Author: pevma

0

Hey! Our new and upgraded showcase for Suricata has just been released – SELKS5 Beta. Thanks to lots of help from the community and dev work we are pleased to announce the first beta release of our new SELKS5.

Our major new features and additions include :

  • Suricata IDS/IPS/NSM 4.1-dev – latest Suricata packaged with new and enabled features like
    • Full Packet Capture enabled on SELKS  – yes, Suricata can do FPC as well.
    • Rust enabled
      • new protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2
      • more possibility for file extraction – SMTP/HTTP/SMB/NFS/FTP
    • Hyperscan enabled for extra performance boost.
  • Major upgrade from Elasticsearch/Kibana/Logtsash (ELK) 5.x to the ELK 6 stack making available a ton of new features and enhancements.
  • Scirius 3.0
    • New Hunt interface allowing for fast drill down approach enabling of filtering out the noise and concentrating on threats in seconds
    • Grouped rules factorization via usage of IP reputation feature of Suricata

  • Evebox – bugfixes and parsing improvements.
  • Debian – our favorite OS
  • Moloch  –  The new SELKS makes use of Moloch and Moloch viewer to parse and view the full packet capture done by Suricata. Moloch comes with an arsenal of tools and features on its own like:
    • CyberChef
    • Extremely flexible and easy to use interface for FPC drill down, filtering,search and pcap export

As always we are very thankful to the above Open Source projects and tools for making it possible to showcase Suricata and our new distro

SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under GPLv3 license.

Download

To download SELKS 5, pick one of the two flavors:

SELKS with desktop
  • HTTP: SELKS-5.0beta1-desktop.iso
  • MD5sum: af4ae135dd60baea7183ac5bdb4a5863
  • Sha1sum: 878348effeefda387677002cb0d1aab529752ad3
  • Sha256sum: d6cf5e0bd583315e9b10229a1c73938087e3377997317ceed508fc55e5239c19
SELKS without desktop
  • HTTP: SELKS-5.0beta1-nodesktop.iso
  • MD5sum: 3bfbb8cf626f0f2979f02148c2bad4f5
  • Sha1sum: 80d0b855608ad458781478d1e2e9fd41c56b0c06
  • Sha256sum: 34019555e07e0cf47b3fb1e260f7c0b024553267338f02df8f949a1ef208741f

Usage

You can find the start instruction including the initial setup script usage on SELKS 5.0 wiki page.

SELKS 4 user can upgrade their running systems using the following Upgrade instructions.

Visual tour

Some visuals to give you a glimpse of the things you can do with SELKS.

Scirius landing page - Administer, Hunt, Search, Drill down and filter, Correlate events and FPC

Scirius landing page – Administer, Hunt, Search, Drill down and filter, Correlate events and FPC

