Our Blog

SELKS 1.0 beta2 is available

0
By Posted on 2014-06-18 in Announces

Stamus Networks is proud to announce the release of SELKS 1.0 beta2. This is the second public release of our Live and installable ISO implementing a ready to use Suricata IDS/IPS.

Screenshot from 2014-05-22 10:14:38

SELKS 1.0 beta2 can be downloaded:

MD5 sum of the SELKS-1.0beta2.iso file is 38222aeda399f7502913c91465ac9499.

If this new release features some improvements in the creation process, the main new things for the user are an updated version of Scirius and a custom Kibana interface. A menu to switch from one interface to the other has been added on both application. A link has been added in the detail of alert event to be able to jump from Kibana to the correct place in Scirius rule management. The following screencast demonstrates these features:

On Suricata side, file extraction and Unix socket are now enable by default. So SELKS 1.0-beta2 will extract to disk files from stream if signatures containing the filestore are used. The activation of Unix socket allows user to get data from Suricata and/or to use alternate running modes like multiple pcap processing.

The complete Changelog is as follows:

  • bump ES to 1.2.1
  • suricata: enable file extraction
  • kibana: use stamus version
  • suricata: enable unix-socket
  • scirius: remove unused files
  • build: add capability to add option to lb config
  • scirius: use new command to build default ruleset (Fix Issue 1)
  • scirius: use version 0.4
  • doc: update links on desktop README

Scirius on Ubuntu LTS

0
By Posted on 2014-05-20 in Tutorials

The Ubuntu used in this tutorial:

root@LTS-64-1:~/opt#uname -a
Linux LTS-64-1 3.5.0-45-generic #68~precise1-Ubuntu SMP Wed Dec 4 16:18:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

If you have these packages installed you need to remove them so that Scirius would work with the latest python dependencies.
Please be careful so that this actually does not affect your current running services. It is always best to test first 🙂

root@LTS-64-1:~/opt#apt-get remove django-tables python-django python-django-south python-git

Install the needed dependencies:

root@LTS-64-1:~/opt#aptitude install python-pip git
root@LTS-64-1:~/opt#pip install django django-tables2 South GitPython pyinotify daemon

Clone the latest version

root@LTS-64-1:~/opt#git clone https://github.com/StamusNetworks/scirius.git
root@LTS-64-1:~/opt#cd scirius/
root@LTS-64-1:~/opt/scirius# python manage.py syncdb

Start Scirius

root@LTS-64-1:~/opt/scirius#python manage.py runserver
Validating models…
Failed to setup thread-interrupt handler. This is usually not critical
0 errors found
May 20, 2014 – 19:51:27
Django version 1.6.4, using settings ‘scirius.settings’
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

If you need to connect to the server remotely (provide your ip)  –

root@LTS-64-1:~/opt/scirius#python manage.py runserver 10.0.10.5:8000
Validating models…
Failed to setup thread-interrupt handler. This is usually not critical
0 errors found
May 20, 2014 – 19:51:58
Django version 1.6.4, using settings ‘scirius.settings’
Starting development server at http://10.0.10.5:8000/
Quit the server with CONTROL-C.

Now lets have a walk through registering and adding a ruleset

For example (for the latest stable and dev Suricata) from  http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz since Emerging Threats create, write and distribute specially tuned for Suricata rulesets that make  use of the advanced features of that IDS engine.

First we need to add a source:AddRuleset-1

AddRuleset-0

 

Then we add a ruleset:

 

AddRuleset-2

We need to edit the ruleset and select the categories we want from that ruleset:

 

AddRuleset-3

 

AddRuleset-4

Select categories:

AddRuleset-5

Validate changes:

AddRuleset-6
If you have already Elasticsearch, Logstash, Kibana installed on the same server,
you could do the following -> put in the values as on the picture – except the host name – chose the hostname to be exactly as your hostkey in Elasticsearch/Kibana , like in the pics below.

 

hostkey1 hostkey2

 

Then in Scirius ->

CreatingSuricata-1 CreatingSuricata-2

 

Now you should be able to see the hits and which rules are making the most noise 🙂

That’s it for a quick intro.

 

Announcing Scirius v0.3

0
By Posted on 2014-05-20 in Announces

Stamus Networks is proud to announce the release 0.3 of Scirius, our web interface for Suricata ruleset management.

The interface has been redesigned for more compacity and clarity:
Screenshot from 2014-05-19 11:21:00

Two major features have been added:

  • Support of local rules: User can now upload rules contained in an archive
  • Fast suppression of rules: two clicks are enough to suppress one rule

It is now also possible to select the time period selection on rules activity:

Screenshot from 2014-05-19 11:28:07

 

Please note, the rules with sid 220029 on the screenshot. It is displayed strikethrough because it has been suppressed from the ruleset.

Here’s a screencast showing how easy it is to suppress a noisy rule from a ruleset:

With all these new features, we think that Scirius can now be efficiently used to administrate a Suricata ruleset.

Stamus Networks is happy to release Scirius as Open Source Software under GPLv3. You can download it from GitHub : scirius-0.3.tar.gz.

 

 

Announcing Scirius v0.1

0
By Posted on 2014-05-06 in Announces

Stamus Networks is proud to announce the first release of Scirius, its Suricata ruleset web management interface.

Scirius is a web management interface developed by Stamus Networks and released under the GPLv3 license. The interface is aiming simplicity and efficiency and that’s why we have adopted a simple design:

Screenshot from 2014-05-03 11:25:06

It is possible to link Scirius with a running Elasticsearch fed by Suricata EVE JSON log. Once done, information stored in the Elasticsearch can be used to get an idea of the activity of the Suricata. The following screenshot is an example of statistics fetched from Elasticsearch and displayed in Scirius:

Rules activity

Scirius is currently in alpha stage but it is already possible to manage efficiently a Suricata ruleset using ETOpen or ETPro ruleset. For example, the following video is demonstrating how it is possible to remove a selected subset of signatures from the ruleset:

Scirius is available on Github. Following releases of Scirius will feature among other things the support for local signatures (uploaded by the user) and some missing operations such as quick removal of individual signature.

Eric Leblond’s talk at HES2014

0
By Posted on 2014-04-28 in Conferences

I’ve given a talk entitled “Suricata 2.0, Netfilter and the PRC” at the Hackito Ergo Sum conference.

The talk is presenting Suricata and the new features available in version 2.0, focusing on the new EVE output and how it can be used with Elasticsearch, Logstash and Kibana. I’ve also shown how ulogd, the Netfilter logging daemon can be used with Elasticsearch thanks to the new JSON output plugin. Finally, I’ve explained how I’ve discovered a attack schema which is originating from systems running in the People Republic of China.

You can get the slides here: Suricata 2.0, Netfilter and the PRC

Stamus Networks technical blog

0
By Posted on 2014-04-06 in Announces

This is the first blog post on Stamus Networks technical blog. You will find here posts focused on Intrusion Detection System and Network Security Monitoring as well as information specific to Suricata or our products.

About this blog

Stamus Networks believes that information sharing is necessary to improve the global security level. The purpose of this blog is to share our experiences and experiments.

RECENT POSTS

CATEGORIES

ARCHIVES