Our Blog

0

eBPF and XDP support is one of the latest evolutions of the Suricata engine’s performance capabilities. These two technologies have been introduced recently for the Linux kernel and Suricata is one of the first well established and mature projects to make use of them. eBPF was introduced in the Linux kernel to be able to run user provided code safely inside the Linux kernel and XDP is running eBPF code on the network data path, as close as possible to the Network Interface Card.

The initial support for eBPF and XDP was initially available in Suricata’s 4.1, released in November 2018, and it has been greatly enhanced in Suricata 5.0. The development team at Stamus Networks, lead by Éric Leblond, has been the primary developer of eBPF and XDP support within Suricata. The latest additions, list of features and potential use cases enabled by eBPF and XDP are becoming more significant, even vital, making this an opportune time to provide a high level overview for the community. This is the purpose of this article written by Éric Leblond and Peter Manev.

Download the whitepaper: Introduction to eBPF and XDP support in Suricata

Stamus Networks

Stamus Networks has created a Network Traffic Analyzer (NTA), which uses network communications as a foundational data source for detecting security events, and married it with an Intrusion Detection System (IDS), which provides deep packet inspection of network traffic using a rules based engine. The combination of these two approaches, done simultaneously in a single solution, provides a level of correlated data never previously achieved. We then added a Threat Hunting interface to allow security practitioners the ability to quickly and efficiently search through this security data to examine, validate, and resolve the security incidents that they face on a daily basis.

Suricata

Suricata is a free and open source, mature, fast and robust network threat detection engine.
The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.

Suricata’s fast paced community driven development focuses on security, usability and efficiency. The Suricata project and code is owned and supported by the Open Information Security Foundation (OISF), a non-profit foundation committed to ensuring Suricata’s development and sustained success as an open source project.

0

SELKS 5 is out! Thank you to the whole community for your help and feedback! Thank you to all the great Open Source projects and tools mentioned below for making it possible to showcase Suricata with this new release.

All components have been upgraded in this release to the latest version available but this is not the main improvement. SELKS is now able of doing Full Packet Capture thanks to Suricata and Moloch and benefit from an upgraded Scirius CE adding a new threat hunting interface.

Alert metadata in Scirius Hunting interface

Moloch addition allows the user to investigate and explore captured data via the Moloch viewer that provide an intuitive interface. The new Scirius threat hunting interface proposes a drill-down approach that allow to quickly find relevant alerts in a haystack and start investigation by what matter.

Features, fixes and major improvements:

  • The whole stack has been upgraded
    • Over 21 new dashboards
    • Hundreds of visualizations
    • New Threat Hunting interface
    • Full Packet Capture possibility
  • Elasticsearch 6.7.1
  • Logstash 6.7.1
  • Kibana 6.7.1
  • Moloch 1.8.0  –  The new SELKS makes use of Moloch and Moloch viewer to parse and view the full packet capture done by Suricata. Moloch comes with an arsenal of tools and features on its own like:
    • CyberChef
    • Extremely flexible and easy to use interface for FPC drill down, filtering, search and pcap export
  • Scirius 3.2.0 CE
      • Threat Hunting based on Suricata’s alerts metadata
      • Administration, ruleset and threat hunting management
      • Any field and action are selectable and searchable
      • Order and set up your own threat hunting dashboard in seconds with drag and drop functionality

TLS Server Name Identification

HTTP UserAgent selection

 

Easily select and filter on any metadata

Easily select and filter on any metadata

 

  • Suricata  – latest git edition anytime available.
  • SELKS scripts upgrade
    • available now system wide in “/usr/bin”
    • Full packet Capture retention policy – thanks Joren0494 !
    • selks-health-check_stamus  – SELKS health check script
  • Debian – always thankful !
  • EveBox – always the latest and very thankful for your support and extremely fast bug fixing and feature addition

More  screenshots of SELKS 5 release 

SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under GPLv3 license.

Download

To download SELKS 5, pick one of the two flavors:

SELKS with desktop
  • HTTP: SELKS-5.0-desktop.iso
  • Sha256sum: 60c52286df9d1d250efac3f24644bd5b59bf5728d2c50bd722d8e4c9e8ce2089
SELKS without desktop

Usage

You can find the first time set up instructions on our SELKS 5.0 wiki page.