21 ready to use Kibana dashboards consisting of over 200 visualizations

21 ready to use Kibana dashboards consisting of over 200 visualizations

Moloch Suricata Plugin

Moloch Suricata Plugin

Moloch and CyberChef navigation, drill down and display

Moloch and CyberChef navigation, drill down and display

TLS GeoIP and sni breakdown

TLS GeoIP and sni breakdown

TLS version and sni

TLS version and sni

TFTP GeoIp and events over time

TFTPGeoIp and events over time

SSH proto fields and geoIP visualizations

SSH proto fields and geoIP visualizations

SMTP Geoip events

SMTP Geoip events

SMB Proto fields

SMB Proto fields

SMB Alert trends

NFS protocol fields visualizations

NFS protocol fields visualizations

KRB5 protocol fields visualizations

KRB5 protocol fields visualizations

KRB5 alerts trending, sources and GeoIP

KRB5 alerts trending, sources and GeoIP

IKEv2 GeoIP and events trending

IKEv2 GeoIP and events trending

IKEv2 protocol fields break down

IKEv2 protocol fields break down

NSM and IDS time series

NSM and IDS time series

Rich HTTP details correlation and FPC

Rich HTTP details correlation and FPC

HTTP protocol data and GeoIP visualizations

HTTP protocol data and GeoIP visualizations

Fileinfo break don by protocols

Fileinfo break don by protocols

DNS protocol visualizations by fields

DNS protocol visualizations by fields

DNS Heat maps

DNS Heat maps

DNP3 event details correlation and FPC

DNP3 event details correlation and FPC

DNP3 protocol fields and sources info

DNP3 protocol fields and sources info

DHCP protocol fields visualizations, events correlation and FPC availability

DHCP protocol fields visualizations, events correlation and FPC availability

Application layer protocols breakdown

Application layer protocols breakdown

Application layer protocols breakdown -2

Application layer protocols breakdown -2

Application layer protocols breakdown -3

Application layer protocols breakdown -3

Per VLAN details and visualizations

Per VLAN details and visualizations

Per alert event details, metadata, correlation and FPC

Per alert event details, metadata, correlation and FPC

Helpful NSM birds eye views and selections

Helpful NSM birds eye views and selections

Alert event break down by protocol and GeoIP visualization

Alert event break down by protocol and GeoIP visualization

TrafficID

TrafficID

Moloch visualizations, easy filtering and drill down

Moloch visualizations, easy filtering and drill down

Moloch per flow/session visualizations, easy filtering and drill down

Moloch per flow/session visualizations, easy filtering and drill down

 

Feedback is welcome

Any feedback as always is greatly appreciated! 🙂

Give us feedback and get help on:

While this test upgrade/installation has been verified and tested please make sure you try it in your test/QA set up first.

Thank you!

 

 

 

 

0

This first edition of SELKS 4 is available from Stamus Networks thanks to a great and helpful feedback from our open source community – Thank you! This new major release features a version jump for all the main software stacks. Suricata switches from 3.2 to 4.0, Elastic stack is ugpraded from 2.5 to 5.5 and even Debian is now Stretch, the latest stable release.

SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under GPLv3 license.

This is a major new release featuring all components upgrade and of course latest Suricata.

New Features

  • Suricata IDS/IPS/NSM 4.0.x – latest Suricata packaged with Hyperscan enabled for extra performance boost. The latest edition of Suricata among many fixes and improvements includes:
    • extra alert data like for example http body added to the alert json logs wherever available
    • protocol renegociation which means STARTTLS and CONNECT support
  • Major upgrade from Elasticsearch/Kibana/Logtsash (ELK) 2.x to the ELK 5 stack making available a ton of new features and enhancements.
  • Scirius 1.2.4 – bugfixes, better correlation capability with EveBox and introduction of IPS rules support.
  • Evebox – many new features including reporting and comments on the log events.
  • Debian Stretch – All new OS features, kernel and tools.

As always – as a Stamus Networks extra sauce the latest stable kernel (4.12.8 at the time of this writing) is available for install if you wish.

Download

To download SELKS 4:

  • SELKS with desktop: Torrent, HTTP (MD5sum: 70783e4d441932103c3410c0b778b401)
  • SELKS without desktop: Torrent, HTTP (MD5sum: 335e31cd2b3a864f432c7d57efe007cd)

Usage

To remotely access the web management interface :

  • https://your.selks.IP.here/ – Scirius ruleset management and a central point for all dashboards and EveBox alert and event management.

Usage and logon credentials (OS and web management user)

  • user: selks-user
  • password: selks-user (password in Live mode is live)

The default root password is StamusNetworks

Visual tour

Some visuals to give you a glimpse of the things you can do with SELKS.

Scirius – ruleset manager and dashboard central management console.

Scirius – rule availability by ruleset information.

Scirius- “google” search your rules

Dashboards – mail attachments

Dashboards – mail application supplemental info

Dashboards – DNS geoip heat map

Dashboards – VLAN supplemental info

Dashboards – availability of full events correlation via EveBox and Scirius

Dashboards – extra http data for better visibility.

Dashboards – ssh data available for drill/break downs as well.

Dashboards – dns events at a glance

Dashboards – alert supplemental log information.

EveBox reporting

Dashboards – valuable break down of alert data information.

Dashboards – break down of http user agents that have generated alerts

EveBox – alert comments availability.

 

 

Howto

Upgrade from SELKS 3

To upgrade your existing SELKS 3 to SELKS 4 preview, please refer to SELKS-3.0-to-SELKS-4.0-upgrades wiki page.

