
stamusnetworks / scirius

595.0 55.0 149.0 12.56 MB

Scirius is a web application for Suricata ruleset management and threat hunting.

License: GNU General Public License v3.0

Python 56.60% HTML 14.69% JavaScript 24.17% CSS 0.83% RobotFramework 2.13% Shell 0.53% SCSS 0.31% Dockerfile 0.29% Handlebars 0.45%
python security management interface suricata signatures detection threat-hunting suricata-rules cybersecurity

scirius's Introduction

Scirius

Introduction

Scirius Community Edition is a web interface dedicated to Suricata ruleset management. It handles the rules files and updates the associated files.

[Screenshot: Suricata page]

Scirius CE is developed by Stamus Networks and is available under the GNU GPLv3 license.

Features

Scirius can build a Suricata ruleset composed of different sources. Sources (feeds) can be picked from the public sources published by OISF or can be custom.

[Screenshot: public sources from OISF]

Scirius takes care of refreshing the sources and composing the ruleset by applying your transformations to it.

[Screenshot: Ruleset with 5 sources]

Transformations such as disabling a rule or applying a threshold (to reduce noise) can be made per rule or at the category level.

[Screenshot: Rule page]

Scirius also presents statistics on rule activity to inform and facilitate tuning.
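The composition and transformation steps described above, as an added example that is not Scirius's own code: it merges rule lines from two sources into one rules file, comments out disabled sids and whole disabled categories (so the output still documents what was turned off), refuses duplicate sids across feeds, and renders per-rule thresholds in Suricata's threshold.config syntax. The rule bodies and the threshold policy are constructed for illustration (only the sids 2012648, 2000419, 10000001 and 1 appear elsewhere on this page); SOURCES, build_ruleset and the other names are this example's, not the project's.

```python
import re

# Constructed sample sources: a list of rule lines per source file. In Scirius
# these would come from fetched feeds (ET Open, OISF, custom); the rule bodies
# here are simplified and invented for the example.
SOURCES = {
    "et-open/emerging-policy.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Dropbox traffic (constructed)"; sid:2012648; rev:4;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PE EXE or DLL download (constructed)"; sid:2000419; rev:22;)',
    ],
    "custom/local.rules": [
        'alert icmp any any -> any any (msg:"ICMP Test"; classtype:policy-violation; sid:10000001; rev:1;)',
        'alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;)',
    ],
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_sid(rule):
    """Return the sid of a rule line, or None for comments and malformed lines."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def category_of(source_name):
    """Category = rules file basename without extension, e.g. 'emerging-policy'."""
    return source_name.rsplit("/", 1)[-1].rsplit(".", 1)[0]


def build_ruleset(sources, disabled_sids=(), disabled_categories=(), thresholds=None):
    """Compose one rules file from several sources.

    Disabled sids / categories are commented out rather than dropped; thresholds
    maps sid -> {"type", "track", "count", "seconds"} and is rendered as
    threshold.config lines. Returns (rules_text, threshold_text).
    """
    thresholds = thresholds or {}
    rules_out = ["# generated ruleset (example)"]
    threshold_out = []
    seen = {}  # sid -> source, to refuse the same sid coming from two feeds
    for name in sorted(sources):
        category = category_of(name)
        rules_out.append("# source: %s (category %s)" % (name, category))
        for rule in sources[name]:
            sid = parse_sid(rule)
            if sid is None:
                continue  # not a usable signature
            if sid in seen:
                raise ValueError("sid %d appears in both %s and %s" % (sid, seen[sid], name))
            seen[sid] = name
            disabled = category in disabled_categories or sid in disabled_sids
            rules_out.append(("# " if disabled else "") + rule)
            if sid in thresholds and not disabled:
                t = thresholds[sid]
                threshold_out.append(
                    "threshold gen_id 1, sig_id %d, type %s, track %s, count %d, seconds %d"
                    % (sid, t["type"], t["track"], t["count"], t["seconds"]))
    return "\n".join(rules_out) + "\n", "".join(line + "\n" for line in threshold_out)


def active_sids(rules_text):
    """sids of enabled rules in a generated file, sorted."""
    return sorted(parse_sid(l) for l in rules_text.splitlines()
                  if not l.startswith("#") and parse_sid(l) is not None)


def disabled_sids(rules_text):
    """sids of commented-out rules in a generated file, sorted."""
    return sorted(parse_sid(l) for l in rules_text.splitlines()
                  if l.startswith("#") and parse_sid(l) is not None)


def write_ruleset(path, text):
    # Write explicitly as UTF-8 so a non-ASCII ruleset or source name never
    # depends on the process locale's codec.
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


if __name__ == "__main__":
    rules, thr = build_ruleset(
        SOURCES,
        disabled_sids={2012648},
        disabled_categories={"local"},
        thresholds={2000419: {"type": "limit", "track": "by_src", "count": 1, "seconds": 60}},
    )
    print(rules)
    print(thr)
```

Commenting out instead of deleting keeps the generated file self-describing, and the duplicate-sid check matters once several public feeds are mixed: Suricata refuses to load a ruleset with a repeated sid.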

Get Help

Documentation

Scirius Documentation is on readthedocs.

Support

You can join the #SELKS IRC channel on irc.freenode.net to get help.

You can also ask Scirius-related questions on the SELKS Forum.

Report an issue

You can report an issue on GitHub issue page.

Contributing

From improving the documentation to coding new features, there is more than one way to contribute to Scirius. For all contributions, please open a Pull Request on GitHub.

scirius's People

Contributors

0xtf, arktronic-sep, biolds, eagleman7, markuskont, mrnerdhair, novaksam, pevma, potrik98, regit, sonicold, xrl, yodapotatofly, yrx0619


scirius's Issues

Email Notification for Scirius

Hi,

Is it possible to get automated alerts and summary through emails?

What I am after is:

  1. Daily/Weekly/Monthly Summary
    and
  2. Ad-Hoc email for specific alerts

Daily/Weekly/Monthly Summary
Similar to what other NSMs offer (happy to provide a copy), it would be useful to get a regular email displaying info such as:
  • Total number of High/Medium/Low alerts
  • Top 10 alerts with count
  • Top 10 source addresses for those alerts
  • Top 10 destinations for the alerts
As plain text would be enough.
The "cherry on the top" would be to also include the timeline graph, so it gives you an idea of when those alerts took place in the day/week/month.

I found this useful as once your NSM is all set up nicely, you can kind of forget about it... and just check that daily email to see what the top 10 alerts were. If for example you see an alert related to a Windows EXE installation file and you have actually updated your Windows server that day, then you know you can ignore it... On the other hand, if there was no update, that might be a reason to connect to your SELKS environment and investigate further.

Ad-Hoc email for specific alert
It would be really helpful if you could set an email alert if a specific security alert (Suricata ID) occurs. Look at this scenario (which happened to me!):
  • You get an alert that keeps recurring at random times, coming from a phone device, claiming there is a Kazaa download.
  • You only find that alert when you connect to your NSM; you identify the device, check the device, and there is nothing on it that should be running Kazaa!!
  • Every time you see the alert in your NSM, it is too late; the user doesn't remember exactly what he did 2h ago.
  • Instead, you set up an email alert that sends you an email as soon as the Suricata rule is triggered on that specific event.
  • This time you receive the alert within a minute of the event occurring, you contact the user, who tells you he is currently using Skype... Through a bit more troubleshooting you can find out that it is a false positive and that in fact Skype traffic can sometimes be confused for Kazaa traffic.
Thanks,
B.

Feature Request: Scirius/Kibana flow

The flow from Kibana to Scirius works great: you see an alert in Kibana, drill down and eventually end up in Scirius to see the Suricata alert. Perfect.

But the other way round is not so perfect.

It is great how Scirius has all those graphs, so you can look at your overall Circle graph from the last x hours and drill down into that graph, you select a category of alerts and can see the details of the Security rule as well as a timeline when that specific rule was triggered and ... that's it!
What is missing is a link back to Kibana so you can see what IP triggered those alerts (would also be great to have that info in Scirius)

At the moment the flow seems to only work one way (from Kibana to Scirius) and it would be great to have a two-way flow!

Thanks.
B.

Drop down tab - beta1

The drop down tab (upper leftmost corner) in beta1 displays a maximum of 10 dashboards. If there are more than 10, the others will not be displayed.

Disable Rule question and issue

Hi,

I selected a rule (2012648) related to a Dropbox traffic alert and disabled it. I can see it in the top right corner now in the list of disabled rules.
A few issues:
If I click on that rule again, I still get the option to disable the rule. I would have thought this option would have changed to "enable rule" once it is disabled?
But fair enough, I then clicked on EDIT from the left menu -> Remove rule from disabled list -> Selected the rule and clicked on the blue button "remove selected rules from disabled rules".
Hum... but then nothing happens... if I reload the screen, exit, go back, I still see the rule in the disabled rule list.
So I am guessing this is not normal, but I am unsure of what I have done wrong.

Also, it seems the only option is to disable the rule altogether.
Is there a way (please say there is!! :) to be more granular??
I would like to disable that rule only for specific SOURCE IP addresses and not for all IP addresses.
Indeed, I don't care if I see a Dropbox alert for some of my IPs... but coming from certain IPs would be a problem!
This is true for many other rules (Tor, apt-get, etc).

Thanks.
B.
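Suricata's own mechanism for the per-address granularity asked for above, as an added example that is not Scirius's code: a suppress entry in threshold.config silences one signature for a given source (or destination) address or network while the rule stays enabled for everyone else. The generator, the parser and the evaluator below are this example's; the alert records and addresses are constructed (sid 2012648 is the Dropbox rule from the post, sid 10000001 the local ICMP test rule from a later issue on this page).

```python
import ipaddress
import re

# threshold.config grammar used here (Suricata):
#   suppress gen_id 1, sig_id <sid>, track by_src|by_dst, ip <address or CIDR>
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+)\s*$")

# Constructed alerts (sid, source, destination); no real traffic behind them.
ALERTS = [
    {"sid": 2012648, "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10"},
    {"sid": 2012648, "src_ip": "10.0.0.9", "dest_ip": "203.0.113.10"},
    {"sid": 2012648, "src_ip": "192.168.1.20", "dest_ip": "203.0.113.10"},
    {"sid": 10000001, "src_ip": "10.0.0.5", "dest_ip": "8.8.8.8"},
]


def suppress_lines(sid, networks, track="by_src"):
    """Render one suppress entry per address/network for a sid."""
    return ["suppress gen_id 1, sig_id %d, track %s, ip %s"
            % (sid, track, ipaddress.ip_network(n, strict=False)) for n in networks]


def parse_threshold_config(text):
    """Parse suppress entries into (sid, track, network). Other entry types
    (threshold, rate_filter) are not handled by this example and are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if m is None:
            continue
        _gen_id, sid, track, ip = m.groups()
        entries.append((int(sid), track, ipaddress.ip_network(ip, strict=False)))
    return entries


def is_suppressed(alert, entries):
    """True if an entry matches both the alert's sid and the tracked address."""
    for sid, track, net in entries:
        if alert["sid"] != sid:
            continue
        addr = ipaddress.ip_address(alert["src_ip"] if track == "by_src" else alert["dest_ip"])
        if addr in net:  # an IPv4 address in an IPv6 network is simply False
            return True
    return False


def filter_alerts(alerts, entries):
    """Alerts that would still be raised with these suppress entries in place."""
    return [a for a in alerts if not is_suppressed(a, entries)]


if __name__ == "__main__":
    config = "\n".join(suppress_lines(2012648, ["10.0.0.5", "192.168.1.0/24"]))
    print(config)
    for a in filter_alerts(ALERTS, parse_threshold_config(config)):
        print("still alerting:", a)
```

Suppressing by address is preferable to disabling the whole sid: the Dropbox alert from an unexpected host still fires, which is exactly the case the post cares about.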

Unable to update Snort Community Rules

I am attempting to add the Snort Community Rules as one of my ruleset sources, but I am unable to load them due to this error:

SuspiciousOperation at /rules/source/10/update
Suspect tar file contains a invalid name 'community-rules'
Request Method: GET
Request URL: http://*********:8000/rules/source/10/update
Django Version: 1.8
Exception Type: SuspiciousOperation
Exception Value:
Suspect tar file contains a invalid name 'community-rules'
Exception Location: /var/www/scirius/rules/models.py in handle_rules_in_tar, line 203
Python Executable: /usr/bin/python
Python Version: 2.7.6
Python Path:
['/usr/local/lib/python2.7/dist-packages/git/ext/gitdb',
'/var/www/scirius',
'/usr/local/lib/python2.7/dist-packages/pip-7.0.3-py2.7.egg',
'/usr/lib/python2.7',
'/usr/lib/python2.7/plat-x86_64-linux-gnu',
'/usr/lib/python2.7/lib-tk',
'/usr/lib/python2.7/lib-old',
'/usr/lib/python2.7/lib-dynload',
'/usr/local/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages',
'/usr/local/lib/python2.7/dist-packages/gitdb/ext/smmap']

I would really like to use the Snort rules in addition to the ET rules (which work fine, btw).
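The SuspiciousOperation above is raised by Scirius's own member-name check in handle_rules_in_tar; the page does not show how that check is written or why it rejected 'community-rules'. As an added example (not the project's code), here is the validation a rules importer needs: every member name must stay under the extraction root, links and special files are refused, and a plain top-level directory such as community-rules/ is accepted. The archives are built in memory and are constructed; make_tar, check_member and rules_from_tar are this example's names.

```python
import io
import posixpath
import tarfile


def check_member(member):
    """Validate one tar member and return its normalized relative path.

    Raises ValueError for anything that could write outside the extraction
    directory: absolute names, '..' traversal, symlinks/hardlinks and special
    files. A nested directory such as 'community-rules/' is fine.
    """
    name = member.name
    if not name:
        raise ValueError("empty member name")
    if name.startswith("/") or name.startswith("\\"):
        raise ValueError("absolute path: %r" % name)
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        raise ValueError("path escapes archive root: %r" % name)
    if member.issym() or member.islnk():
        raise ValueError("link member not allowed: %r" % name)
    if not (member.isfile() or member.isdir()):
        raise ValueError("unsupported member type: %r" % name)
    return norm


def rules_from_tar(data):
    """Return {relative path: text} for every *.rules file in a tar (bytes),
    after validating every member, rules file or not."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            path = check_member(member)
            if member.isfile() and path.endswith(".rules"):
                found[path] = tar.extractfile(member).read().decode("utf-8")
    return found


def make_tar(entries):
    """Build a gzip tar in memory. entries: (name, bytes) for files, (name, None)
    for directories, (name, ("symlink", target)) for symlinks. Only used to
    construct the sample archives below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in entries:
            info = tarfile.TarInfo(name)
            if content is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            elif isinstance(content, tuple):
                info.type = tarfile.SYMTYPE
                info.linkname = content[1]
                tar.addfile(info)
            else:
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed archives: one shaped like a community-rules snapshot, two hostile.
GOOD_TAR = make_tar([
    ("community-rules/", None),
    ("community-rules/community.rules",
     b'alert tcp any any -> any any (msg:"community test (constructed)"; sid:9000001; rev:1;)\n'),
])
TRAVERSAL_TAR = make_tar([("../../etc/cron.d/evil.rules", b"* * * * * root id\n")])
SYMLINK_TAR = make_tar([("community-rules/link.rules", ("symlink", "/etc/passwd"))])


if __name__ == "__main__":
    print(rules_from_tar(GOOD_TAR))
    for bad in (TRAVERSAL_TAR, SYMLINK_TAR):
        try:
            rules_from_tar(bad)
        except ValueError as e:
            print("rejected:", e)
```

Reading members through extractfile() rather than extractall() means nothing touches the filesystem before every name has passed the check, so a single hostile entry rejects the whole feed.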

(OS X) Error when trying to start server with reverse proxy for kibana

When using KIBANA_PROXY = True in local_settings.py I am getting:

$ python /usr/local/var/www/scirius/manage.py runserver
/usr/local/lib/python2.7/site-packages/django_tables2/tables.py:175: RemovedInDjango19Warning: SortedDict is deprecated and will be removed in Django 1.9.
  attrs["base_columns"] = SortedDict(parent_columns)

/usr/local/lib/python2.7/site-packages/django_tables2/tables.py:197: RemovedInDjango19Warning: SortedDict is deprecated and will be removed in Django 1.9.
  attrs["base_columns"].update(SortedDict(cols))

Traceback (most recent call last):
  File "/usr/local/var/www/scirius/manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python2.7/site-packages/django/core/management/__init__.py", line 338, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python2.7/site-packages/django/core/management/__init__.py", line 312, in execute
    django.setup()
  File "/usr/local/lib/python2.7/site-packages/django/__init__.py", line 18, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/usr/local/lib/python2.7/site-packages/django/apps/registry.py", line 89, in populate
    "duplicates: %s" % app_config.label)
django.core.exceptions.ImproperlyConfigured: Application labels aren't unique, duplicates: revproxy

Any ideas how to solve?

Make creation process more intuitive

To create what is needed to have a working Scirius, you need to do, in order:

  • Create a source
  • Create a ruleset
  • Create a suricata

This is a bit hard to guess and some warning should be added in the different components if a required dependency is not available.

Auto update of ruleset

It would be nice to have some way of auto-updating the rules. It should:

  • Download new rules
  • Deploy them to suricata

ET Open ruleset contains commented rules

Emerging Threats files can contain rules that are commented out. For example:

#Submitted by Joseph Gama
#Good rules, turn them on if you are interested. They are accurate.
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:22;)

It could be interesting to be able to parse them and maybe to add them to disabled rules.

Problem found by @b-u-g-s in StamusNetworks/SELKS#26
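A line classifier for this case, as an added example that is not Scirius's code: it tells a commented-out signature (#alert ...) apart from an ordinary comment, records it as a disabled rule, and also accepts a signature that carries a sid but no rev, which Suricata permits. The sample text is the fragment quoted above plus the rev-less DNS rule that appears in a later issue on this page; the function names and regular expressions are this example's.

```python
import re

# Constructed sample: the commented fragment quoted above, plus one active rule
# that has a sid but no rev.
SAMPLE = """#Submitted by Joseph Gama
#Good rules, turn them on if you are interested. They are accurate.
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:22;)

alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;)
"""

ACTIONS = "alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth"
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>" + ACTIONS + r")\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<options>.*)\)\s*$")
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def classify(line):
    """Classify one line: {'kind': 'blank'|'comment'|'invalid'|'rule', ...}.

    A '#' followed by a syntactically complete signature is a disabled rule,
    not a comment; a signature without rev is still a rule (rev is None).
    """
    text = line.strip()
    if not text:
        return {"kind": "blank"}
    m = RULE_RE.match(text)
    if m is None:
        return {"kind": "comment" if text.startswith("#") else "invalid", "text": text}
    options = m.group("options")
    sid = SID_RE.search(options)
    if sid is None:
        return {"kind": "invalid", "text": text}  # sid is mandatory, rev is not
    rev = REV_RE.search(options)
    msg = MSG_RE.search(options)
    return {
        "kind": "rule",
        "enabled": m.group("disabled") is None,
        "action": m.group("action"),
        "sid": int(sid.group(1)),
        "rev": int(rev.group(1)) if rev else None,
        "msg": msg.group(1) if msg else "",
    }


def load_rules(text):
    """Return (rules, comment_count): every signature found, enabled or not."""
    rules, comments = [], 0
    for line in text.splitlines():
        item = classify(line)
        if item["kind"] == "rule":
            rules.append(item)
        elif item["kind"] == "comment":
            comments += 1
    return rules, comments


if __name__ == "__main__":
    found, n_comments = load_rules(SAMPLE)
    print("comments:", n_comments)
    for r in found:
        print(r["sid"], r["rev"], "enabled" if r["enabled"] else "disabled", r["msg"])
```

Matching the full header (action, protocol, addresses, direction, options in parentheses) before treating a '#' line as a rule avoids turning prose comments that happen to start with an action word into phantom disabled signatures.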

Stack alert messages

When we have alert messages following one problem (ES down, rules invalid) we should stack them instead of erasing the previous entry.

Can't create "suricata" instance in scirius (OS X)

Hi. So I've added all the sources I wanted (VRT, Community, EmergingThreats...), created a ruleset, and when trying to create a new Suricata instance I got this when I pressed "Submit":

[screenshot]

So I can't use scirius..

Error when creating 'suricata' instance with no ruleset selected

When I recreated all my rulesets I switched to the suricata tab, entered the correct name, description and output directory like this (without backslash at the end): /usr/local/suricata/rules
without selecting any ruleset, pressed enter and got this:
[screenshot]
I've tried to log out and log in again many times and every time I'm getting the same(((

Seems like a bug...

The only thing that helped is reinstallation

v1.1 - stable error when adding new source (os x)

When adding a new source and pressing "Submit" I get this:
[screenshot]
but when pressing the "go back" browser button it says that this rule already exists (so it actually creates the rule and after that gives an error...)

Snort VRT rules update problem

Hi! Tried to add VRT rules as one of my sources:

Datatype:

Signatures files in tar archive

URI:

https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|44146283d5bb770b010082666768b9c083bfdb02

When I pressed Update I got this:

[screenshot]

Suricata list of TOP IP

Hi,

Would be great if we could also have the list of TOP SOURCE IP and another list of TOP DEST IP when viewing Suricata alerts.
The current view only shows volume over timeline, which is great but does not give enough information.

Thanks.
B.
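The two requests above (the periodic summary e-mail with top-10 lists and an ad-hoc notification on a chosen SID, and the top source/destination lists for Suricata alerts), served by one added example that is not Scirius's code: it reads Suricata eve.json alert events, skips other event types and corrupt lines, returns the counts a plain-text digest needs, and lists the hits on a watch list of sids. The eve lines are constructed (only sids 2012648, 2000419 and 10000001 come from this page; addresses are documentation ranges), the function names are this example's, and sending the mail itself is left out.

```python
import json
from collections import Counter

SEVERITY_NAMES = {1: "High", 2: "Medium", 3: "Low"}


def _alert(ts, src, dst, sid, signature, severity):
    """Build one constructed eve.json alert record in Suricata's EVE layout."""
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst,
                       "alert": {"signature_id": sid, "rev": 1, "signature": signature,
                                 "severity": severity}})


# Constructed eve.json lines: five alerts, one non-alert event, one corrupt line.
EVE_LINES = [
    _alert("2015-07-27T15:08:44+0000", "192.168.0.5", "203.0.113.10", 2012648, "Dropbox traffic (constructed)", 3),
    _alert("2015-07-27T15:09:01+0000", "192.168.0.5", "203.0.113.10", 2012648, "Dropbox traffic (constructed)", 3),
    _alert("2015-07-27T15:12:30+0000", "192.168.0.5", "203.0.113.10", 2012648, "Dropbox traffic (constructed)", 3),
    _alert("2015-07-27T16:00:00+0000", "198.51.100.7", "192.168.0.5", 2000419, "ET POLICY PE EXE or DLL Windows file download", 1),
    _alert("2015-07-27T16:05:12+0000", "192.168.0.5", "8.8.8.8", 10000001, "ICMP Test", 3),
    json.dumps({"timestamp": "2015-07-27T16:05:13+0000", "event_type": "dns",
                "src_ip": "192.168.0.5", "dest_ip": "8.8.8.8"}),
    '{"event_type": "alert", "truncated": tru',  # corrupt line, must be skipped
]


def iter_alerts(lines):
    """Yield parsed alert events, skipping other event types and unparsable lines."""
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if event.get("event_type") == "alert" and isinstance(event.get("alert"), dict):
            yield event


def summarize(lines, top=10):
    """Counts for a digest: alerts by severity, top signatures, top sources, top destinations."""
    by_severity, by_signature, by_src, by_dst = Counter(), Counter(), Counter(), Counter()
    for event in iter_alerts(lines):
        alert = event["alert"]
        by_severity[SEVERITY_NAMES.get(alert.get("severity"), "Unknown")] += 1
        by_signature[(alert["signature_id"], alert.get("signature", ""))] += 1
        by_src[event.get("src_ip", "?")] += 1
        by_dst[event.get("dest_ip", "?")] += 1
    return {
        "by_severity": dict(by_severity),
        "top_signatures": by_signature.most_common(top),
        "top_sources": by_src.most_common(top),
        "top_destinations": by_dst.most_common(top),
    }


def watched_hits(lines, watched_sids):
    """Alerts on the watch list, i.e. what an ad-hoc notification would carry."""
    return [(e["timestamp"], e["alert"]["signature_id"], e["src_ip"], e["dest_ip"])
            for e in iter_alerts(lines) if e["alert"]["signature_id"] in watched_sids]


def render_report(summary, period="Daily"):
    """Plain-text body for the digest mail."""
    out = ["%s Suricata alert summary" % period, ""]
    out.append("Alerts by severity: " + ", ".join(
        "%s=%d" % (name, summary["by_severity"].get(name, 0)) for name in ("High", "Medium", "Low")))
    for title, key in (("Top 10 alerts", "top_signatures"), ("Top 10 sources", "top_sources"),
                       ("Top 10 destinations", "top_destinations")):
        out += ["", title + ":"]
        out += ["  %6d  %s" % (count, k if isinstance(k, str) else "%d %s" % k)
                for k, count in summary[key]]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_report(summarize(EVE_LINES)))
    print("watched:", watched_hits(EVE_LINES, {2000419}))
```

For the ad-hoc case the same iter_alerts() would run over the live eve.json tail instead of a batch, with the watch list being the set of sids worth a mail within a minute.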

New Suricata stats in Scirius - Hyperlink request

Hi,

Really like the new stats you have added in Scirius.
I was a bit confused at first where to look, and found those stats under the Suricata tab.
Would be nice to also have a hyperlink menu to those stats on the LEFT menu of Scirius showing the Green/Amber/Red status for disk/memory.

Also, is there any info you could provide for some disk related status?

especially if it helps understanding why an indicator gets anything but a green color!
Usage will tell, but I wonder next time I get an amber for memory, will I understand why this happens by looking at the new Suricata Memory stats?
B.

How to add local rules and not break Scirius?

Hi,

I have created a simple test rule in /etc/suricata/rules/local.rules and added "- local-rules" under "-scirius.rules" in suricata.yaml

The content of /etc/suricata/rules/local.rules is:
alert icmp any any -> any any (msg:"ICMP Test"; classtype:policy-violation; sid:10000001; rev:1;)

It means any pings will generate an alert.
I did a sudo "service suricata restart", pinged google.com, and I can see alerts in the SELKS dashboard OK (and in fast.log).

The problem is with Scirius.
Problem 1:
If I go to "Suricata" in Scirius I cannot see the alert in "rules activity"

Problem 2:
I can actually see the alert in the pie chart/circle summary of Scirius (what do you call that?! :)
but if I click on it then I am getting the following error, instead of loading the rule:

Page not found (404)
Request Method: GET
Request URL: https://192.168.0.5/rules/rule/pk/10000001/

So I suspect the way I have added my local rule is not the right way? or that I have missed a step so that Scirius can deal with local rules?

Thanks.
B.

Categories

When a ruleset category is disabled, if you would like to re-enable it again it is not possible (at least I could not figure out how).

I might have overlooked something - if so - we should update the documentation.

debian packages

Would be great to see debian packages so scirius could be installed and maintained the same way as the rest of the software.

Django Upgrade?

Hi,

I noticed SELKS ships with Django version 1.6.6, is it tied to Debian Jessie?
I am asking because looking at the Django website to understand a bit more how Scirius is built, there is a warning stating that users should upgrade to 1.8.3 due to security issues in older versions.

Wondering if we can upgrade to that latest version or if doing so is going to break Scirius?
B.

Running Scirius on OS X: "Unable to get data from Elasticsearch" and Suricata is red

Hi! I'm running Scirius on OS X 10.10.4. Suricata, Elasticsearch, Logstash and Kibana are installed from Homebrew. Suricata is working fine but in Scirius, in 'System Status', everything is green except Suricata (it's red). What does that mean and how can I address this?

Also it shows the correct Elasticsearch version and cluster name detected, as well as status green (which I guess is supposed to be a good sign)... But it always shows the "Unable to get data from Elasticsearch" message on a red background...

And under Kibana dashboards it says: Failed to get data

Please help. Thank you!

Unable to check ruleset validity

Transferring issue from here: #51
So getting this:

[screenshot]

and you said:

"Ruleset has errors: is Suricata in the binary path of Scirius? Scirius needs to be able to start suricata in testing mode to check validity. You can test this by going to a single rule page, it will display the validity of the rule using the same testing mechanism. If it fails the same way then this should be the mistake."

I've created a single rule page and got the same error. My Suricata is still red because of this issue:
#26 :
"There is a bug in suricata when working with BSD-flavored operating systems... Getting Unable to change permission on socket: Invalid argument (22) -- https://redmine.openinfosecfoundation.org/issues/1353
So waiting for a fix from openinfo..."

and I still don't have the suri reloader rewritten for OS X, so my scirius basically doesn't have a direct connection with my suricata… I hope to fix it in the future… but I was still able to create my scirius.rules file and manually restart suricata and all worked great.

"Ruleset has errors: is Suricata in the binary path of Scirius?" What do you mean? how can I check this?

Use SSL with elasticsearch

I've got this red "Unable to get data from Elasticsearch" message again… I'm using Apache as reverse proxy with ssl between elasticsearch and kibana 4: so the reverse proxy accepts the incoming Elasticsearch requests on port 443 (https) and pushes them to Elasticsearch on port 9200, which is what Elasticsearch is expecting. Part of kibana httpd-vhost:

ProxyRequests off
ProxyPass /elasticsearch/ http://127.0.0.1:9200/

 <Location /elasticsearch/>
  ProxyPassReverse /
  SSLRequireSSL
 </Location>

in kibana configuration I've changed:
kibana.elasticsearch_url = kibana.elasticsearch_url || 'http://localhost:9200';
to
kibana.elasticsearch_url = kibana.elasticsearch_url || 'https://0.0.0.0/elasticsearch';
So now all data from E goes to K4 through SSL tunnel (I believe LOL)

I've tried (in local_settings.py): httpS://0.0.0.0/elasticsearch/ - but Scirius doesn't want to connect through https…

It would be great to add the possibility of SSL to scirius as another layer of security…

'ascii' codec can't encode character

Hello,

I ran into an error when I wanted to name my ruleset with letters that are not usual English characters, e.g.: "Jeux de règles".

Since there is no way to rename a ruleset (maybe it's an idea :p), deleting it and creating a new ruleset without any "exotic" characters works.

This error happened when I wanted to build rules for Suricata.

UnicodeEncodeError at /suricata/update

'ascii' codec can't encode character u'\xe8' in position 53: ordinal not in range(128)

Request Method:     POST
Request URL:    http://172.16.20.170:8000/suricata/update
Django Version:     1.8
Exception Type:     UnicodeEncodeError
Exception Value:    

'ascii' codec can't encode character u'\xe8' in position 53: ordinal not in range(128)

Exception Location:     /opt/scirius/suricata/models.py in generate, line 55
Python Executable:  /usr/bin/python
Python Version:     2.7.9
Python Path:    

['/usr/local/lib/python2.7/dist-packages/git/ext/gitdb',
 '/opt/scirius',
 '/usr/local/lib/python2.7/dist-packages/pip-7.1.2-py2.7.egg',
 '/usr/lib/python2.7',
 '/usr/lib/python2.7/plat-x86_64-linux-gnu',
 '/usr/lib/python2.7/lib-tk',
 '/usr/lib/python2.7/lib-old',
 '/usr/lib/python2.7/lib-dynload',
 '/usr/local/lib/python2.7/dist-packages',
 '/usr/lib/python2.7/dist-packages',
 '/usr/lib/pymodules/python2.7',
 '/usr/local/lib/python2.7/dist-packages/gitdb/ext/smmap']


Unicode error hint
The string that could not be encoded/decoded was: de règle s

Django seems to use UTF-8, so I don't know why. I didn't dig deeper.

This is my first bug report, please tell me if there is a need for more information.

gitpython dependency not currently installable

Hi,

I'm doing a clean install from git in a python 2.7 virtualenv on Debian 7.6 and, after troubleshooting rules/models.py errors a bit, figured out that the version of gitpython I installed using pip was incorrect.

pip install gitpython==0.3.1-beta2 worked.

Warnings when starting server (On OS X)

Hi again!
First - I really love this scirius project and want it to work as smooth as possible... Thank you for it!

Second:
When I start the server on OS X 10.10.4 Yosemite I get these warnings in the shell:

$ python /usr/local/var/www/scirius/manage.py runserver
/usr/local/lib/python2.7/site-packages/django_tables2/tables.py:175: RemovedInDjango19Warning: SortedDict is deprecated and will be removed in Django 1.9.
  attrs["base_columns"] = SortedDict(parent_columns)

/usr/local/lib/python2.7/site-packages/django_tables2/tables.py:197: RemovedInDjango19Warning: SortedDict is deprecated and will be removed in Django 1.9.
  attrs["base_columns"].update(SortedDict(cols))

/usr/local/lib/python2.7/site-packages/django_tables2/tables.py:175: RemovedInDjango19Warning: SortedDict is deprecated and will be removed in Django 1.9.
  attrs["base_columns"] = SortedDict(parent_columns)

/usr/local/lib/python2.7/site-packages/django_tables2/tables.py:197: RemovedInDjango19Warning: SortedDict is deprecated and will be removed in Django 1.9.
  attrs["base_columns"].update(SortedDict(cols))

Performing system checks...

System check identified some issues:

WARNINGS:
rules.Category.created_date: (fields.W161) Fixed default value provided.
    HINT: It seems you set a fixed date / time / datetime value as default for this field. This may not be what you want. If you want to have the current date as default, use `django.utils.timezone.now`
rules.SourceAtVersion.updated_date: (fields.W161) Fixed default value provided.
    HINT: It seems you set a fixed date / time / datetime value as default for this field. This may not be what you want. If you want to have the current date as default, use `django.utils.timezone.now`
rules.SourceUpdate.created_date: (fields.W161) Fixed default value provided.
    HINT: It seems you set a fixed date / time / datetime value as default for this field. This may not be what you want. If you want to have the current date as default, use `django.utils.timezone.now`

System check identified 3 issues (0 silenced).
July 07, 2015 - 02:50:30
Django version 1.8.2, using settings 'scirius.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

How to address these issues? Any ideas why am I getting them? Thank you!

Scheduling source updates

Hi,
It'd be nice to have scheduling built in for updating the rules from the source and then, if the rules update, trigger an update of the ruleset and reload Suricata.

Thanks!

failed to add suricata

After attempting to add suricata in appropriate tab I got
'NoneType' object has no attribute 'suppressed_rules'
error.
Note: this error is persistent - I receive it every time I switch to suricata tab so there's no way to change configuration except for removing and regenerating configuration.

Custom rules not taken into account

Hello,

I am new to scirius and I am trying to see my first alert, without any success.
Here is my rule:

alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;)

If I issue this command:
cat /etc/suricata/rules/scirius.rules | grep "Test dns_query option"

I do find the alert:
alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;)

But, if I do some DNS traffic (ping google or browse to the website), I do not see any alerts... I see the traffic in the eve file (that is a good thing, isn't it?). How could I troubleshoot the problem?

Thank you very much!

No Suricata events in Scirius

Hi,

I did reset my SELKS dataset as instructed in a different issue from this forum.
Since I have done that, I can see new events in Kibana, but none in Scirius!

How can I troubleshoot this?

Thanks.
B.

failed to add rules

After attempting to add rules I've got undescriptive "This field is required." error although the only field I can see is "Name" and it is filled.

Note: it might be related to #2

Can't update suricata ruleset

Hi!
Today I tried to update my ruleset which consists of Community+VRT+ETO+SSLBL_Abuse.ch rules...
I went to the Suricata tab, selected Update, pressed Apply and got this 502 error:

[screenshot]

not sure if it's connected to the problem but when I go to Rulesets tab and click on my actual ruleset, I see this at the bottom:

[screenshot]

What does that mean and why can't I update my rules?

Adding User generates an error

Hi,

Just tried to add a user to Scirius: Manage Account -> Add
Username: Report
Password: Password

And I get the following error:

IntegrityError at /accounts/manage/add

NOT NULL constraint failed: auth_user.last_login

Request Method: POST
Request URL: https://192.168.1.183/accounts/manage/add
Django Version: 1.8.3
Exception Type: IntegrityError
Exception Value:

NOT NULL constraint failed: auth_user.last_login

Exception Location: /usr/local/lib/python2.7/dist-packages/django/db/backends/sqlite3/base.py in execute, line 318
Python Executable: /usr/bin/python
Python Version: 2.7.9
Python Path:

['/usr/local/lib/python2.7/dist-packages/git/ext/gitdb',
'/opt/selks/scirius',
'/usr/lib/python2.7',
'/usr/lib/python2.7/plat-x86_64-linux-gnu',
'/usr/lib/python2.7/lib-tk',
'/usr/lib/python2.7/lib-old',
'/usr/lib/python2.7/lib-dynload',
'/usr/local/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages/gtk-2.0',
'/usr/lib/pymodules/python2.7',
'/usr/local/lib/python2.7/dist-packages/gitdb/ext/smmap']

Server time: Mon, 27 Jul 2015 15:08:44 +0000

Rules Management by Group

The features required:
(1) A group of sid can be changed from "alert" to "drop" by title, such as "ET MALWARE" or vice versa;
(2) A group of sid can be disabled from "alert" to "#alert" by title, such as "ET MALWARE" or vice versa;
(3) A group of sid can be changed from "alert/#alert" to "drop" by mean of regular expression, such as pcre:Amplification.
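Group transformations of this kind, as an added example that is not Scirius's code: for every rule whose msg title begins with a given prefix such as "ET MALWARE", or whose text matches a regular expression, the action is rewritten (alert to drop or back) and/or the rule is commented out or re-enabled, without touching the rest of the line. The rule lines use constructed bodies and a local sid range (9000001 and up); title_is, matches, transform and apply_group are this example's names.

```python
import re

ACTION_RE = re.compile(r"^(#\s*)?(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)(?=\s)")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')

# Constructed rules: ET-style titles, invented bodies, local sid range.
RULES = [
    'alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE beacon over DNS (constructed)"; sid:9000001; rev:1;)',
    '# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE checkin (constructed)"; sid:9000002; rev:1;)',
    'alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DOS DNS Amplification Attempt (constructed)"; sid:9000003; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY cloud sync (constructed)"; sid:9000004; rev:1;)',
]


def title_is(prefix):
    """Selector: the rule's msg starts with prefix, e.g. 'ET MALWARE'."""
    def select(rule):
        m = MSG_RE.search(rule)
        return m is not None and m.group(1).startswith(prefix)
    return select


def matches(pattern):
    """Selector: the whole rule text matches a regular expression."""
    compiled = re.compile(pattern)
    return lambda rule: compiled.search(rule) is not None


def transform(rule, action=None, enabled=None):
    """Rewrite one rule line: set its action and/or comment it out / restore it.

    action=None keeps the current action; enabled=None keeps the current state.
    Lines that do not start with a (possibly commented) action are returned as is.
    """
    m = ACTION_RE.match(rule)
    if m is None:
        return rule
    currently_enabled = m.group(1) is None
    want_enabled = currently_enabled if enabled is None else enabled
    new_action = action or m.group(2)
    return ("" if want_enabled else "# ") + new_action + rule[m.end(2):]


def apply_group(rules, selector, action=None, enabled=None):
    """Apply transform() to every rule accepted by selector; others pass through."""
    return [transform(r, action, enabled) if selector(r) else r for r in rules]


if __name__ == "__main__":
    for r in apply_group(RULES, title_is("ET MALWARE"), action="drop"):
        print(r)
    for r in apply_group(RULES, matches(r"Amplification"), action="drop", enabled=True):
        print(r)
```

Because the selector and the rewrite are separate, the same apply_group() serves all three requests: a title prefix or a regex on one side, an action change or an enable/disable on the other.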

updating and pushing requires logstash restart

When running on SELKS - updating and pushing new rulesets or editions of the rulesets, Scirius restarts Suricata as well.

Thereafter it is required that Logstash is restarted so that the events can start populating the Kibana interface again.

update, push - Suricata tab menu in Scirius

I had the following case reproducible.
When using the update with all options selected under the "Suricata" menu tab in Scirius - the web page times out after 20-30 sec or so.

The update works fine, it is just that the page times out and gives the false impression that something is wrong

Support signature without rev

It is not mandatory for signature to have revision even if it is highly recommended. So we should support it and not ignore the rules as it is currently the case.