SELKS 4 user can upgrade their running systems using the following Upgrade instructions.

Feedback is welcome

Any feedback as always is greatly appreciated! 🙂

Give us feedback and get help on:

While this test upgrade/installation has been verified and tested please make sure you try it in your test/QA set up first.

Thank you!

 

0

Hi!
Yet another upgrade of our SELKS. We are very thankful to all the great  Open Source projects and tools for making it possible to showcase Suricata with our new distro.
Features and fixes post SELKS 5 Beta :

  • Elasticsearch 6.5.3
  • Logstash 6.5.3
  • Kibana 6.5.3
  • Moloch 1.6.2  –  The new SELKS makes use of Moloch and Moloch viewer to parse and view the full packet capture done by Suricata. Moloch comes with an arsenal of tools and features on its own like:
    • CyberChef
    • Extremely flexible and easy to use interface for FPC drill down, filtering,search and pcap export
  • Scirius 3.1.0 CE
    • Administration, ruleset and threat hunting management
    • Blazing fast drill down and search capability through millions of events with milliseconds response time
    • Easy filter and grouping of alerts
    • Any field and action is selectable and searchable
    • Select or negate filter
    • Order and set up your own threat hunting dashboard in seconds with drag and drop functionality
    • Scirus Alerting rules event details

      Scirus Alerting rules event details

  • Suricata  – always latest git edition and features available.
  • SELKS scripts upgrade
    • available now system wide in “/usr/bin”
    • Full packet Capture retention policy – thanks Joren0494 !
  • Thank you for all the major community contributors form the community
  • Debian – always thankful !
  • EveBox – always the latest and very thankful for your support and extremely fast bug fixing and feature addition

Read more about the features and browse through screenshots of major SELKS 5 release 

SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under GPLv3 license.

Download

To download SELKS 5, pick one of the two flavors:

SELKS with desktop
  • HTTP: SELKS-5.0RC1-desktop.iso
  • MD5sum: 192aa38436dcee6c98a6ae36d9e3b7df
  • Sha1sum: f48c0fe1edaaa8817c0a9043cb29e3edee4af93e
  • Sha256sum: 9f55a9ff4ee5c4c3c67646d0d5ae4e343f01f6abaf8e433ee9e3e78426c2f3e7
SELKS without desktop
  • HTTP: SELKS-5.0RC1-nodesktop.iso
  • MD5sum: 27733887bd1ad20c61d9be4973a66074
  • Sha1sum: dde637f8639254879ada06b9b68e691c3c904748
  • Sha256sum: b32370a35785f336d863d763372820ec13987c3a83a974f26d849eb81f721f4f

Usage

You can find the start instruction including the initial setup script usage on SELKS 5.0 wiki page.

SELKS 4 user can upgrade their running systems using the following Upgrade instructions.

Feedback is welcome

Any feedback as always is greatly appreciated! 🙂

Give us feedback and get help on:

While this test upgrade/installation has been verified and tested please make sure you try it in your test/QA set up first.

Thank you!

 

0

Hey! Our new and upgraded showcase for Suricata has just been released – SELKS5 Beta. Thanks to lots of help from the community and dev work we are pleased to announce the first beta release of our new SELKS5.

Our major new features and additions include :

  • Suricata IDS/IPS/NSM 4.1-dev – latest Suricata packaged with new and enabled features like
    • Full Packet Capture enabled on SELKS  – yes, Suricata can do FPC as well.
    • Rust enabled
      • new protocols SMBv1/2/3, NFSv4, Kerberos, FTP, DHCP, IKEv2
      • more possibility for file extraction – SMTP/HTTP/SMB/NFS/FTP
    • Hyperscan enabled for extra performance boost.
  • Major upgrade from Elasticsearch/Kibana/Logtsash (ELK) 5.x to the ELK 6 stack making available a ton of new features and enhancements.
  • Scirius 3.0
    • New Hunt interface allowing for fast drill down approach enabling of filtering out the noise and concentrating on threats in seconds
    • Grouped rules factorization via usage of IP reputation feature of Suricata

  • Evebox – bugfixes and parsing improvements.
  • Debian – our favorite OS
  • Moloch  –  The new SELKS makes use of Moloch and Moloch viewer to parse and view the full packet capture done by Suricata. Moloch comes with an arsenal of tools and features on its own like:
    • CyberChef
    • Extremely flexible and easy to use interface for FPC drill down, filtering,search and pcap export

As always we are very thankful to the above Open Source projects and tools for making it possible to showcase Suricata and our new distro

SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under GPLv3 license.

