
ELK Dashboards for Load Balancers
Whether you're using NGINX, HAProxy or something else, ELK can be a useful tool for building a dashboard of the log events from your load balancers. While this post specifically covers load balancers, ELK can be configured for a variety of applications. As long as there are decent data events in the logs, ELK…

Filebeat Custom Field Processing for ELK
I had a recent project at work where I needed to parse a load balancer log. The interesting part of the project was to capture data that was being added to the log. This short post will cover what I did to capture the data and render it in Kibana / ELK. If you have…

SSLSCAN, SSLYZE and IDS
Kali Linux comes with some useful SSL/TLS scanners which can help determine misconfigurations and vulnerabilities. While sslscan does a great job of returning information on which TLS versions and ciphers are accepted (highlighting outdated versions in orange), sslyze provides a bit more detail regarding vulnerabilities. SSLSCAN does provide a…

Timeline Dashboard in Kibana for IDS
The dashboard discussed in this project is created with Kibana and is suitable for an IDS feed like Suricata using Filebeat or Logstash. For more information on setting up Suricata as an IDS with ELK (Elasticsearch, Kibana, Logstash, Filebeat), see MY OTHER ARTICLE [LINK]. In this article I want to do a quick…

Crontab & Suricata Updates
From time to time, the Suricata rules you enable will have updates. It's important to keep Suricata updated with these changes so the IDS stays current with attack vectors. As with antivirus, you want to stay up to date with the IDS rules. Normally you would update the rules with a command like: It's unreasonable…

Detecting Reverse Shells
The following rules might be useful in detecting reverse shells with Suricata: This rule will alert on incoming TCP traffic from external networks to your internal network containing the string "bash -i >& /dev/tcp/", which is a common reverse shell. Variations can be implemented, such as /bin/sh or other ways of passing a shell. Note…

Human Logic
On a personal level I highly value critical and logical thinking in all interactions, and while I may not be a grand example of this, it is my overarching goal. In this article I wanted to ponder and discuss the qualities of logic that are often missed when people raise opinions. Most often, logical errors…

OWASP ZAP: Be Mindful of DOM Level XSS
In testing some internal projects I came across a problem with ZAP where it ran off the rails, so to speak. While I had given ZAP a specific target, when it reached the Active Scan portion it started hitting other servers in the system that were not in scope. The test was kicked off using ZAP 2.12's…

Creating a High Severity Suricata Dashboard in ELK
Once you have your Elasticsearch server running with Kibana, and it's being fed data from Suricata installs via Filebeat, you can view the incoming data through some default dashboards. Filebeat has two default Suricata dashboards, one for alerts and one for events. I like the default Filebeat Suricata dashboards, except that the Alert one…
![Suricata + ELK [Installation]](https://ffe4.org/wp-content/uploads/2023/01/suricata.png)
Suricata + ELK [Installation]
Technically, this install should be described as Suricata / Filebeat + Elasticsearch / Kibana, but that makes for a poor headline. In a multi-Suricata server environment, the Elasticsearch server is paired with the Kibana GUI. Individual Suricata installs are set up with Filebeat agents at separate points in the network(s). Filebeat sends each Suricata machine's log data…