Create your own ISO

SELKS 4 is available for download ready to use (as explained at the beginning of the article).

However – if you want to you can create and/or customize your own SELKS 4 ISO

Once installed
  • Please refer to Initial Setup section of the documentation
  • Keep your SELKS up to date
  • Recommended initial set up for SELKS 4.0 is 2CPUs 5-6Gb RAM
  • If you need to reset/reload all the dashboards  – you can do like so
    • In Scirius on the top left corner drop down menu select System Settings
    • click on the Kibana tab
    • choose Reset SN dashboards

Feedback is welcome

Any feedback as always is greatly appreciated! 🙂

Give us feedback and get help on:

Thank you!

0

After a very valuable round of testing and feedback from the community  we are pleased to announce the SELKS 4 RC1 availability.

SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under GPLv3 license.

This is a the release candidate of a new major branch with an updated storage visualization stack and latest Suricata.

New Features

  • Suricata IDS/IPS/NSM 4.0.x – latest git master Suricata packaged with Hyperscan enabled for extra performance boost. This edition of Suricata besides many improvements and bug fixes also includes extra alert data like for example http body added to the alert json logs wherever available.
  • Elasticsearch 5.5.0  – part of the ELK5 stack upgrade making available a ton of new features and enhancements.
  • Logstash 5.5.0 – performance improvement over 2.x and ES5 compatibility.
  • Kibana 5.5.0 – taking advantage of the latest dashboarding features of ES.
  • Scirius 1.2.2 – bugfixes, better correlation capability with EveBox and introduction of IPS rules support.
  • Evebox – many new features including reporting and comments on the log events.
  • Debian Stretch – All new features, kernel and tools.

EveBox

Alert event with a comment field.

Kibana

Verbose HTTP logging

Kibana

GeoIP heat maps

EveBox

Supplemental alert data logging

 

Download

To download SELKS4-RC1:

Usage

Usage and logon credentials (OS and web management user)

  • user: selks-user
  • password: selks-user (password in Live mode is live)

The default root password is StamusNetworks

To remotely access the web management interface :

  • https://your.selks.IP.here/ – Scirius ruleset management and a central point for all dashboards and EveBox alert and event management.

Howto

Upgrade

To upgrade your existing SELKS 3 to SELKS 4 preview, please refer to SELKS-3.0-to-SELKS-4.0-upgrades wiki page.

It is recommended to follow the onscreen instructions and if needed answer “yes” to all changes. At the end of the upgrade you will be asked to enter the interface that you will use for IDS/sniffing. Please enter (eth0 for example) the interface name and reboot when the script is done.

Create your own ISO

To create your own SELKS 4 preview ISO (if your host OS is Jessie):

git clone https://github.com/StamusNetworks/SELKS.git
git checkout SELKS4-dev
./install-deps.sh
cd /usr/share/live/build/data/debian-cd/ && ln -s squeeze stretch
./build-debian-live.sh

It will take probably 30-40 min and you should end up with the SELKS.iso under the Stamus-Live-Build folder.

Once installed/upgraded
  • Please feel free to choose the IDS sniffing/listening interface either via the desktop icon Setup-IDS-Interface or via the cmd calling /opt/selks/Scripts/Setup/setup-selks-ids-interface.sh
  • Any further upgrades are done via a wrapper script located in /opt/selks/Scripts/Setup/selks-upgrade_stamus.sh
  • Recommended set up for SELKS 4.0RC1 is 2CPUs 5-6Gb RAM
  • If you need to reset/reload all the dashboards  – you can do like so
    • In Scirius on the top left corner drop down menu select System Settings
    • click on the Kibana tab
    • choose Reset SN dashboards

Feedback is welcome

Give us feedback and get help on:

While this test upgrade/installation has been verified and tested and aims at upgrading your current SELKS 3.0 to  SELKS 4.0RC1 please make sure you try it in your test/QA set up first and give us any feedback.

Thank you!

0

Yes, we did it: the most awaited SELKS 3.0 is out. This is the first stable release of this new branch that brings you the latest Suricata and Elastic stack technology.

SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under GPLv3 license.

Suricata page in Scirius

Suricata page in Scirius

Main changes and new features

Suricata 3.1.1

SELKS 3.0 comes with latest Suricata namely 3.1.1 bringing a big performance boost as well as some new IDS and NSM capabilities.

Elasticsearch 2.x and Kibana 4

But the main change in SELKS 3.0 is the switch to the latest generation of the Elastic stack. On user side this means Kibana 3 has been replaced by Kibana 4. And this really means a lot. Kibana 4 is a complete rewrite of Kibana 3 being non backward compatible on data side. So, our team had to redo from scratch all dashboards and visualizations. The result is a new set of 11 ready-to-use dashboards and a lots of visualizations that you can use to build your own dashboards.

Kibana Alert dashboard

Kibana Alert dashboard

correlate-alerts

Complete flow and rule correlation view of an alert

Latest Scirius Community Edition

On the ruleset management side, SELKS 3.0 comes with Scirius Community Edition 1.1.10 that has support for advanced Suricata feature like xbits.

Thresholding

Suppression with Scirius

Thresholding-1

Threshold and suppress ruleset view with Scirius

Thresholding-2

Thresholding with Scirius

Scirius CE also brings thresholding and suppression support as well as an integrated backup system which allows for back up to be done (besides locally) in locations such as :

  • FTP
  • Amazon AWS
  • Dropbox
Evebox

SELKS 3.0 comes with Evebox an alert management/viewer/report interface for Suricata that presents events as a mailbox to provide classification via acknowledgement and escalade.

Mailbox view in Evebox

Mailbox view in Evebox

One of the other interesting features of Evebox is the capability to create and export pcap generated from events:

Pcap-1

Payload pcap generation (Evebox)

Pcap-2

Payload pcap generation (Evebox)

Features list

  • Suricata IDS/IPS/NSM  – Suricata 3.1.1 packaged.
  • Elasticsearch 2.3.5  – latest available ES edition featuring speed, scalability, security improvements and more.
  • Logstash 2.3.4 – performance improvement ES 2.3 compatability, dynamically reload pipelines on the fly and more
  • Kibana 4.5.4 – taking advantage of the latest features and performance improvement of ES
  • Scirius 1.1.10 – support for xbits, hostbits, thresholding, suppression, backup and more
  • Evebox – alert management/viewer/report interface for Suricata/ES  allowing easy export of payload/packets into pcaps
  • 4.4.x longterm kernel – SELKS 3.0 comes by default with 4.4.16 kernel.
  • Dashboards – reworked dashboards with flow and rule correlation capability.

SELKS comes with 11 ready to use Kibana dashboards. More than 190 visualizations are available to mix, match, customize and make your own dashboards as well.

Please feel free to try it out, spread the word, feedback and let’s talk about SELKS 3.0.

To get you started

Once downloaded and installed, you can get access to all components via https://your.selks.IP.here/

The default user and password for both web interface and system is:

  • user: selks-user
  • password: selks-user

The default root password is StamusNetworks.

Please note that in Live mode the password for the selks-user system user is live.

Upgrades

There is no direct upgrade path from SELKS 2.0 to SELKS 3.0 due to a number of breaking and compatibility changes in Elasticsearch 1.x to 2.x and Kibana 3.x to 4.x. The only proposed upgrade path is SELKS 3.0RC1 upgrade to SELKS 3.0

More about SELKS 3.0

0

After some hard team work, Stamus Networks is proud to announce the availability of SELKS 3.0RC1.

SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under GPLv3 license.

This is a the release candidate of a new major branch with an updated storage visualization stack and latest Suricata.

New Features

  • Suricata IDS/IPS/NSM 3.0.x – latest git master suricata packaged.
  • Elasticsearch 2.3  – latest available ES edition featuring speed, scalability, security improvements and more.
  • Logstash 2.3 – performance improvement ES 2.3 compatability, dynamically reload pipelines on the fly and more
  • Kibana 4.5 – taking advantage of the latest features and performance improvement of ES
  • Scirius 1.1.6 – support for xbits, hostbits, thresholding, suppression, backup and more
  • Evebox – alert management/viewer interface for Suricata/ES  allowing easy export of payload into pcaps

SELKS comes with 11 ready to use Kibana dashboards using more than 190 visualisations.