Download

To download SELKS 5, pick one of the two flavors:

SELKS with desktop
  • HTTP: SELKS-5.0beta1-desktop.iso
  • MD5sum: af4ae135dd60baea7183ac5bdb4a5863
  • Sha1sum: 878348effeefda387677002cb0d1aab529752ad3
  • Sha256sum: d6cf5e0bd583315e9b10229a1c73938087e3377997317ceed508fc55e5239c19
SELKS without desktop
  • HTTP: SELKS-5.0beta1-nodesktop.iso
  • MD5sum: 3bfbb8cf626f0f2979f02148c2bad4f5
  • Sha1sum: 80d0b855608ad458781478d1e2e9fd41c56b0c06
  • Sha256sum: 34019555e07e0cf47b3fb1e260f7c0b024553267338f02df8f949a1ef208741f

Usage

You can find the start instruction including the initial setup script usage on SELKS 5.0 wiki page.

SELKS 4 user can upgrade their running systems using the following Upgrade instructions.

Visual tour

Some visuals to give you a glimpse of the things you can do with SELKS.

Scirius landing page - Administer, Hunt, Search, Drill down and filter, Correlate events and FPC

Scirius landing page – Administer, Hunt, Search, Drill down and filter, Correlate events and FPC

21 ready to use Kibana dashboards consisting of over 200 visualizations

21 ready to use Kibana dashboards consisting of over 200 visualizations

Moloch Suricata Plugin

Moloch Suricata Plugin

Moloch and CyberChef navigation, drill down and display

Moloch and CyberChef navigation, drill down and display

TLS GeoIP and sni breakdown

TLS GeoIP and sni breakdown

TLS version and sni

TLS version and sni

TFTP GeoIp and events over time

TFTPGeoIp and events over time

SSH proto fields and geoIP visualizations

SSH proto fields and geoIP visualizations

SMTP Geoip events

SMTP Geoip events

SMB Proto fields

SMB Proto fields

SMB Alert trends

NFS protocol fields visualizations

NFS protocol fields visualizations

KRB5 protocol fields visualizations

KRB5 protocol fields visualizations

KRB5 alerts trending, sources and GeoIP

KRB5 alerts trending, sources and GeoIP

IKEv2 GeoIP and events trending

IKEv2 GeoIP and events trending

IKEv2 protocol fields break down

IKEv2 protocol fields break down

NSM and IDS time series

NSM and IDS time series

Rich HTTP details correlation and FPC

Rich HTTP details correlation and FPC

HTTP protocol data and GeoIP visualizations

HTTP protocol data and GeoIP visualizations

Fileinfo break don by protocols

Fileinfo break don by protocols

DNS protocol visualizations by fields

DNS protocol visualizations by fields

DNS Heat maps

DNS Heat maps

DNP3 event details correlation and FPC

DNP3 event details correlation and FPC

DNP3 protocol fields and sources info

DNP3 protocol fields and sources info

DHCP protocol fields visualizations, events correlation and FPC availability

DHCP protocol fields visualizations, events correlation and FPC availability

Application layer protocols breakdown

Application layer protocols breakdown

Application layer protocols breakdown -2

Application layer protocols breakdown -2

Application layer protocols breakdown -3

Application layer protocols breakdown -3

Per VLAN details and visualizations

Per VLAN details and visualizations

Per alert event details, metadata, correlation and FPC

Per alert event details, metadata, correlation and FPC

Helpful NSM birds eye views and selections

Helpful NSM birds eye views and selections

Alert event break down by protocol and GeoIP visualization

Alert event break down by protocol and GeoIP visualization

TrafficID

TrafficID

Moloch visualizations, easy filtering and drill down

Moloch visualizations, easy filtering and drill down

Moloch per flow/session visualizations, easy filtering and drill down

Moloch per flow/session visualizations, easy filtering and drill down

 

Feedback is welcome

Any feedback as always is greatly appreciated! 🙂

Give us feedback and get help on:

While this test upgrade/installation has been verified and tested please make sure you try it in your test/QA set up first.

