Tag: suricata
-
Crontab & Suricata Updates
From time to time, the Suricata rules you enable will have updates. It’s important to keep Suricata updated with these changes, so the IDS is current with attack vectors. As with antivirus, you want to stay up to date with the IDS rules. Normally you would update the rules with a command like: It’s unreasonable…
-
Detecting Reverse Shells
The following rules might be useful in detecting reverse shells with Suricata: This rule will alert on incoming TCP traffic from external networks to your internal network containing the string “bash -i >& /dev/tcp/”, which is a common reverse shell. Variations can be implemented, such as /bin/sh or other ideas on passing a shell. Note…
-
Creating a High Severity Suricata Dashboard in ELK
Once you have your ElasticSearch server running with Kibana, and it’s being fed data from Suricata installs via Filebeat, you can view the data coming in through some default dashboards. Filebeat has two Suricata default dashboards, one for alerts and one for events. I like the default Filebeat Suricata dashboards, except that the Alert one…
-
Suricata + ELK [Installation]
Technically, this install should be described as: Suricata / Filebeat + ElasticSearch/Kibana, but it makes for a poor headline. Architecture: In a multi-Suricata server environment, the ElasticSearch server is paired with the Kibana GUI. Individual Suricata installs are set up with Filebeat agents on separate points in the network(s). Filebeat sends each Suricata machine’s log data…