Please feel free to try it out, spread the word, feedback and let’s talk about SELKS 3.0.

Thresholding-2

Thresholding with Scirius

Thresholding

Suppression with Scirius

Thresholding-1

Threshold and suppress ruleset view with Scirius

 

Pcap-1

Payload pcap generation (Evebox)

Pcap-2

Payload pcap generation (Evebox)

 

Dashboard-3

Dashboards

Dashboard-1

Dashboards

 

 

 

To get you started (the download link is below this paragraph):

Once installed in order to upgrade all components follow the guide here.

Usage and logon credentials (OS user)  – user: selks-user, password: selks-user (password in Live mode is live). The default root password is – StamusNetworks

Upon log in double click the Scirius icon on the desktop. Credentials are  – user: selks-user, password: selks-user. In the left upper corner click the drop down menu and choose “ALL” dashboards. Choose default index(click on logstash-* and then the green star) as depicted below. Then choose “Dashboards” and choose your desired dashboards from the 11 available.

enable-index-kibana

 

More about SELKS 3.0RC1

0

 

Stamus Networks is proud to announce the availability of SELKS 2.1  release.

SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under GPLv3 license.

This is a major SELKS upgrade.

New Features

  • Elasticsearch 1.7  – upgrade from 1.5 (security fixes and faster recovery after restart)
  • Scirius 1.1 – upgrade from 1.0 (suricata and logstash performance stats)
  • Logstash 1.5.4 – upgrade from 1.4 (performance improvement
    in JSON handling and better security)

 

Some screenshot examples

Source addition page

Suricata memory usageElasticsearch and Logstash information

 

UPGRADE from SELKS 2.0

For those that use SELKS 2.0 and would like to do an in place upgrade to SELKS 2.1 you can follow THIS GUIDE.

NOTE: Please make sure that you test the upgrade in your test/QA environment first before doing it on your production systems.

Please note that default login/password for HTTPS access (Dashboards or Scirius icons) is selks-user/selks-user.

More about SELKS 2.1

0

Introduction

This is a short tutorial of how you can find and store to disk a self signed TLS certificates with Suricata IDPS and Lua (luajit scripting).

What does self signed TLS certificate mean – the quick version  from Wikipedia here. In other words – “certificate that is signed by the same entity whose identity it certifies” or anyone can create and deploy such a certificate. This kind of events are signed of some poorly setup TLS servers and that’s why it is good to keep an eye on such events in your network for the purpose of contingency monitoring – the very least.

TLS support in Suricata allows you to do match on TLS subject, TLS issuer DN and things like TLS fingerprint. For instance, one can do

alert tls any any -> any any (msg:"forged ssl google user";
            tls.subject:"CN=*.googleusercontent.com";
            tls.issuerdn:!"CN=Google-Internet-Authority"; sid:8; rev:1;)

to detect that the TLS issuer DN is not the one we were waiting for a given TLS subject. But there is no way to compare the two different fields. So how do we catch all those self signed certificates without knowing any details about them and/or any network/domain/port specifics either. And we want them all caught and stored to disk!

This case is one example where the Lua support in Suricata IDPS  shines – more than shines actually because it empowers you to do much more than chasing packet bytes with rule keywords and using PCREs inside a rule – and all those still deliver limited functionality in this particular scenario.

Lua and Suricata

Since version 2.0, Suricata has support for Lua scripting. The idea is to be able to decide if an alert is matching based on the return of a lua script. This script is taking some fields extracted by Suricata (the magic of it all) as parameters and return 1 in case of match and 0 if not. This lua scripting allows rules to implement complex logic that would be impossible with the standard rule language. For instance, Victor Julien was able to write a performant Heartbleed detection with lua scripting in the afternoon (the very same day) the problem/exploit was announced.

The syntax is the following, you prefilter with standard signature language, and you add a lua keyword with parameter being the script to run in case of partial match:

alert tls any any -> any any ( \
    msg:"TLS HEARTBLEED malformed heartbeat record"; \
    content:"|18 03|"; depth:2; lua:tls-heartbleed.lua; \
    classtype:misc-attack; sid:3000001; rev:1;)

For more information on Suricata Lua scripting, please read how to write luascripts for Suricata.