Thank you!

 

 

 

 

Following the release of Scirius Community Edition 2.0, Stamus Networks is happy to announce the availability of Scirius Enterprise Edition U29. It is using the ruleset management capabilities of Scirius CE 2.0 so new features such as transformations and public sources are available.

This release continues on the redesign of the interface done with Scirius CE. The landing page for the appliances management has been modified to offer a list of appliances with a number of filtering and ordering options.

This list has expandable items so it is easy to get information about one specific probe:

The asynchronous tasks display has also been redesigned with the same consistent approach:

If we have been busy in the design, the U29 release also comes with three exciting new functional features: REST API, VPN based probes and device monitoring dashboards.

The REST API is allowing third party application to query and modify the objects defined in scirius:

Applications like SIEM would benefit of that as it will enable powerful integration.

The VPN based probes is a big change as it allows to have probes that can connect to SEE from behind private networks/NAT/Firewalls. There is no need anymore of direct connectivity from Scirius to the probe.

The monitoring dashboard is available for Scirius Enterprise itself and for the managed Stamus Probes. It gives key indicator of the health of the devices:

Feel free to contact us if ever you want more information about our products. We will be happy to set up a demo and answer any of your questions.

Stamus Networks is proud to announce the availability of Scirius Community Edition 2.0. This is the first release of the 2.0 branch that features a brand new user interface and new features such as lateral movement and target transformations. Both modify signatures to improve them. Lateral movement uses an algorithm to enlarge the signature IP address filter to detect attacks in the internal networks. Target transformation implement an other algorithm to add target keyword to signatures thus helping to find and visualize attack paths.

Scirius 2.0.0 now features an automated addition of any of the sources defined in the public ruleset list published by the OISF:

So you can now add to your ruleset a new feed/source in two clicks. That’s really easier compared to the form based method where a series of fields as to be entered. The addition process itself is also faster. The parsing and update time of a ruleset like ET Pro has been improved to be three times faster in this version.

As you may have noticed, Scirius 2.0.0 interface is really different from one from the previous versions:

Scirius is now using the Patternfly framework to provide a consistent interface and usability oriented components. Usability has also been improved by the integration of the documentation in the interface.

On Suricata related side, the most important change is the handling of transformations. Scirius can now modify the signatures through a transformation:

Currently two transformations are available and they aim at making Suricata’s detection capabilities stronger:

Lateral Movement

Lateral movement transformation modifies signatures to have them detect lateral movement. As signatures are often written with the EXTERNAL_NET and HOME_NET variables, this means they won’t match if both sides of a flow are in the HOME_NET. Thus, lateral movements are not detected. This transformation changes EXTERNAL_NET to any to be able to detect lateral movements. Scirius propose per ruleset, per categories and per signature changes. One of the value proposed is auto that use an algorithm that trigger the substitution if the signature verifies some properties.

Target Keyword

The second substitution is the addition of the target keyword donated by Stamus Networks. Available since Suricata 4.0, the target keyword can be used to tell which side of a flow triggering a signature is the target. If this key is present then related events are enhanced to contain the source and target of the attack. Once more the user can choose the value of the option or let Scirius determine what side to use via an algorithm using signature properties.

For the eye candy fans, pktcity is now part of Scirius. This 3D webGL visualization interface is now available as part of the new dashboards:

Finally, for the list addicts, here is Scirius 2.0.0 changelog:

  • Rule transformation with lateral movement and target
  • Support of OISF public sources for easier setup
  • Convert documentation to sphinx and integrate it in interface
  • Rework of interface with Patternfly components
  • Link to Onyphe to get IP informations
  • Rules parsing optimization
  • More dashboards including pktcity webGL visualization
  • Initial REST API to interact with Scirius from outside

Scirius 2.0.0 is available on github. Debian packages for SELKS are also available. Users of Scirius Enterprise Edition will get access to this feature in the upcoming 29 release.

