Presenting Suricata results in Kibana.


fadi abusafat

Jun 25, 2019, 9:14:03 AM
to SELKS
Hi. 

I hope you are well.

I would like to ask for a small help, please.

I analysed a Pcap file through the Suricata command line and it works well, but when I tried to see the details through Kibana it does not work. For example, I designed visualizations based on SN-Alert details, SN-Alert count and SN-Alerts Severity, but none of them have data. It looks like Kibana does not read from Suricata.

Please, could anyone help me with this issue.

Thank you so much. 

Many Thanks. 

Fadi !!!!

Peter Manev

Jun 25, 2019, 9:21:59 AM
to fadi abusafat, SELKS
Seems a double post question - I suggested a way - not sure if you received the mail or were successful in trying it out?

> Many Thanks.
>
> Fadi !!!!
>
> --
> IRC: Let's talk about SELKS on Freenode IRC on the #SELKS channel
> Wiki: https://github.com/StamusNetworks/SELKS/wiki
> GitHub: https://github.com/StamusNetworks/SELKS
> Blog: https://www.stamus-networks.com/theblog/
> Twitter: @StamusN
> g+: Stamus Networks
> ---
> You received this message because you are subscribed to the Google Groups "SELKS" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to selks+un...@googlegroups.com.
> To post to this group, send email to se...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/selks/33292232-2f04-4093-a730-f99b200999c4%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



--
Regards,
Peter Manev

fadi abusafat

Jun 25, 2019, 10:44:56 AM
to SELKS
Well. 

It is not a double post question. My main idea is that the analysed Pcap is not being presented by Kibana. I only explained it, and I am looking to connect Suricata with Kibana.



Peter Manev

Jun 25, 2019, 11:21:02 AM
to fadi abusafat, SELKS


What are the timestamps in the pcap?

Thank you

fadi abusafat

Jun 25, 2019, 11:33:41 AM
to SELKS
The timestamp is 2017-07-05 07:42:42. I already included a print screen of the whole Pcap file and I set the timestamp as it is in the Pcap details. But even after I updated the timestamp in Kibana it does not work. It looks like it does not read Suricata, or the Suricata results are not being presented through Kibana.
Pcap_Details.PNG

Peter Manev

unread,
Jun 25, 2019, 11:52:26 AM6/25/19
to fadi abusafat, SELKS

What is the output of
ls -lh /var/log/suricata/eve.json
?

Also, would any of the dashboards show anything if you choose a time span of 5 years?

Thanks

fadi abusafat

Jun 26, 2019, 5:24:09 AM
to SELKS
Hi. 

Eve.json works well and it has the analysis results of the Pcap file, but they are not presented in the Kibana dashboards despite my fixing the timestamp as it is in the Eve.json file.

This is a print screen of it.

It looks like the Kibana dashboard does not read, or is not connected to, the Eve.json file.
Eve_json_output.PNG

fadi abusafat

Jun 26, 2019, 6:36:49 AM
to SELKS
Excuse me. 

It looks like the problem is not in Kibana, because when I set the date as it is in eve.json it was working; the problem is in Suricata, because it does not read the real date when the Pcap file was generated.

For example, I used a sample Pcap file known as Maccada which was generated in 2012, but the result of the analysis in the Eve.json file is 2019. Therefore, Suricata does not analyse the real date of the Pcap file.

Excuse me, do you have an idea how to figure out this issue?

Thank you so much. 

Peter Manev

Jun 26, 2019, 7:36:55 AM
to fadi abusafat, SELKS
Hi,

I think we are possibly starting to confuse things.
In SELKS Suricata is up and running by default - so even if you read the pcap it will still generate events from what it reads on the sniffing interface.

To make sure that is not the case you can search for the date of the pcap in eve.json and confirm those are there - you can even try triaging the IPs. Once you confirm the events from the pcap are there, I need the output (as I previously mentioned) of:
ls -lh /var/log/suricata/

Also, can you please share a screenshot of the dashboards when you adjust the time according to the pcap's time?


It seems in one email you refer to a pcap with a date from 2012 and in another from 2017 - can we lock on one for the purpose of testing :)


Thank you 
-- 
Regards,
Peter Manev 

fadi abusafat

Jun 26, 2019, 9:02:17 AM
to SELKS
Dear Peter, 

I will clarify my case well because it looks like there is a misunderstanding.

My idea is:

There is confusion in presenting the results of the Pcap file. I checked the date of the first and last packet using the TCPDUMP command and it shows the time was in 2012.

However, there is no data presented when I browse the results in Kibana with the date set to 2012.

I checked the Eve.json file and I found the date is the current date, which is 2019, and when I filter results based on this date, data is presented in Kibana. Therefore, the problem is not in Kibana; the problem is in Suricata, because it does not read the time of the first and last packet correctly.

Please, could you write to me in case my idea is not clear.


Thank you so much. 

Many Thanks. 

I appreciate your help, Mr Peter.

Fadi !!!!
TimeStamp Problem into Suricata 5..PNG

Alexander Nedelchev

Jun 26, 2019, 9:14:04 AM
to SELKS
Hello,

I think what Peter was trying to say is: those current events (2019 as you call them) are probably captured by suricata that is sniffing on the net interface rather than being those from the pcap.

My idea is that the pcap is probably not processed by suricata at all. Can you check the size of eve.json before and after you process the pcap?

Good luck.  

Peter Manev

Jun 26, 2019, 9:19:08 AM
to Alexander Nedelchev, SELKS


On 26 Jun 2019, at 16:14, Alexander Nedelchev <sa...@stamus-networks.com> wrote:

> Hello,
>
> I think what Peter was trying to say is: those current events (2019 as you call them) are probably captured by suricata that is sniffing on the net interface rather than being those from the pcap.

Yes, correct - sorry

> My idea is that the pcap is probably not processed by suricata at all. Can you check the size of eve.json before and after you process the pcap?

Also check the permissions of

ls -lh /var/log/suricata/eve.json

(It's the third request :) I am doing :) )
The permissions should be for the user logstash.
Also check, as Alex mentions: are the events from 2012 in the eve.json file?

Thank you

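The check that Peter and Alex ask for in the messages above (are the pcap's events actually in eve.json, or only events Suricata sniffed live on the interface, and is the file owned by the logstash user?) can be scripted. The following is an added example written for this thread; it is not code from SELKS, Suricata or either poster. It reads eve.json lines, parses Suricata's timestamp format, splits the events into those inside the pcap's capture window (the first and last packet times you get from tcpdump) and those outside it, summarises event types per year, lists the IPs of the in-window events for triage, and reports a file's owner. The sample eve.json lines, the IP addresses and the 2012 capture window are constructed for the demonstration; the `/var/log/suricata/eve.json` path is the one named in the thread.

```python
"""Check whether a Suricata eve.json holds events from a pcap's time window.

Added example for this thread; not SELKS or Suricata code. The sample
records and the 2012 capture window below are constructed.
"""
import json
import os
import pwd
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed eve.json lines (not taken from the thread): two events carry the
# pcap's 2012 timestamps, two carry "now" timestamps such as live sniffing on
# the SELKS interface would produce, and one truncated line mimics a record
# that was still being written when the file was read.
SAMPLE_EVE = """\
{"timestamp":"2012-03-16T12:30:01.000000+0000","event_type":"alert","src_ip":"192.168.202.79","dest_ip":"192.168.229.251","alert":{"severity":2,"signature":"constructed test alert"}}
{"timestamp":"2012-03-16T12:30:05.000000+0000","event_type":"flow","src_ip":"192.168.202.79","dest_ip":"192.168.229.251"}
{"timestamp":"2019-06-26T13:02:17.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1"}
{"timestamp":"2019-06-26T13:02:18.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","alert":{"severity":3,"signature":"constructed test alert"}}
{"timestamp":"2019-06-26T13:02:19.0
"""


def parse_timestamp(value):
    """Parse Suricata's eve.json timestamp, e.g. 2012-03-16T12:30:01.000000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def load_events(eve_text):
    """Return (timestamp, event_type, record) for each well-formed JSON line; skip the rest."""
    events = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
            ts = parse_timestamp(record["timestamp"])
        except (ValueError, KeyError):
            continue  # truncated or non-JSON line: ignore rather than abort
        events.append((ts, record.get("event_type", "unknown"), record))
    return events


def events_by_year(events):
    """Count event types per calendar year: pcap-replay years vs. live-sniffing years."""
    per_year = defaultdict(Counter)
    for ts, event_type, _ in events:
        per_year[ts.year][event_type] += 1
    return {year: dict(counter) for year, counter in per_year.items()}


def diagnose(eve_text, pcap_first, pcap_last):
    """Split eve.json events into those inside the pcap's capture window and those outside it."""
    events = load_events(eve_text)
    inside = [e for e in events if pcap_first <= e[0] <= pcap_last]
    outside = [e for e in events if not (pcap_first <= e[0] <= pcap_last)]
    # IPs seen in the in-window events, the ones worth triaging first
    ips = {e[2].get("src_ip") for e in inside} | {e[2].get("dest_ip") for e in inside}
    return {
        "in_window": len(inside),
        "outside_window": len(outside),
        "per_year": events_by_year(events),
        "window_ips": sorted(ip for ip in ips if ip),
    }


def file_owner(path):
    """Owning user of a file, to compare eve.json's owner with the logstash user."""
    return pwd.getpwuid(os.stat(path).st_uid).pw_name


if __name__ == "__main__":
    first = datetime(2012, 3, 16, tzinfo=timezone.utc)  # first packet time from tcpdump (constructed)
    last = datetime(2012, 3, 17, tzinfo=timezone.utc)   # last packet time (constructed)
    report = diagnose(SAMPLE_EVE, first, last)
    print(f"events inside pcap window : {report['in_window']}")
    print(f"events outside pcap window: {report['outside_window']}")
    for year, counts in sorted(report["per_year"].items()):
        print(f"  {year}: {counts}")
    print("IPs to triage:", ", ".join(report["window_ips"]))
    if report["in_window"] == 0:
        print("No events in the pcap window: the pcap was probably not processed, "
              "and what Kibana shows is live-sniffed traffic.")
```

To run it against the real file, pass `open("/var/log/suricata/eve.json").read()` to `diagnose` with the window taken from tcpdump, and compare `file_owner("/var/log/suricata/eve.json")` with `"logstash"`. Reading the pcap with Suricata's `-r` option into a separate log directory via `-l` keeps the replayed events apart from the live-sniffed ones, which makes the size-before/size-after comparison Alex suggests unambiguous.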