
Stamus Networks is proud to announce the availability of version 1.0-beta1 of Scirius, our web interface for Suricata ruleset management. This new release is a huge step toward the 1.0 release, as it contains a lot of new features and improvements. You can download it from the Github download page.

The most visible update is the new design of the interface. It has been completely redesigned using the Bootstrap CSS framework.

Screenshot from 2014-11-12 10:45:55

But the first change users will notice is that authentication and user management are now enabled by default. Scirius is now multi-user and features three levels of permissions, from read-only to superuser.

Another new feature is the display of graphs on some pages, built from Elasticsearch data. For example, the next screenshot shows the detail of a rule; a graph has been added to show the activity for that specific rule:

Screenshot from 2014-11-12 10:46:46

The interface is now more responsive, as asynchronous requests are used to interact with Elasticsearch. This guarantees a responsive interface even if your Elasticsearch is slow.

SELKS users can upgrade to Scirius 1.0-beta1 via apt-get update && apt-get dist-upgrade. Please note that the default user/password on SELKS is selks-user/selks-user. Do not forget to change it after the first login.


Stamus Networks supports its own generic and standard Debian Wheezy 64 bit packaging repositories for

These repositories provide Debian packages for the newest Suricata IDS/IPS and htp releases and the newest long-term stable kernel version. SELKS already includes those repositories under /etc/apt/sources.list.d/selks.list.

You can use them as follows:

wget -O - -q http://packages.stamus-networks.com/packages.stamus-networks.com.gpg.key | apt-key add - && \
apt-get update

Then you can add the following:

deb http://packages.stamus-networks.com/debian/ wheezy main
deb http://packages.stamus-networks.com/debian-kernel/ wheezy main

in /etc/apt/sources.list.d/stamus.list for example.

The repositories contain packages for the long-term stable kernel version, so if you would like to upgrade to the latest long-term supported kernel you can just do (on Debian):

apt-get update && apt-get upgrade
apt-get install linux-libc-dev linux-headers-3.14.19-stamus linux-image-3.14.19-stamus

Kernel Packages

Kernel Upgrade

Verification

Those repos are included by default in SELKS.

Another example:

apt-get install suricata

After giving a talk about malware detection and Suricata, Eric Leblond gave a lightning talk to present SELKS at the hack.lu conference.

Screenshot from 2014-10-23 13:46:02

You can download the slides here: 2014 hacklu selks

Introduction

SELKS 1.0 features a privacy dashboard, focusing on the HTTP and TLS protocols. Its data source is the events generated by Suricata for these two protocols. The goal of this dashboard is to show the interactions between websites. For example, you will see in the following video that opening elysee.fr, the French president's website, triggers the opening of pages on Facebook and Google Analytics. This means that both Facebook and Google know you went to the presidential website.

Setup

The demonstration setup is simple, as we are browsing the web from the virtual machine itself; this was done because it was easier to record the screencast that way. But the most interesting setup consists in sniffing the traffic of the physical host from SELKS running in the virtual machine. This way, SELKS will analyse your local traffic and you will be able to see in SELKS all the events coming from your real internet life.

The setup is simple. In VirtualBox, go to the machine details and click on Network. Then choose to bridge your physical network interface and allow promiscuous mode on the interface:

Screenshot from 2014-10-19 12:10:43

Demonstration

Watch the following video to discover how this dashboard can be used:

Another way to use this privacy dashboard is to use one of the filters. For instance, if we filter on http.http_refer:"http://www.whitehouse.gov" we get a dashboard containing all HTTP events whose referrer is the US president's website. So if you look at the hostnames on the following screenshot, you will see that going to whitehouse.gov also leads you to external websites:

Whitehouse links

My favorite in this list is www.youtube-nocookie.com, but something like cloud.typography.com is really interesting too: even a website like whitehouse.gov no longer hosts its own fonts.

The privacy dashboard also contains TLS information extracted by Suricata. It lists TLS connections made to well-known websites such as Facebook, Twitter or Google. For example, we can see that going to CNN causes some TLS hits on Twitter and Facebook.
Screenshot from 2014-10-19 12:00:45
Since TLS is encrypted we cannot prove this link directly; it is the short time frame between the events that serves as evidence of the link between the websites.
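
The referer filter and the time-window reasoning above, as an added Python example that is not part of the original post: it parses a few constructed EVE JSON lines (hostnames, IPs and timestamps are invented), lists the third-party hostnames reached with a Referer on a given site, and lists the TLS certificate subjects seen from the same client within a few seconds of the visit, which is the only link left once the traffic is encrypted.

```python
import json
from datetime import datetime, timedelta

# Constructed EVE JSON lines (not real captures): a visit to elysee.fr followed
# by third-party HTTP hits carrying its Referer and nearby TLS sessions.
SAMPLE_EVE = """\
{"timestamp":"2014-10-19T12:00:00.000000+0200","event_type":"http","src_ip":"10.0.0.5","dest_ip":"198.51.100.10","http":{"hostname":"www.elysee.fr","url":"/","http_refer":""}}
{"timestamp":"2014-10-19T12:00:00.300000+0200","event_type":"http","src_ip":"10.0.0.5","dest_ip":"198.51.100.20","http":{"hostname":"www.facebook.com","url":"/plugins/like.php","http_refer":"http://www.elysee.fr/"}}
{"timestamp":"2014-10-19T12:00:00.450000+0200","event_type":"http","src_ip":"10.0.0.5","dest_ip":"198.51.100.30","http":{"hostname":"www.google-analytics.com","url":"/ga.js","http_refer":"http://www.elysee.fr/"}}
{"timestamp":"2014-10-19T12:00:01.100000+0200","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"198.51.100.40","tls":{"subject":"CN=*.twitter.com","issuerdn":"CN=Example CA"}}
{"timestamp":"2014-10-19T12:00:09.000000+0200","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"198.51.100.50","tls":{"subject":"CN=*.google.com","issuerdn":"CN=Example CA"}}
"""


def parse_eve(text):
    """Parse EVE JSON lines; add a datetime 'ts' and skip malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        except (ValueError, KeyError, TypeError):
            continue
        events.append(ev)
    return events


def third_parties_by_referer(events, site):
    """Hostnames contacted with a Referer on `site`: the http.http_refer filter."""
    hosts = set()
    for ev in events:
        http = ev.get("http", {})
        if ev.get("event_type") == "http" and http.get("http_refer", "").startswith(site):
            hosts.add(http.get("hostname", ""))
    return sorted(h for h in hosts if h)


def tls_following_visit(events, site, window_seconds=5):
    """TLS subjects seen from the same client shortly after an HTTP request to `site`.
    TLS carries no Referer, so closeness in time is the only available link."""
    window = timedelta(seconds=window_seconds)
    visits = [ev for ev in events
              if ev.get("event_type") == "http" and ev.get("http", {}).get("hostname") == site]
    subjects = set()
    for visit in visits:
        for ev in events:
            if ev.get("event_type") == "tls" and ev.get("src_ip") == visit.get("src_ip") \
                    and visit["ts"] <= ev["ts"] <= visit["ts"] + window:
                subjects.add(ev.get("tls", {}).get("subject", ""))
    return sorted(s for s in subjects if s)
```

Widening the window pulls in more TLS sessions, so the window is a trade-off between missing a related connection and attributing an unrelated one.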

Conclusion

The SELKS privacy dashboard is just an example of what you can achieve in SELKS by using Suricata network security monitoring capabilities. The demonstration shown here is local, but don't forget you can do it at the level of a whole network.


Stamus Networks is proud to announce the availability of the SELKS 1.0 stable release. SELKS is a live and installable Network Security Management ISO based on Debian, implementing and focusing on a complete, ready-to-use Suricata IDS/IPS ecosystem with its own graphical rule manager. Stamus Networks is a proud member of the Open Source community and SELKS is released under the GPLv3 license.

Screenshot from 2014-10-15 21:39:11
You can download SELKS from SELKS main page.

SELKS comprises the following major components:

It offers proven, powerful, innovative and scalable open source multi-threading technologies in a bundle.

SELKS 1.0 comes with 10 pre-installed Kibana IDS/NSM dashboards. They cover analysis of the Suricata alerts and events with per-protocol dashboards (Alerts, HTTP, Flow, SSH, TLS, DNS …). Some dashboards are also dedicated to more specific tasks – like the PRIVACY dashboard:
Screenshot from 2014-10-15 21:28:27
It shows privacy-related information such as which pages lead to well-known personal data providers such as Facebook, Twitter or Google.

SELKS provides Scirius – a rules management interface for Suricata. Scirius has been developed by Stamus Networks to provide interaction with Kibana and Elasticsearch. It displays for example statistics on rules and links to existing Kibana dashboards:
Screenshot from 2014-10-15 21:17:37

Scirius provides up-to-date signatures via the EmergingThreats Open (or PRO) ruleset and the SSL abuse.ch signatures:
Screenshot from 2014-10-15 21:18:29

Scirius can be upgraded via the standard Debian method (apt-get upgrade). Stamus Networks is also determined to provide the latest stable Debian kernel release for SELKS. Upgrading to the latest stable kernel is easy via the package system. For example, a user running the installed version can upgrade the kernel to the latest 3.14 version:

kernel-upgrade-3.14.21
Scirius 1.0rc1 can be upgraded to the 1.0 version by running apt-get dist-upgrade.

The list of provided Kibana dashboards will be augmented in the future and this will be done seamlessly via the Debian packaging system and Kibana autodiscovery:

Kibana-dashboards

We really hope you will enjoy SELKS, an enterprise-grade IDS and Network Security Monitoring system in 30 seconds.

How to and README

Follow us on Twitter, Google+ and Github

Let's talk about SELKS…


Stamus Networks is proud to announce the availability of SELKS 1.0 RC1. This is the first release candidate of our live and installable ISO based on Debian implementing a ready-to-use Suricata IDS/IPS. You can read more about SELKS on our Open Source page.

This release includes a major overhaul and improvements:

  • Introducing for the first time the new Stamus Networks package repositories developed especially for SELKS – Kibana, Scirius
  • Update and upgrade all software and SELKS the Debian way (apt-get or aptitude)
  • 9 ready-to-use out-of-the-box IDS/IPS dashboards
  • Over 150 fields to search, select, filter and easily analyze, right out of the box
  • Fully enabled logging
  • Suricata 2.1beta1 (adding flow and alert payload logging to the NSM arsenal)
  • Scirius 0.8 (latest release of our graphical Suricata ruleset manager)

A better interface

SELKS 1.0 RC1 comes with preloaded dashboards and a modified version of Kibana:

Dashboards

Screenshot from 2014-09-09 20:44:42
This allows interaction with Scirius, our open-source Suricata ruleset management interface:

Screenshot from 2014-09-09 20:26:15

SELKS 1.0 RC1 contains Suricata 2.1beta1 which brings flow and alert payload logging – available right out of the box on the predefined dashboards:

Screenshot from 2014-09-09 22:45:00

Alert-SELKS-Payload1

Easy upgrade

Stamus is dedicated to providing the latest releases of Suricata, htp and the kernel. That's why we provide generic Debian packaging for the newest Suricata IDS/IPS and htp releases and the newest long-term kernel version (3.14.18 at the time of this writing).

SELKS comes with a standard Debian Wheezy distribution with a 3.2 kernel – if you would like to upgrade to the latest long-term supported kernel you can just do (for example, for kernel 3.14.18):

apt-get update && apt-get upgrade
apt-get install linux-headers-3.14.18-stamus linux-image-3.14.18-stamus

For everything else you can just do:

apt-get update && apt-get upgrade

As easy as that!

DOWNLOAD SELKS HERE

Stamus Networks is proud to announce the availability of version 0.8 of Scirius, the web management interface for Suricata. This new release contains a lot of new features as well as bug fixes.

On the functional side, the main new features are:

  • Support for content such as IP reputation lists
  • Changelog support: display changes on sources after update
  • Global search: text search in all objects

The changelog on a source is really useful to know what signatures have been added or modified:
Screenshot from 2014-09-03 16:51:18

The global search is accessible from the top bar on all pages. It allows you to quickly access the matching objects:
Screenshot from 2014-09-03 16:53:23

Among the other features, one can also mention the syntax highlighting for rules. Rule detail now comes with information about rule status in rulesets and rule stats:
Screenshot from 2014-09-03 16:36:58

We hope you will enjoy this new release. As usual it can be downloaded from Github. Happy NIDSing!

Thanks to the EVE JSON events and alerts format that appeared in Suricata 2.0, it is now easy to import Suricata-generated data into a running Splunk instance.

To ease the first steps of integration, Stamus Networks provides a Splunk application: Suricata by Stamus Networks.

It can be installed like any other application; it only requires that a Suricata EVE JSON file is known to and parsed by Splunk.

The current version provides a dashboard and a few searches:

Screenshot from 2014-07-30 15:39:11

This post describes how to import the application and, if you have not already done so, how to import data from a Suricata EVE file.

Importing the application

Importing the application is done via the Apps menu at the top of the Splunk start page:

Screenshot from 2014-07-30 15:33:39

The Suricata by Stamus Networks application is currently provided as a file, so you need to download it: Suricata by Stamus Networks. Once done, you can add the application:

Screenshot from 2014-07-30 15:33:50

You then need to select the file:

Screenshot from 2014-07-30 15:34:05

Importing a Suricata EVE JSON file

Since Splunk 6.1.x, recognition of the file format is automatic. If you are using an older version of Splunk, you may need to refer to this page to import a Suricata EVE file.

Here is the detailed procedure to import Suricata EVE data into Splunk. From the start page, we click on Add Data:

Screenshot from 2014-07-30 15:27:48

Then we click on Files & Directories to tell Splunk to import data from the Suricata EVE JSON file:

Screenshot from 2014-07-30 15:28:08

Once done, we click on the New button:

Screenshot from 2014-07-30 15:28:21

Now, we only need to give the complete path to the eve.json file:

Screenshot from 2014-07-30 15:28:47

Once this is done, we just need to click through the Continue buttons to finish.

Using the application

Now, we can go to the application by clicking on Suricata by Stamus Networks:

Screenshot from 2014-07-30 15:34:42

The next step can be to go to the dashboard:

Screenshot from 2014-07-30 15:35:02

The dashboard contains some interesting panels, like the following one which displays the destination IP addresses using a self-signed certificate for TLS connections:
Screenshot from 2014-07-30 14:37:52
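
One way to derive the data behind such a panel from EVE records, as an added Python example that is not the app's own search logic: a session is flagged when the EVE tls subject and issuerdn fields match after normalisation, and hits are aggregated per destination. The EVE lines below are constructed; the destinations and certificate names are invented.

```python
import json
from collections import defaultdict

# Constructed EVE lines (not real captures); destinations and DNs are invented.
SAMPLE_TLS_EVE = """\
{"timestamp":"2014-07-30T14:30:00.000000+0200","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{"subject":"C=XX, CN=router.local","issuerdn":"C=XX, CN=router.local"}}
{"timestamp":"2014-07-30T14:30:01.000000+0200","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.20","dest_port":443,"tls":{"subject":"CN=www.example.com","issuerdn":"CN=Example Root CA"}}
{"timestamp":"2014-07-30T14:30:02.000000+0200","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.30","http":{"hostname":"www.example.com"}}
{"timestamp":"2014-07-30T14:31:00.000000+0200","event_type":"tls","src_ip":"10.0.0.6","dest_ip":"203.0.113.10","dest_port":443,"tls":{"subject":"C=XX, CN=router.local","issuerdn":"C=XX,CN=router.local"}}
{"timestamp":"2014-07-30T14:32:00.000000+0200","event_type":"tls","src_ip":"10.0.0.7","dest_ip":"203.0.113.40","dest_port":8443,"tls":{"subject":"CN=printer","issuerdn":"cn=printer"}}
"""


def normalize_dn(dn):
    """Canonicalise a DN so spacing and attribute-name case cannot hide a match."""
    out = []
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        out.append(key.upper() + "=" + value.strip())
    return ",".join(out)


def is_self_signed(tls):
    """Subject equal to issuer is the usual mark of a self-signed certificate.
    A CA root certificate is self-signed too, so treat hits as leads, not verdicts."""
    subject, issuer = tls.get("subject"), tls.get("issuerdn")
    return bool(subject and issuer) and normalize_dn(subject) == normalize_dn(issuer)


def self_signed_destinations(text):
    """Map 'dest_ip:dest_port' -> {'sessions': n, 'subjects': [...]} over EVE tls events."""
    found = defaultdict(lambda: {"sessions": 0, "subjects": set()})
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if not isinstance(ev, dict) or ev.get("event_type") != "tls":
            continue
        tls = ev.get("tls", {})
        if is_self_signed(tls):
            key = f"{ev.get('dest_ip')}:{ev.get('dest_port')}"
            found[key]["sessions"] += 1
            found[key]["subjects"].add(normalize_dn(tls["subject"]))
    return {k: {"sessions": v["sessions"], "subjects": sorted(v["subjects"])}
            for k, v in found.items()}
```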

Conclusion

This application should evolve with time, so stay tuned and follow us on Twitter for more information.

Stamus Networks is proud to announce the release of SELKS 1.0 beta2. This is the second public release of our live and installable ISO implementing a ready-to-use Suricata IDS/IPS.

Screenshot from 2014-05-22 10:14:38

SELKS 1.0 beta2 can be downloaded:

MD5 sum of the SELKS-1.0beta2.iso file is 38222aeda399f7502913c91465ac9499.

While this new release features some improvements in the build process, the main new things for the user are an updated version of Scirius and a custom Kibana interface. A menu to switch from one interface to the other has been added to both applications. A link has been added in the detail of an alert event to be able to jump from Kibana to the right place in Scirius rule management. The following screencast demonstrates these features:

On the Suricata side, file extraction and the Unix socket are now enabled by default. So SELKS 1.0-beta2 will extract files from streams to disk if signatures containing the filestore keyword are used. The activation of the Unix socket allows users to get data from Suricata and/or to use alternate running modes like multiple pcap processing.

The complete Changelog is as follows:

  • bump ES to 1.2.1
  • suricata: enable file extraction
  • kibana: use stamus version
  • suricata: enable unix-socket
  • scirius: remove unused files
  • build: add capability to add option to lb config
  • scirius: use new command to build default ruleset (Fix Issue 1)
  • scirius: use version 0.4
  • doc: update links on desktop README

The Ubuntu used in this tutorial:

root@LTS-64-1:~/opt#uname -a
Linux LTS-64-1 3.5.0-45-generic #68~precise1-Ubuntu SMP Wed Dec 4 16:18:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

If you have these packages installed you need to remove them so that Scirius works with the latest Python dependencies.
Please be careful that this does not affect your currently running services. It is always best to test first 🙂

root@LTS-64-1:~/opt#apt-get remove django-tables python-django python-django-south python-git

Install the needed dependencies:

root@LTS-64-1:~/opt#aptitude install python-pip git
root@LTS-64-1:~/opt#pip install django django-tables2 South GitPython pyinotify daemon

Clone the latest version:

root@LTS-64-1:~/opt#git clone https://github.com/StamusNetworks/scirius.git
root@LTS-64-1:~/opt#cd scirius/
root@LTS-64-1:~/opt/scirius# python manage.py syncdb

Start Scirius:

root@LTS-64-1:~/opt/scirius#python manage.py runserver
Validating models...
Failed to setup thread-interrupt handler. This is usually not critical
0 errors found
May 20, 2014 - 19:51:27
Django version 1.6.4, using settings 'scirius.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

If you need to connect to the server remotely (provide your IP):

root@LTS-64-1:~/opt/scirius#python manage.py runserver 10.0.10.5:8000
Validating models...
Failed to setup thread-interrupt handler. This is usually not critical
0 errors found
May 20, 2014 - 19:51:58
Django version 1.6.4, using settings 'scirius.settings'
Starting development server at http://10.0.10.5:8000/
Quit the server with CONTROL-C.

Now let's walk through registering and adding a ruleset.

For example (for the latest stable and dev Suricata) from http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz, since Emerging Threats create, write and distribute rulesets specially tuned for Suricata that make use of the advanced features of that IDS engine.

First we need to add a source:

AddRuleset-1

AddRuleset-0

Then we add a ruleset:

AddRuleset-2

We need to edit the ruleset and select the categories we want from that ruleset:

AddRuleset-3

AddRuleset-4

Select categories:

AddRuleset-5

Validate changes:

AddRuleset-6

If you already have Elasticsearch, Logstash and Kibana installed on the same server, you can do the following: put in the values as in the picture, except the host name; choose the hostname to be exactly the same as your hostkey in Elasticsearch/Kibana, as in the pictures below.

hostkey1 hostkey2

Then in Scirius ->

CreatingSuricata-1 CreatingSuricata-2

Now you should be able to see the hits and which rules are making the most noise 🙂

That’s it for a quick intro.