0

This first edition of SELKS 4 is available from Stamus Networks thanks to a great and helpful feedback from our open source community – Thank you! This new major release features a version jump for all the main software stacks. Suricata switches from 3.2 to 4.0, Elastic stack is ugpraded from 2.5 to 5.5 and even Debian is now Stretch, the latest stable release.

SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under GPLv3 license.

This is a major new release featuring all components upgrade and of course latest Suricata.

New Features

  • Suricata IDS/IPS/NSM 4.0.x – latest Suricata packaged with Hyperscan enabled for extra performance boost. The latest edition of Suricata among many fixes and improvements includes:
    • extra alert data like for example http body added to the alert json logs wherever available
    • protocol renegociation which means STARTTLS and CONNECT support
  • Major upgrade from Elasticsearch/Kibana/Logtsash (ELK) 2.x to the ELK 5 stack making available a ton of new features and enhancements.
  • Scirius 1.2.4 – bugfixes, better correlation capability with EveBox and introduction of IPS rules support.
  • Evebox – many new features including reporting and comments on the log events.
  • Debian Stretch – All new OS features, kernel and tools.

As always – as a Stamus Networks extra sauce the latest stable kernel (4.12.8 at the time of this writing) is available for install if you wish.

Download

To download SELKS 4:

  • SELKS with desktop: Torrent, HTTP (MD5sum: 70783e4d441932103c3410c0b778b401)
  • SELKS without desktop: Torrent, HTTP (MD5sum: 335e31cd2b3a864f432c7d57efe007cd)

Usage

To remotely access the web management interface :

  • https://your.selks.IP.here/ – Scirius ruleset management and a central point for all dashboards and EveBox alert and event management.

Usage and logon credentials (OS and web management user)

  • user: selks-user
  • password: selks-user (password in Live mode is live)

The default root password is StamusNetworks

Visual tour

Some visuals to give you a glimpse of the things you can do with SELKS.

Scirius – ruleset manager and dashboard central management console.

Scirius – rule availability by ruleset information.

Scirius- “google” search your rules

Dashboards – mail attachments

Dashboards – mail application supplemental info

Dashboards – DNS geoip heat map

Dashboards – VLAN supplemental info

Dashboards – availability of full events correlation via EveBox and Scirius

Dashboards – extra http data for better visibility.

Dashboards – ssh data available for drill/break downs as well.

Dashboards – dns events at a glance

Dashboards – alert supplemental log information.

EveBox reporting

Dashboards – valuable break down of alert data information.

Dashboards – break down of http user agents that have generated alerts

EveBox – alert comments availability.

 

 

Howto

Upgrade from SELKS 3

To upgrade your existing SELKS 3 to SELKS 4 preview, please refer to SELKS-3.0-to-SELKS-4.0-upgrades wiki page.

Create your own ISO

SELKS 4 is available for download ready to use (as explained at the beginning of the article).

However – if you want to you can create and/or customize your own SELKS 4 ISO

Once installed
  • Please refer to Initial Setup section of the documentation
  • Keep your SELKS up to date
  • Recommended initial set up for SELKS 4.0 is 2CPUs 5-6Gb RAM
  • If you need to reset/reload all the dashboards  – you can do like so
    • In Scirius on the top left corner drop down menu select System Settings
    • click on the Kibana tab
    • choose Reset SN dashboards

Feedback is welcome

Any feedback as always is greatly appreciated! 🙂

Give us feedback and get help on:

Thank you!

0

Suricata 4.0 is out and this switch from 3.x to 4.x is not marketing driven because the changes are really important. This post is not exhaustive on changes. It is Stamus Networks’ take on some of the important changes that have been introduced in this version.

Rust addition

This is the big step forward on the technology side. Suricata is written in C language. This gives performances and a good control over memory. But it goes with a series of well known problems. I name here buffer overflows, use after free, …

And the worse is that Suricata is parsing traffic content which is a kind of vice supercharged user input. If one should not trust user input, guess how careful we should be with network traffic. At Suricon 2016, Pierre Chifflier did present a proof of concept implementation of protocol parsers in Rust. The idea is to use the property of Rust that has been designed to avoid complete class of attacks on memory handling. But there is more in the approach as the implementation is using Nom which is a Rust parser combinator framework. It allows you to write protocol parser easily and in a reusable way. Thus the addition of Rust is two things at the same time: more security and easier code. Which means a lot of new protocols should be added in the near future.

