Comments (7)
@dmaynor that would be really specific to your setup, but you could create an alarm to correlate the information (we're currently working on a modular alarm system).
You can check the maindev branch in elkserver\docker\redelk-base\redelkinstalldata\scripts\modules for examples.
Basically, you could search in rtops and redirtraffic for elements that have been seen in your suricata index.
Interesting idea. So if I understand you correctly you would like to have the logs from Suricata ingested and accessible via the Kibana interface of RedELK?
I have no recent practical experience with Suricata. Where does it store the logs, and in what format? Got any example logs?
You could try the filebeat module for suricata: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-suricata.html
That is what I am doing. I can contribute my suricata and file beat config if it would be helpful.
> Interesting idea. So if I understand you correctly you would like to have the logs from Suricata ingested and accessible via the Kibana interface of RedELK?
> I have no recent practical experience with Suricata. Where does it store the logs, and in what format? Got any example logs?
They are generally in /var/log/suricata/.
vagrant@logger:/var/log/suricata$ ls -lrth
total 96K
drwxr-xr-x 2 root root 4.0K Oct 8 18:08 files
drwxr-xr-x 2 root root 4.0K Oct 8 18:08 core
drwxr-xr-x 2 root root 4.0K Oct 8 18:08 certs
-rw-r--r-- 1 root root 0 Oct 28 16:52 fast.log
-rw-r--r-- 1 root root 12K Oct 28 16:53 stats.log
-rw-r--r-- 1 root root 46K Oct 28 16:53 eve.json
-rw-r--r-- 1 root root 19K Oct 28 16:53 suricata.log
-rw-r--r-- 1 root root 1.5K Oct 28 16:53 suricata-start.log
vagrant@logger:/var/log/suricata$
This is what a fresh install from deb looks like. The config file is in /etc/suricata/suricata.yaml. Normally in a config you define your "home" network. This helps with rule processing to detect attacks targeting your network. For this I put my target as the home, that way I get logs that would show me what a hunter would see. An example from my setup:
vars:
  address-groups:
    HOME_NET: "[10.10.10.0/24]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"
This is from a setup I use for Hackthebox. Their target boxes are mostly in the 10.10.10.x range.
Back to /var/log/suricata. The 3 main files are eve.json, fast.log, suricata.log. These are logs of me doing nmap -A against a HTB box with an IP of 10.129.29.36.
- fast.log will be a single line of an event that fires.
- suricata.log holds info about the operations of suricata like start/stop/etc.
- eve.json is a catch-all file for everything in a json format. This isn't just alerts, it also logs stats, flow information, pretty much anything you can imagine and configure in suricata.yaml.
I use filebeat now to copy eve.json. Filebeat has a suricata module: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-suricata.html
I am happy to share anything I am doing or even give access to the VM image I am running. What I am not aware of is how it could correlate with other data you are ingesting. I attached a zip of the files I mention as examples.
suricata.tar.gz
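The correlation suggested earlier in the thread (checking addresses from rtops/redirtraffic against the suricata index) and the eve.json layout described in this comment, as an added example that is not part of the thread or of RedELK's own alarm modules: it pulls the alert events out of eve.json-style lines and reports which of the red team's own source addresses (a constructed stand-in for the redirtraffic index) triggered which signatures. The log lines, IPs and signature ids are constructed.

```python
import json
from collections import Counter

# Constructed eve.json lines (NDJSON) following Suricata's EVE schema.
# Signature ids, IPs and timestamps are made up; the last line is deliberately
# truncated, as happens when the file is read while Suricata is still writing.
EVE_SAMPLE = """\
{"timestamp":"2020-10-28T16:53:01.000000+0000","event_type":"alert","src_ip":"10.10.14.5","src_port":44321,"dest_ip":"10.129.29.36","dest_port":22,"proto":"TCP","alert":{"signature_id":9000001,"signature":"TEST SCAN nmap probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2020-10-28T16:53:01.100000+0000","event_type":"flow","src_ip":"10.10.14.5","dest_ip":"10.129.29.36","proto":"TCP"}
{"timestamp":"2020-10-28T16:53:02.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":51000,"dest_ip":"10.129.29.36","dest_port":80,"proto":"TCP","alert":{"signature_id":9000002,"signature":"TEST WEB suspicious user-agent","category":"Web Application Attack","severity":1}}
{"timestamp":"2020-10-28T16:53:03.000000+0000","event_type":"stats","stats":{"uptime":60}}
{"timestamp":"2020-10-28T16:53:04.000000+0000","event_type":"alert","src_
"""

# Constructed stand-in for the redirtraffic index: source addresses the team's
# own redirectors have seen, i.e. the red team's own egress IPs.
REDIRTRAFFIC_SOURCES = {"10.10.14.5", "203.0.113.9"}


def parse_eve_alerts(text):
    """Return only event_type == "alert" records; skip flow/stats and broken lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line at end of file: ignore rather than abort
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts


def correlate_own_traffic(alerts, own_sources):
    """Alerts in which either endpoint is one of our own known addresses."""
    return [a for a in alerts
            if a.get("src_ip") in own_sources or a.get("dest_ip") in own_sources]


def flagged_signatures(text, own_sources):
    """Count (own IP, signature) pairs; this is what an alarm would report."""
    counts = Counter()
    for a in correlate_own_traffic(parse_eve_alerts(text), own_sources):
        own_ip = a["src_ip"] if a["src_ip"] in own_sources else a["dest_ip"]
        counts[(own_ip, a["alert"]["signature"])] += 1
    return counts


if __name__ == "__main__":
    for (ip, sig), n in flagged_signatures(EVE_SAMPLE, REDIRTRAFFIC_SOURCES).items():
        print(f"{ip} tripped '{sig}' {n}x")
```

Only the first constructed alert involves one of the team's addresses, so the report shows that the scan from 10.10.14.5 was flagged while the unrelated 198.51.100.7 alert is left out.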
My hope is to highlight better redteam tradecraft for all users. If your own redelk instance is flagging your traffic then you have a 50/50 chance a blue team will as well.
Closing due to inactivity and other priorities, feel free to re-open if still relevant