ELK with snort


Sam Asselborn

May 9, 2018, 5:07:25 AM
to security-onion
Hi team,
I got a question concerning the configuration of ELK combined with Snort.
Since I installed ELK I recognized that Kibana is not showing any alerts of my Snort in the beginning. Have you documented a step-by-step guide explaining how to see the Snort alerts in Kibana, because this doesn't seem to work out of the box?

I built a distributed deployment with the forward nodes.
I also opened up the port 6050 to receive the alerts from the sensors' syslog-ng.

Thank you for your good and fast answers.

Neeraj Shah

May 9, 2018, 1:46:47 PM
to security-onion
I am in the same boat as you, trying to figure this out. What I have seen is, some of the alerts (not all) are visible by clicking on "NIDS" in the main dashboard homepage of Kibana. However, not all of the alerts that you see in the SQUERT UI show up under Kibana.

Wes Lambert

May 10, 2018, 6:59:10 AM
to securit...@googlegroups.com
Sam,

Do you notice any other logs in Kibana?  Have you checked /var/log/logstash/logstash.log for clues?

Please provide the output of sostat redacted, attaching as a plain text file, or using a service like Pastebin.com.

Thanks,
Wes

On Wed, May 9, 2018 at 1:46 PM, Neeraj Shah <neeraj...@gmail.com> wrote:
I am in the same boat as you, trying to figure this out. What I have seen is, some of the alerts (not all) are visible by clicking on "NIDS" in the main dashboard homepage of Kibana. However, not all of the alerts that you see in the SQUERT UI show up under Kibana.

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.


Kevin Branch

May 10, 2018, 12:23:44 PM
to securit...@googlegroups.com
Note that Squert can also display OSSEC and Bro alerts if those agents are configured, in addition to NIDS events.  I would not expect "NIDS" in the main dashboard homepage of Kibana to show anything but Snort/Suricata events.

Kevin

On Wed, May 9, 2018 at 1:46 PM, Neeraj Shah <neeraj...@gmail.com> wrote:
I am in the same boat as you, trying to figure this out. What I have seen is, some of the alerts (not all) are visible by clicking on "NIDS" in the main dashboard homepage of Kibana. However, not all of the alerts that you see in the SQUERT UI show up under Kibana.

Sam Asselborn

May 11, 2018, 4:36:08 AM
to security-onion
On Thursday, 10 May 2018 12:59:10 UTC+2, Wes wrote:
> Sam,
>
>
> Do you notice any other logs in Kibana?  Have you checked /var/log/logstash/logstash.log for clues?
>
>
> Please provide the output of sostat redacted, attaching as a plain text file, or using a service like Pastebin.com.
>
>
> Thanks,
> Wes
>
>
> On Wed, May 9, 2018 at 1:46 PM, Neeraj Shah <neeraj...@gmail.com> wrote:
> I am in the same boat as you, trying to figure this out. What I have seen is, some of the alerts (not all) are visible by clicking on "NIDS" in the main dashboard homepage of Kibana. However, not all of the alerts that you see in the SQUERT UI show up under Kibana.
Hello Wes,
Since I wasn't at the office yesterday and did no manipulations before that, I am wondering why my Kibana is showing one sensor now... Don't ask me why..:) I'm asking myself right now why just one of my two sensors is showing up... Could it be an autossh tunnel problem? Since I work with Forward Nodes, syslog-ng logs should be forwarded to the Logstash on the Server side..

I just changed one thing in the barnyard2.conf. I commented this line out:
output alert_syslog: LOG_AUTH LOG_INFO

So barnyard is sending the alerts to syslog-ng so that Logstash can receive these logs. Why isn't that configured by default when I configure my sensor as a forward node?

Thank you in advance
SAM


Sam Asselborn

May 11, 2018, 4:39:04 AM
to security-onion
sudo sostat-redacted
https://pastebin.com/vqkdCA6N

Bryant Treacle

May 11, 2018, 6:07:59 AM
to security-onion
Have you modified the visualization and increased the number of results it will return? Most of the visualizations come out of the box with only a few results (I think 5ish).

Wes Lambert

May 11, 2018, 3:10:10 PM
to securit...@googlegroups.com
Sam,

That is not part of the typical barnyard2 config.  Have you checked to see if your autossh tunnel is up?

(sensor) pgrep autossh
(master) netstat -an | grep :22

Is syslog-ng running on the forward node?

sudo service syslog-ng status

Thanks,
Wes


On Thu, May 10, 2018 at 8:21 PM, Bryant Treacle <treacle...@gmail.com> wrote:
Have you modified the visualization and increased the number of results it will return? Most of the visualizations come out of the box with only a few results (I think 5ish).

Dustin Lee

May 11, 2018, 5:28:32 PM
to security-onion
On Friday, May 11, 2018 at 3:10:10 PM UTC-4, Wes wrote:
> Sam,
>
>
> That is not part of the typical barnyard2 config.  Have you checked to see if your autossh tunnel is up?
>
>
> (sensor) pgrep autossh
> (master) netstat -an | grep :22
>
>
> Is syslog-ng running on the forward node?
>
>
> sudo service syslog-ng status
>
>
> Thanks,
> Wes
>
> On Thu, May 10, 2018 at 8:21 PM, Bryant Treacle <treacle...@gmail.com> wrote:
> Have you modified the visualization and increased the number of results it will return? Most of the visualizations come out of the box with only a few results (I think 5ish).
Sam and Wes,

I'm unsure if this has anything to do with your specific issue, but I did notice today that if you perform a "Custom Install" of the forwarder and omit the ElasticStack, the AUTOSSH_OPTIONS variable is not placed in /root/.ssh/securityonion_ssh.conf for the autossh tunnel. This is due to the "Configure Elastic" conditional on line 1847 in /usr/sbin/sosetup not honoring the FORWARD value (yes or no) and configuring autossh unless ELASTIC is set to yes. Hope it helps.

Dustin

Wes Lambert

May 11, 2018, 5:53:07 PM
to securit...@googlegroups.com
Hi Dustin,

I'm not sure if this is related to this particular issue, but I'll definitely take a look and see if I can replicate this behavior.

Thanks!
Wes


Dustin Lee

May 11, 2018, 7:17:10 PM
to security-onion
Wes,

Not a problem! My quick fix was to adjust the line slightly to '[ ELASTIC = "yes" ] || [ FORWARD="yes" ]' since there is nothing I could find that impacted the rest of the setup beyond the LOG_SIZE_LIMIT portion which doesn't matter to me. While I was at it, I also added 'FORWARD="no"' to the initial vars and 'echo "FORWARD=$FORWARD" >> $WRITEANSWERFILE' in the save function to round it out.

Apologies for the hijack! Good luck, Sam. Hope everyone has a great weekend!

Dustin
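
The conditional Dustin describes, as an added example that is not code from sosetup or from Dustin's patch: the "configure autossh" decision isolated into a function of the ELASTIC and FORWARD answers, written with the variables expanded (`"$ELASTIC"`, `"$FORWARD"`), which is what the shell needs in order to compare the answer values rather than the literal names. A second function keeps the bare-name spelling from the post for contrast, and a third reads both answers back out of KEY=value lines such as the `FORWARD=$FORWARD` line his save function appends. The answer-file content is constructed; the FORWARD default of "no" is the one he describes adding to the initial vars.

```sh
#!/bin/sh
# Added example, not code from sosetup. It isolates the "configure autossh"
# decision as a function of the ELASTIC and FORWARD answers, with the
# variables expanded, and reads the two answers back out of answer-file
# lines of the form KEY=value. The answer-file samples are constructed.

# Success (0) when autossh should be configured: the Elastic stack is
# enabled on this box, or the box is a forward node shipping to a master.
autossh_needed() {
    elastic="$1"
    forward="$2"
    [ "$elastic" = "yes" ] || [ "$forward" = "yes" ]
}

# The same test spelled with the bare names instead of the variables, for
# contrast. `[ ELASTIC = "yes" ]` compares the word ELASTIC with yes (never
# true) and `[ FORWARD="yes" ]` is a one-argument test on a non-empty string
# (always true), so this form reports "needed" whatever $1 and $2 hold.
bare_name_form() {
    [ ELASTIC = "yes" ] || [ FORWARD="yes" ]
}

# Print the value of KEY=value (KEY=$1) from answer-file text on stdin,
# with surrounding double quotes stripped.
answer_value() {
    awk -F= -v key="$1" '$1 == key { gsub(/"/, "", $2); print $2; exit }'
}

# Decide from an answer file on stdin; a missing FORWARD line defaults to
# "no", the initial value Dustin describes adding to sosetup's vars.
autossh_needed_from_answers() {
    answers="$(cat)"
    elastic="$(printf '%s\n' "$answers" | answer_value ELASTIC)"
    forward="$(printf '%s\n' "$answers" | answer_value FORWARD)"
    autossh_needed "${elastic:-no}" "${forward:-no}"
}

# Constructed answer-file contents for the self-test.
SAMPLE_FORWARD_ONLY='ELASTIC="no"
FORWARD="yes"'
SAMPLE_NEITHER='ELASTIC="no"'
```

Pipe a real answer file into `autossh_needed_from_answers` and check `$?` to see which way a given install would go; the exit status is the whole result, nothing is printed.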

Wes Lambert

May 14, 2018, 2:26:06 PM
to securit...@googlegroups.com
Hi Dustin,

I've confirmed this issue and have added a fix to an existing PR.  Thanks!

Thanks,
Wes


Sam Asselborn

May 16, 2018, 2:58:38 AM
to security-onion
Hi everybody!

I had a really strange case, which is solved now..

My autossh tunnel was established, but I realized in my securityonion.conf
that no engine was running:

Engine=
This field was empty, also after several sosetups...
So I made a new installation and this solved my problem...
Thanks everybody for your help!
Sam
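
The checks Wes listed earlier in the thread (autossh process on the sensor, SSH sessions on the master, syslog-ng on the forward node) and the empty ENGINE= line Sam found in securityonion.conf, gathered into one script as an added example; this is not Security Onion's own tooling. The netstat output and config snippets in the block are constructed for its self-test; the path /etc/nsm/securityonion.conf and the key spelling ENGINE are assumptions about the "Engine=" line in Sam's post, and port 6050 is the syslog-ng port Sam opened.

```sh
#!/bin/sh
# Added example; not Security Onion's own tooling. It wraps the checks from
# the thread (autossh on the sensor, SSH sessions on the master, syslog-ng
# on the forward node) and the ENGINE= value Sam found empty. The netstat
# and securityonion.conf samples are constructed for the self-test;
# /etc/nsm/securityonion.conf and the key name ENGINE are assumptions.

# Count lines of `netstat -an` output (stdin) whose local address ends in
# :$1 and whose state is $2 (ESTABLISHED, LISTEN, ...). Fields of netstat:
# proto recv-q send-q local foreign state, so $4 is local and $6 is state.
count_state_on() {
    awk -v port="$1" -v state="$2" \
        '$1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 == state { n++ } END { print n + 0 }'
}

# Print the value of KEY=value (KEY=$1) from a shell-style config on stdin;
# prints an empty line when the key is present with no value (Sam's case).
config_value() {
    awk -F= -v key="$1" '$1 == key { v = $2; gsub(/"/, "", v); print v; exit }'
}

# Succeeds only when ENGINE= carries a value (snort, suricata, ...).
engine_is_set() {
    [ -n "$(config_value ENGINE)" ]
}

# Live report; runs only when invoked with --live so the self-test stays offline.
live_report() {
    printf 'autossh processes:           %s\n' "$(pgrep autossh 2>/dev/null | wc -l | tr -d ' ')"
    printf 'ESTABLISHED sessions on :22: %s\n' "$(netstat -an | count_state_on 22 ESTABLISHED)"
    printf 'LISTEN sockets on :6050:     %s\n' "$(netstat -an | count_state_on 6050 LISTEN)"
    printf 'syslog-ng status:            '
    service syslog-ng status 2>&1 | head -n 1
    if engine_is_set < /etc/nsm/securityonion.conf; then
        printf 'ENGINE:                      %s\n' "$(config_value ENGINE < /etc/nsm/securityonion.conf)"
    else
        echo 'ENGINE:                      EMPTY (no IDS engine configured)'
    fi
}

# Constructed samples for the self-test: one listener and two sessions on
# :22, the syslog-ng listener on :6050 with one session.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:22             10.0.0.2:45678          ESTABLISHED
tcp        0      0 10.0.0.1:22             10.0.0.3:50001          ESTABLISHED
tcp        0      0 0.0.0.0:6050            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:6050           10.0.0.2:41000          ESTABLISHED'
SAMPLE_CONF_OK='# constructed
ENGINE=snort'
SAMPLE_CONF_EMPTY='# constructed
ENGINE='

if [ "$1" = "--live" ]; then
    live_report
fi
```

Run it with `--live` on the master to count the sensors' SSH sessions (one forward node missing from Kibana with only one ESTABLISHED :22 session is the tunnel symptom Sam suspected), and on a sensor to check autossh, syslog-ng and the ENGINE value in one pass.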