Suricata 4.0 Rust support comes with NFS, DNS and NTP. NTP support is implemented via an external crate (read library): ntp-parser.

As mentioned before, the code uses Nom and the syntax is very different from traditional code. For instance, here is the code of ntp-parser parsing NTP extension:

named!(pub parse_ntp_extension,
    do_parse!(
           ty: be_u16
        >> len: be_u16 // len includes the padding
        >> data: take!(len)
        >> (
            NtpExtension{
                field_type:ty,
                length:len,
                value:data,
            }
        ))
);

This define a parsing function that read the stream of data. The code says, take 16 bits, store them as unsigned integer in ty. Then store the next 16 bits as unsigned integer in len. Then store in data a chunck of data of length len. And with that build a NTP extension structure. If the writing is concise and efficient, the best thing with Nom is under the hood. Nom is taking care of detecting the invalidities. For instance we could have a chunck of data of length 50, and len being set to 1000 (remember Heartbleed ?). Nom will see that there is not enough data available in the chunck and return it wants more data.

Better alerts

As you may know, the preferred output of Suricata is the EVE JSON format. It is flexible, easy to extend and easy to read by human and tools. Suricata 4.0 is introducing some major changes here:

  • ‘vars’ extraction mechanism
  • The new target keyword
  • HTTP bodies logging
HTTP body output

Suricata is able to uncompressed HTTP body on the fly and match on the uncompressed content. This means that if you get the payload of the stream triggering the alert in your event, you will just see compression noise and won’t be able to analyze why the alert was triggered. Suricata is now able to include the HTTP bodies in the alert. The analyst can then directly see from the event the content that did trigger the alert.

The following event shows how payload_printable is completely compression noise and the http_response_body_printable is readable:

Target keyword

The new target keyword is a fix on a very old problem. It is not possible to know in an alert event which side of the source or destination is the target of the attack. This is a problem as it is not possible to automate things due to that lack of information. The target keyword allow the rules writer to specify which is side is the target. Doing so automated analysis and better visualization can be made.

Usage is simple, signature has to contain the target keyword with value dest_ip or src_ip. For example, in a simple scan alert we have:

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET POLICY Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; target: dest_ip; sid:2010937; rev:2;)

If target is present in a signature, the alert is added an alert.source and alert.target field:

For example, on a visualization where node are IP address and links are alerts between the two, we can get an idea of the possible compromised path. With the target addition, we can switch from a non oriented graph:

To an oriented graph that show which paths were really possible:

If you know French, you can learn more about this subject with Eric Leblond’s talk at SSTIC 2017.

Vars extraction

This is one of the most expected feature of Suricata 4.0. This has been described by Victor Julien in an extensive blog post. The concept is to be able to define in signature data to extract and store them in a key value form. There is a lot of possible usage ranging from application version extraction to getting exfiltred data. For example, let’s consider there is a domain we are interested in. One interesting information is the list of email addresses where mail are sent to. To do so we can use the following signature:

alert smtp any any -> any any (msg:"Mail to stamus"; content:"rcpt to|3A|"; nocase; content:"stamus-networks.com"; within: 200; fast_pattern; pcre:"/^RCPT TO\x3a\s*<([\w-\.]+@stamus-networks.com)>/ism pkt:email"; flow:established,to_server; sid:1; rev:1;)

The magix here is the groupe in the regular expression ([\w-\.]+@stamus-networks.com) that is save in a packet var named email by the pkt:email in the regular expression definition.

Using that signature we get this kind of alerts:

The key point here is the vars sub object:

  "vars": {
    "pktvars": [
      {
        "email": "eleblond@stamus-networks.com"
      }
    ]
  },

We have an extraction of the data and this can be easily search by tool like Elasticsearch or Splunk.

Conclusion

Suricata 4.0 is really an important milestone for the project. Introduction of Rust is opening a really interesting path. The alerts improvement may change the way signatures are written and it will help to provide really accurate information to the analysts.

Suricata 4.0 is already available in SELKS and it will be available in Stamus Probe by the end of August. To conclude on a personal note, we, Stamus Networks, are really happy to have contributed to this release with features such as via HTTP body logging and target keyword.