For self signed certificate detection, you need to write a script – shall we say “self-signed-cert.lua” and save it in your /etc/suricata/rules directory. Then you can use it in a rule like so –

alert tls any any -> any any (msg:"SURICATA TLS Self Signed Certificate"; \
  flow:established; luajit:self-signed-cert.lua; \
  tls.store; classtype:protocol-command-decode; sid:999666111; rev:1;)

Now let us explain that in a bit more detail below.

At the time of this writing we are using this branch in particular – TLS Lua rebased . This is going to be merged to the Suricata git (latest dev) soon and later into beta, stable editions.

You need to make sure Suricata is compiled with Lua enabled:

# suricata --build-info
This is Suricata version 2.1dev (rev b5e1df2)
...
Prelude support:                         no
PCRE jit:                                yes
LUA support:                             yes
libluajit:                               yes
libgeoip:                                yes
...

In suricata.yaml make sure the tls section is enabled:

# a line based log of TLS handshake parameters (no alerts)
- tls-store:
  enabled: yes  # Active TLS certificate store.
  certs-log-dir: certs # directory to store the certificates files

We have the following rule file (self-sign.rules) content located in /etc/suricata/rules/ :

alert tls any any -> any any (msg:"SURICATA TLS Self Signed Certificate"; \
  flow:established; luajit:self-signed-cert.lua; \
  tls.store; classtype:protocol-command-decode; sid:999666111; rev:1;)

Make sure you add the rule to your rules files loaded in suricata.yaml and that you copy the associated lua script in the same directory. Here you can find the self-signed-cert.lua script.

Then you can start Suricata IDPS the usual way you always do.

The active part of the lua script is the following:

function match(args)
    version, subject, issuer, fingerprint = TlsGetCertInfo();
    
    if subject == issuer then
        return 1
    else
        return 0
    end
end

When suricata will see a TLS handshake (regardless of IP/port), it will run the Lua script. This one uses the fact that an equality between subject and issuer DN constitutes most of the self-signed certificates. When it finds such an equality it will return 1 and an alert will be generated.

This script is showing a really basic but useful code. However you can use all the power of Lua with the given info to do whatever you want/need.

The result

self-cert-extract

Extracted self signed SSL certificate

Some meta data about the certificate (in /var/log/suricata/certs/ you will find the .meta and pem  files):

TIME:              07/14/2015-14:45:16.757001
SRC IP:            10.0.2.15
DST IP:            192.168.1.180
PROTO:             6
SRC PORT:          49966
DST PORT:          443
TLS SUBJECT:       C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
TLS ISSUERDN:      C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
TLS FINGERPRINT:   80:e7:af:49:c3:fe:9a:73:78:29:6b:dd:fd:28:9e:d9:c9:15:3e:18

 

Further more from the alert info in JSON format (/var/log/suricata/eve.json log) we also have extra TLS info for the generated alert :

{"timestamp":"2015-07-14T14:45:18.076794+0200","flow_id":137451536,"in_iface":"eth0",
"event_type":"alert","src_ip":"192.168.1.180","src_port":443,"dest_ip":"10.0.2.15","dest_port":49966,"proto":"TCP","alert":
{"action":"allowed","gid":1,"signature_id":999666111,"rev":1,"signature":"SURICATA TLS Self Signed Certificate","category":"Generic Protocol Command 
Decode","severity":3},"tls":{"subject":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS","issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, 
CN=SELKS","fingerprint":"80:e7:af:49:c3:fe:9a:73:78:29:6b:dd:fd:28:9e:d9:c9:15:3e:18","version":"TLS 1.2"}}

To get the extra TLS info in the JSON alert you need to enable it in the suricata.yaml like so:

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream
      filename: eve.json
      types:
        - alert:
            #payload: yes           # enable dumping payload in Base64
            #payload-printable: yes # enable dumping payload in printable (lossy) format
            #packet: yes            # enable dumping of packet (without stream segments)
            http: yes              # enable dumping of http fields
            tls: yes               # enable dumping of tls fields <<---
            ssh: yes               # enable dumping of ssh fields

so you can get all the JSON data in Kibana/Elasticsearch as well.

