Category: Defensive Security
-
Wazuh: When things go wrong
Wazuh is a great EDR (Endpoint Detection and Response) system. It's free and easy to set up, which I've covered in another post. When things go wrong: you may set up a Wazuh server and forget about it. Or perhaps you've lost track of it and get it back online only to discover the UI isn't loading.…
-
Wazuh Install and Maintenance
To date I've installed Wazuh three different ways. Beyond the core install there is also the email setup and some maintenance elements that must be completed, namely configuring the index lifecycle. Without configuring regular deletion of indices as they reach an age limit, the hard disk will fill up over time. All this will…
-
Security Setup at work, home or to learn
There are a lot of tools for security. Tools that get the most attention are perhaps offensive ones, but defensive tools and skillsets are very much needed. In this article, I wanted to mention the security measures that I would put in place if I were to jump into a team that had little to…
-
EDR [WAZUH]
EDR (Endpoint Detection and Response) is a valuable security layer. While Antivirus protects the system against known threats (in theory), and an IDS (Intrusion Detection System) protects a network against threats, the EDR monitors known endpoints (computer, server, etc.) in a network. The EDR installs an agent on each device in the network and relays…
-
GVM – Package Scanning
According to the GVM documentation, when you set up a scanner you can add credentials and escalated privileges. The purpose of these credentials is to allow administrative/root access to a machine in order to scan the installed packages. Version information for all installed packages is then cross-referenced against known CVEs. The result is a…
-
ElastAlert2 To Process ELK Notifications
Yelp created a repository to aid in the processing of notifications from ELK logs. This repo went dormant, but a fork of it, ElastAlert2, has replaced it. For me, this is personally an amazing application: I can get notifications without having to buy into a commercial license. Setup source: https://elastalert2.readthedocs.io/en/latest/running_elastalert.html#as-a-python-package. It requires Python 3.11+. If…
-
ELK: Creating a HTTP Status Code Graph
Having a graph showing HTTP status codes over time is incredibly useful. A stacked bar graph can show an increase or decrease in one status code (such as the 500 range), which is extremely useful at a glance. Consider the graph depicted at the top of this article. We're going to make that, but we'll need access to…
-
Elastic’s Pricing Problem
I really love Elastic and their product lineup. They have some amazing options, and the fact you can get started for FREE is a very strong plus. As a SIEM, the ELK stack (Elasticsearch, Logstash, Kibana) is snappy, responsive, and consistent. Once I set up the index rotation I never have a problem with stability. But…
-
OSINT Toolkit
Developer dev-lu has created a web application called the "OSINT Toolkit." While I feel the name is a mismatch to its functionality, this is still a very useful little application. With a tiny modification to the docker-compose.yml, it can be stood up on a server and used to investigate potential threats. It's also very lightweight.…
-
Elastic: Managing Memory
When I first stood up ELK on my home server, and later at the office on a VM, the impact of memory didn't dawn on me. While my work situation needed more memory for more processing, my home environment was getting pummeled by the 50% memory consumption. According to Elastic documentation, their use of…