0

After a very valuable round of testing and feedback from the community  we are pleased to announce the SELKS 4 RC1 availability.

SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under GPLv3 license.

This is a the release candidate of a new major branch with an updated storage visualization stack and latest Suricata.

New Features

  • Suricata IDS/IPS/NSM 4.0.x – latest git master Suricata packaged with Hyperscan enabled for extra performance boost. This edition of Suricata besides many improvements and bug fixes also includes extra alert data like for example http body added to the alert json logs wherever available.
  • Elasticsearch 5.5.0  – part of the ELK5 stack upgrade making available a ton of new features and enhancements.
  • Logstash 5.5.0 – performance improvement over 2.x and ES5 compatibility.
  • Kibana 5.5.0 – taking advantage of the latest dashboarding features of ES.
  • Scirius 1.2.2 – bugfixes, better correlation capability with EveBox and introduction of IPS rules support.
  • Evebox – many new features including reporting and comments on the log events.
  • Debian Stretch – All new features, kernel and tools.

EveBox

Alert event with a comment field.

Kibana

Verbose HTTP logging

Kibana

GeoIP heat maps

EveBox

Supplemental alert data logging

 

Download

To download SELKS4-RC1:

Usage

Usage and logon credentials (OS and web management user)

  • user: selks-user
  • password: selks-user (password in Live mode is live)

The default root password is StamusNetworks

To remotely access the web management interface :

  • https://your.selks.IP.here/ – Scirius ruleset management and a central point for all dashboards and EveBox alert and event management.

Howto

Upgrade

To upgrade your existing SELKS 3 to SELKS 4 preview, please refer to SELKS-3.0-to-SELKS-4.0-upgrades wiki page.

It is recommended to follow the onscreen instructions and if needed answer “yes” to all changes. At the end of the upgrade you will be asked to enter the interface that you will use for IDS/sniffing. Please enter (eth0 for example) the interface name and reboot when the script is done.

Create your own ISO

To create your own SELKS 4 preview ISO (if your host OS is Jessie):

git clone https://github.com/StamusNetworks/SELKS.git
git checkout SELKS4-dev
./install-deps.sh
cd /usr/share/live/build/data/debian-cd/ && ln -s squeeze stretch
./build-debian-live.sh

It will take probably 30-40 min and you should end up with the SELKS.iso under the Stamus-Live-Build folder.

Once installed/upgraded
  • Please feel free to choose the IDS sniffing/listening interface either via the desktop icon Setup-IDS-Interface or via the cmd calling /opt/selks/Scripts/Setup/setup-selks-ids-interface.sh
  • Any further upgrades are done via a wrapper script located in /opt/selks/Scripts/Setup/selks-upgrade_stamus.sh
  • Recommended set up for SELKS 4.0RC1 is 2CPUs 5-6Gb RAM
  • If you need to reset/reload all the dashboards  – you can do like so
    • In Scirius on the top left corner drop down menu select System Settings
    • click on the Kibana tab
    • choose Reset SN dashboards

Feedback is welcome

Give us feedback and get help on:

While this test upgrade/installation has been verified and tested and aims at upgrading your current SELKS 3.0 to  SELKS 4.0RC1 please make sure you try it in your test/QA set up first and give us any feedback.

Thank you!

Stamus Networks is proud to announce the availability of Scirius 1.2.0. This release of our Suricata ruleset management interface comes after 4 months of development bringing two new major features: rules transformations to manage IPS and users activity logging to ease collaboration.

Rules transformation

With rules transformations, Scirius can now manage Suricata in IPS mode but also add the filestore option to specific rules allowing the user to transform existing rules coming from feed in rules realizing file extraction.

A signature can be transformed per ruleset to a drop or reject rule as shown in the following capture:

The filestore transformation will trigger file extraction by Suricata in case of alert. This allows user to have file extraction without the need of cloning existing rules.

User activity logging

The second big new feature is user activity logging. It is now possible to comment actions. A team collaboring on the same Scirius can now comment actions such as disabling a rule or adding a threshold.

It is also possible to simply comment on a rule.

All these features are already available in Scirius Enterprise and Amsterdam and will be available in SELKS in the coming days.