Conclusion

If you would like to learn more about what can you do with Lua and Suricata IDPS, those links below will put you off to a good start:

0

Stamus Networks is proud to announce the availability of SELKS 2.0  release.

SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under GPLv3 license.

This is a major SELKS upgrade.

New Features

  • Debian Jessie based  – With Debian Jessie  being released last week  – 25 April   SELKS makes the switch as well (from Debian Wheezy and 3.2 kernel). The new Debian release Jessie will enable SELKS for much better HW compatibility, new kernel 3.16 and all the performance improvements, features and benefits with it right out of the box.
  • Elasticsearch 1.5  – upgrade from 1.4
  • Scirius 1.0 – upgrade from 1.0rc3

 

Some screenshot examples

Scirius

SELKS2.0-Scirius-2

Screenshot from 2015-04-20 22:07:08

IDS/IPS dashboards
SELKS2.0-1

12 ready to use IDS/IPS dashboards

VLAN3

By VLAN break down File Transactions/SSH

VLAN2

By VLAN break down DNS/TLS

SMTP-Attachments

By file attachment breakdown SMTP

VLAN1

By VLAN break down Alerts/HTTP

UPGRADE from SELKS1.2

For those that use SELKS 1.2 and would like to do an in place upgrade to SELKS 2.0 you can follow THIS GUIDE.

NOTE: Please make sure that you test the upgrade in your test/QA environment first before doing it on your production systems.

Please note that default login/password for HTTPS access (Dashboards or Scirius icons) is selks-user/selks-user.

More about SELKS 2.0

0

Stamus Networks is proud to announce the availability of SELKS 2.0 BETA1 release. With Jessie getting a target release date for 25 April 2015  SELKS will make the switch as well. The new Debian release Jessie will enable SELKS for much better HW compatibility, new kernel (3.16) and all the performance improvements, features and benefits with it right out of the box.

SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under GPLv3 license.

Please give it a try and do not hesitate to feed back!

SELKS2.0Beta1-1

 

 

Download SELKS 2.0 BETA1

More information: Howto and README

Follow us on Twitter, Google+ and Github

Get help at Freenode IRC on the #SELKS channel and/or  Google Mailing list.

 

0

Stamus Networks is proud to announce the availability of SELKS 1.2 stable release. SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under GPLv3 license.

New features:

  • Suricata 2.1beta3  – Lua support for Stats output and Modbus parsing and matching as additional main features
  • Scirius 1.0-rc2 rule manager
  • Elasticsearch 1.4.3  – upgrade from 1.1.2
  • New Desktop icons – easy access to Dashboards and Scirius
  • Conkya free, light-weight system monitor for X, that displays any information on your desktop.”

 

system-status-scirius

Desktop-SELKS1.2

Desktop icons and Conky

You can download SELKS 1.2 from Stamus Networks’ open source page. Happy users of SELKS 1.1 can upgrade to SELKS 1.2 by using the traditional apt-get update && apt-get dist-upgrade. Please note that default login/password for HTTPS access (Dashboards or Scirius icons) is selks-user/selks-user.

NOTE – Elasticsearch upgrade for SELKS

If you were running Elasticsearch 1.1.2 with SELKS 1.1 this is the way to upgrade to Elasticsearch 1.4.3:

make sure your /etc/apt/sources.list.d/elasticsearch.list  looks like so

root@SELKS:~# cat /etc/apt/sources.list.d/elasticsearch.list
deb http://packages.elasticsearch.org/elasticsearch/1.4/debian stable main
deb http://packages.elasticsearch.org/logstash/1.4/debian stable main

then run

apt-get update && apt-get dist-upgrade

Please make sure you consider some testing/verification for ES in a QA/test environment before doing the upgrade in the production environment.

Download SELKS 1.2

More information: Howto and README

Follow us on Twitter, Google+ and Github

Get help at Freenode IRC on the #SELKS channel and/or  Google Mailing list.