The setup is simple. In VirtualBox, go to the machine details and click on Network. Then choose to bridge your physical network interface and allow promiscuous mode on the interface:


Demonstration

Watch the following video to discover how this dashboard can be used:

Another way to use this privacy dashboard is to use one of the filters. For instance, if we filter on http.http_refer:"http://www.whitehouse.gov" we get a dashboard containing all HTTP events whose referrer is the US president's website. So if you look at the hostnames on the following screenshot, you will see that going to whitehouse.gov also leads you to external websites.

Whitehouse links

My favorite in this list is www.youtube-nocookie.com, but something like cloud.typography.com is really interesting too. Even a website like whitehouse.gov no longer hosts its own fonts.

The privacy dashboard also contains TLS information extracted by Suricata. It lists TLS connections made to well-known websites such as Facebook, Twitter or Google. For example, we can see that going to CNN causes some TLS hits on Twitter and Facebook.

Since TLS is encrypted we can't prove this link; it is the short time frame between the events that stands as proof of the link between the websites.
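The two dashboard views above (the http.http_refer filter and the time-proximity link between an HTTP page load and later TLS handshakes) applied to EVE JSON in plain Python. This is an added example, not SELKS or Kibana code; the event lines are constructed, and only the real eve.json fields http.hostname, http.http_refer and tls.subject are used.

```python
import json
import re
from datetime import datetime

# Constructed Suricata EVE JSON lines (not a real capture): one page load of
# whitehouse.gov, the third-party HTTP requests it referred, and TLS
# handshakes observed shortly afterwards. Field names follow eve.json.
EVE_LINES = """\
{"timestamp":"2014-10-19T12:00:40.000000+0200","event_type":"http","http":{"hostname":"www.whitehouse.gov","url":"/","http_refer":""}}
{"timestamp":"2014-10-19T12:00:41.000000+0200","event_type":"http","http":{"hostname":"cloud.typography.com","url":"/fonts.css","http_refer":"http://www.whitehouse.gov/"}}
{"timestamp":"2014-10-19T12:00:41.500000+0200","event_type":"http","http":{"hostname":"www.youtube-nocookie.com","url":"/embed/x","http_refer":"http://www.whitehouse.gov/"}}
{"timestamp":"2014-10-19T12:00:42.000000+0200","event_type":"http","http":{"hostname":"www.whitehouse.gov","url":"/site.css","http_refer":"http://www.whitehouse.gov/"}}
{"timestamp":"2014-10-19T12:00:43.000000+0200","event_type":"tls","tls":{"subject":"C=US, O=Facebook Inc., CN=*.facebook.com"}}
{"timestamp":"2014-10-19T12:00:44.000000+0200","event_type":"tls","tls":{"subject":"C=US, O=Twitter Inc., CN=twitter.com"}}
{"timestamp":"2014-10-19T12:30:00.000000+0200","event_type":"tls","tls":{"subject":"C=US, O=Google Inc, CN=*.google.com"}}
"""

def parse_eve(text):
    """Parse EVE JSON lines, attaching the timestamp as a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        events.append(ev)
    return events

def external_hosts_by_referrer(events, referrer):
    """Hostnames of HTTP requests carrying the given referrer, excluding the
    referring site itself: the dashboard's http.http_refer filter."""
    ref_host = referrer.split("//", 1)[1].split("/", 1)[0]
    hosts = set()
    for ev in events:
        if ev["event_type"] != "http":
            continue
        h = ev["http"]
        if h.get("http_refer", "").startswith(referrer) and h.get("hostname") != ref_host:
            hosts.add(h["hostname"])
    return sorted(hosts)

def tls_hits_after(events, hostname, window_seconds=5):
    """Certificate CNs of TLS handshakes seen within window_seconds after an
    HTTP request to hostname. Time proximity is the only link available,
    since the TLS payload itself is encrypted."""
    starts = [ev["ts"] for ev in events
              if ev["event_type"] == "http" and ev["http"].get("hostname") == hostname]
    cns = set()
    for ev in events:
        if ev["event_type"] != "tls":
            continue
        m = re.search(r"CN=([^,]+)", ev["tls"].get("subject", ""))
        if m and any(0 <= (ev["ts"] - t).total_seconds() <= window_seconds for t in starts):
            cns.add(m.group(1))
    return sorted(cns)
```

The Google handshake half an hour later falls outside the window and is not attributed to the page load, which is exactly the limit of the time-frame argument.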

Conclusion

The SELKS privacy dashboard is just one example of what you can achieve in SELKS with Suricata's network security monitoring capabilities. The demonstration shown here is local, but don't forget you can do the same at the level of a whole network.


Stamus Networks is proud to announce the availability of the SELKS 1.0 stable release. SELKS is both a Live and an installable Network Security Management ISO based on Debian, implementing and focusing on a complete, ready-to-use Suricata IDS/IPS ecosystem with its own graphical rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under the GPLv3 license.

You can download SELKS from SELKS main page.

SELKS is comprised of the following major components:

It offers proven, powerful, innovative and scalable open source multi-threading technologies in a bundle.

SELKS 1.0 comes with 10 pre-installed Kibana IDS/NSM dashboards. They cover analysis of the Suricata alerts and events with per-protocol dashboards (Alerts, HTTP, Flow, SSH, TLS, DNS …). Some dashboards are also dedicated to more specific tasks, like the PRIVACY dashboard:

It shows privacy-related information such as which pages lead to well-known personal data collectors such as Facebook, Twitter or Google.

SELKS provides Scirius – a rules management interface for Suricata. Scirius has been developed by Stamus Networks to provide interaction with Kibana and Elasticsearch. It displays for example statistics on rules and links to existing Kibana dashboards:

Scirius provides up-to-date signatures via the EmergingThreats Open (or PRO) ruleset and the abuse.ch SSL signatures.

Scirius can be upgraded via the standard Debian method (apt-get upgrade). Stamus Networks is also determined to provide the latest stable Debian kernel release for SELKS. Upgrading to the latest stable kernel is easy via the package system. For example, a user running the installed version can upgrade the kernel to the latest 3.14 version:

Screenshot: kernel upgrade to 3.14.21

Scirius 1.0rc1 can be upgraded to the 1.0 version by running apt-get dist-upgrade.

The list of provided Kibana dashboards will be augmented in the future and this will be done seamlessly via the Debian packaging system and Kibana autodiscovery:

Screenshot: Kibana dashboards

We really hope you will enjoy SELKS, an enterprise-grade IDS and Network Security Monitoring system in 30 seconds.

How to and README

Follow us on Twitter, Google+ and Github

Let's talk about SELKS…