security talk & philosophizing
Category: Defensive Security

  • OpenCTI: A Brief Intro

    Another security tool I recently came across is OpenCTI. OpenCTI is a Cyber Threat Intelligence platform: it crowdsources data from various partners and visualizes the dynamically changing relationships between these security events. Your own data can be pulled in as well, to find interconnections with data reported from a variety…

  • ELK Migration Woes: PUT values without Kibana

    I’ve been upgrading my home ELK stack from 7.17.* to 8.7.*. In the process I got to a state where Elasticsearch was running and Filebeat was running, but Kibana was failing. Running systemctl status kibana reported something about cluster.routing.allocation.enable needing to be set to 'All'. Looking this up got me to this ElasticSearch…

  • Timeline Dashboard in Kibana for IDS

    The dashboard discussed in this project is created with Kibana and is suitable for an IDS feed like Suricata, shipped via Filebeat or Logstash. For more information on setting up Suricata as an IDS with ELK (ElasticSearch, Kibana, Logstash, Filebeat), see MY OTHER ARTICLE [LINK]. Dashboard Goal: In this article I want to do a quick…

  • Crontab & Suricata Updates

    From time to time, the Suricata rules you enable will have updates. It’s important to keep Suricata updated with these changes so the IDS is current with attack vectors. As with antivirus, you want to stay up to date with the IDS rules. Normally you would update the rules with a command like: It’s unreasonable…

  • Detecting Reverse Shells

    The following rules might be useful in detecting reverse shells with Suricata: This rule will alert on incoming TCP traffic from external networks to your internal network containing the string “bash -i >& /dev/tcp/”, which is a common reverse shell. Variations can be implemented, such as /bin/sh or other ideas on passing a shell. Note…

  • Creating a High Severity Suricata Dashboard in ELK

    Once you have your ElasticSearch server running with Kibana, and it’s being fed data from Suricata installs via Filebeat, you can view the incoming data through some default dashboards. Filebeat ships two default Suricata dashboards, one for alerts and one for events. I like the default Filebeat Suricata dashboards, except that the Alert one…

  • Suricata + ELK [Installation]

    Technically, this install should be described as Suricata / Filebeat + ElasticSearch / Kibana, but that makes for a poor headline. Architecture: In a multi-Suricata server environment, the ElasticSearch server is paired with the Kibana GUI. Individual Suricata installs are set up with Filebeat agents at separate points in the network(s). Filebeat sends each Suricata machine’s log data…
