Suricata Threat Hunting Dashboard stopped reporting


Tim Guy

Jun 22, 2023, 9:19:18 AM6/22/23
to SELKS
Hi

It's most likely that the best way to resolve this would be to reinstall SELKS, but I am trying to find out why it's stopped reporting.

I am sending data to SELKS from a Mikrotik router to eve.json. The eve.json is still taking on data, but it's not coming through the dashboard.

Is there anything obvious I can look at to see why it's not working anymore?

Tim

Peter Manev

Jun 22, 2023, 9:54:17 AM6/22/23
to Tim Guy, SELKS
Hi,

It does not seem that you should need a reinstallation, but let's check a few things.
The Hunting dashboard displays only the Suricata alerts with their correlated network protocol, flow, anomaly and file transaction logs. It does not, however, display the rest of the NSM data.
If you open Kibana, for example the SN-DNS or the SN-FLOW dashboards, would you see logs?

Thank you



--
Regards,
Peter Manev

Tim Guy

Jun 22, 2023, 10:36:52 AM6/22/23
to Peter Manev, SELKS
Ahhhhh, yes, there is recent data in those Kibana dashboards.

Tim

timg...@gmail.com

Jun 24, 2023, 5:40:22 AM6/24/23
to Peter Manev, SELKS

Hi Peter

Well, I still can't find out how to reset it. Everything's coming into Kibana, but nothing is coming up on the Hunt pages, which as a knock-on means my Mikrotik isn't getting the block alerts.

Any suggestions?

Tim

Peter Manev

Jun 24, 2023, 7:25:35 AM6/24/23
to timg...@gmail.com, SELKS
Hi,

This means that for some reason there are no alerts generated, but the rest of the network logs are there.
I would suggest starting by looking at suricata.log to see if there are any errors.

Thank you 

-- 
Regards,
Peter Manev 

On 24 Jun 2023, at 12:40, timg...@gmail.com wrote:
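As an added diagnostic for the situation above (my own script, not part of SELKS or this thread): it reads eve.json as NDJSON, counts events per event_type, and reports whether any alert is recent, which separates "NSM logs flow but no alerts" from "nothing arriving at all". The sample lines, the NOW reference time and the 24-hour window are constructed assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample eve.json (NDJSON); NSM records are current, the only
# alert is days old, and the last line was cut mid-write.
SAMPLE_EVE = """\
{"timestamp":"2023-06-24T10:00:01.000000+0000","event_type":"flow","proto":"TCP"}
{"timestamp":"2023-06-24T10:00:02.000000+0000","event_type":"dns","proto":"UDP"}
{"timestamp":"2023-06-24T10:00:03.000000+0000","event_type":"http","proto":"TCP"}
{"timestamp":"2023-06-20T08:00:00.000000+0000","event_type":"alert","alert":{"signature_id":1000001}}
{"timestamp":"2023-06-24T10:00:04.000000+0000","event_type":"stats"}
{"timestamp":"2023-06-24T10:00:05.000000+0000","event_type":"fl
"""

def parse_ts(ts):
    # Suricata's default eve timestamp format, e.g. 2023-06-24T10:00:01.000000+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

NOW = parse_ts("2023-06-24T12:40:00.000000+0000")  # assumed "current" time

def summarize_eve(text, now=NOW, window=timedelta(hours=24)):
    """Count events per event_type and record the newest alert timestamp."""
    counts, last_alert, bad_lines = Counter(), None, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            bad_lines += 1  # partial or corrupt line, e.g. cut mid-write
            continue
        etype = ev.get("event_type", "unknown")
        counts[etype] += 1
        if etype == "alert":
            ts = parse_ts(ev["timestamp"])
            if last_alert is None or ts > last_alert:
                last_alert = ts
    nsm = sum(n for t, n in counts.items() if t not in ("alert", "stats"))
    return {"counts": dict(counts), "bad_lines": bad_lines,
            "nsm_flowing": nsm > 0, "last_alert": last_alert,
            "alerts_recent": last_alert is not None and now - last_alert <= window}

def diagnose(summary):
    """Map the summary onto the situations discussed in the thread."""
    if summary["alerts_recent"]:
        return "healthy"    # Hunt dashboard has alerts to show
    if summary["nsm_flowing"]:
        return "nsm-only"   # Kibana dashboards fill but Hunt stays empty: check rules and suricata.log
    return "no-data"        # nothing reaching eve.json at all
```

Run it against a real file with `summarize_eve(open("/path/to/eve.json").read())`; a result of "nsm-only" matches the symptom in this thread and points at the rule set and suricata.log rather than the ingestion path.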



Tim Guy

Jul 6, 2023, 7:34:24 AM7/6/23
to Peter Manev, SELKS
I removed the default rule completely, added it back and then just added one source in, and it started up again. No idea what went wrong, but happy with that.

Peter Manev

Jul 6, 2023, 9:23:35 AM7/6/23
to Tim Guy, SELKS
Hi, 

Probably the suricata.log would be able to show some info of what might have been the reason.

Thank you for the feedback!
Glad it is all back to normal.

-- 
Regards,
Peter Manev 

On 6 Jul 2023, at 14:34, Tim Guy <timg...@gmail.com> wrote:

