security talk & philosophizing



Tag: suricata

  • Crontab & Suricata Updates

    From time to time, the Suricata rules you enable will have updates. It’s important to keep Suricata updated with these changes, so the IDS is current with attack vectors. As with antivirus, you want to stay up to date with the IDS rules. Normally you would update the rules with a command like: It’s unreasonable…

  • Detecting Reverse Shells

    The following rules might be useful in detecting reverse shells with Suricata: This rule will alert on incoming TCP traffic from external networks to your internal network containing the string “bash -i >& /dev/tcp/”, which is a common reverse shell. Variations can be implemented, such as /bin/sh or other ideas on passing a shell. Note…

  • Creating a High Severity Suricata Dashboard in ELK

    Once you have your ElasticSearch server running with Kibana, and it’s being fed data from Suricata installs via Filebeat, you can view the data coming in through some default dashboards. Filebeat has two default Suricata dashboards, one for alerts and one for events. I like the default Filebeat Suricata dashboards, except that the Alert one…

  • Suricata + ELK [Installation]

    Technically, this install should be described as: Suricata / Filebeat + ElasticSearch / Kibana, but it makes for a poor headline. Architecture: In a multi-Suricata server environment, the ElasticSearch server is paired with the Kibana GUI. Individual Suricata installs are set up with Filebeat agents at separate points in the network(s). Filebeat sends each Suricata machine’s log data…
