New to Selks, clarifying


Chris Almond

Jan 7, 2015, 5:05:12 AM
to se...@googlegroups.com
Dear Community,

I started testing Selks a few weeks ago and have some questions. I wrote some notes, but I am not sure I understand everything well. Please correct me:


"Services running:
Suricata       --> IPS / IDS
Scirius        --> Web management interface for Suricata, written in Django
Elasticsearch  --> The engine processing logs and search.
Logstash       --> Log management, scrubs your logs and parses all data sources into an easy-to-read JSON format.
Kibana         --> Dashboard, Elasticsearch's data visualization engine, "kibana-dashboards-stamus"

Processing of data: Suricata logs -> Elasticsearch -> Logstash -> Kibana/Scirius "


After installing Selks, all the traffic originating from the box itself gets into the logs and I can use the dashboard very well. However, I couldn't analyze traffic originating from other hosts/clients.
What I have and did:
- There is one ethernet interface allowing incoming/outgoing/forwarding packets.
- I have allowed IP forwarding in sysctl.
- Changed Suricata to NFQ mode
- I am sending all traffic to the NFQ, the same one that is configured in Suricata
- Set the clients' default gateway to Selks

After this, the packets get forwarded from the clients and everything gets passed to the NFQ, but I see nothing in the dashboard or in the Suricata logs. E.g. I have opened Tor connections from the clients, but no alerts were received.
Tcpdump can see everything clients send.

Note: there is a remote exec vuln in the default install's ElasticSearch's "/_search?source=" parameter. That may be fixed by upgrading the iso images.

Any help is appreciated,
Thank you!
Chris

Peter Manev

Jan 8, 2015, 3:57:39 AM
to Chris Almond, se...@googlegroups.com
Hi,

Thank you for your info mail! Answers below...

On Wed, Jan 7, 2015 at 11:05 AM, Chris Almond <chrisal...@gmail.com> wrote:
> Dear Community,
>
> I have started to test Selks a few weeks ago and got some questions. I wrote
> some notes, but not sure if I understand everything well. Please correct me:
>
>
> "Services running:
> Suricata --> IPS / IDS
> Scirius --> Web management interface for Suricata, written in Django
> Elasticsearch --> The engine processing logs and search.
> Logstash --> Log management, scrubs your logs and parse all data
> sources into an easy to read JSON format.
> Kibana --> Dashboard, Elasticsearch’s data visualization engine,
> "kibana-dashboards-stamus"
>
> Processing of data: Suricata logs -> Elasticsearch -> Logstash ->
> Kibana/Scirius "
>
>

Processing/access of/to data: Suricata logs -> Logstash ->
Elasticsearch -> (nginx proxy with authentication)...Kibana/Scirius

>
> After installing Selks all the traffic originating from itself gets into the
> logs and I can use the dashboard very well. However I couldn't analyze
> traffic originating from other hosts/clients.
> What I have and did:
> - There is one ethernet interface allowing incoming/outgoing/forwarding
> packets.
> - I have allowed ip forwarding in sysctl.
> - Changed Suricata to NFQ mode

What were your steps exactly?

> - I am sending all traffic to the NFQ, to the same one which is configured
> in suricata
> - Set client's default gateway to Selks

What is your network set up like - I mean do you use any NAT/PNAT? Any
iptables/ipset rules? Anything in particular?

>
> After this, the packets get forwarded from clients, everything gets passed
> to the NFQ, but I see nothing in the dashboard or in Suricata logs. Eg. I
> have opened Tor connections from the clients, but no alerts were received.
> Tcpdump can see everything clients send.
>

Just to confirm - what is the output of "ethtool -k yourinterface"


> Note: there is a remote exec vuln in the default install's ElasticSearch's
> "/_search?source=" parameter. That may be fixed by upgrading the iso images.
>
Is that the CVE you are referring to?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3120

> Any help is appreciated,
> Thank you!
> Chris
>

Thanks

> --
> IRC: Let's talk about SELKS on Freenode IRC on the #SELKS channel
> Wiki: https://github.com/StamusNetworks/SELKS/wiki
> GitHub: https://github.com/StamusNetworks/SELKS
> Blog: https://www.stamus-networks.com/theblog/
> Twitter: @StamusN
> g+: Stamus Networks
> ---
> You received this message because you are subscribed to the Google Groups
> "SELKS" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to selks+un...@googlegroups.com.
> To post to this group, send email to se...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



--
Regards,
Peter Manev

Chris Almond

Jan 12, 2015, 4:39:40 AM
to se...@googlegroups.com, chrisal...@gmail.com
Hello,

Thank you for correcting me. The steps I have done so far:

1. Install SELKS (default)
2. Set up networking on my interface (ip, mask, routing, etc.)
3. Enable IP forwarding using sysctl (sysctl.conf)
4. Add iptables rules to pass all INPUT, OUTPUT, FORWARD to NFQUEUE 0 ---> iptables -I OUTPUT -j NFQUEUE ... etc.
5. Change /etc/default/suricata "LISTENMODE=nfqueue" and /etc/suricata/suricata.yaml: nfq mode accept
6. Run /opt/selks/Scripts/Tuning/disable-interface-offloading_stamus.sh eth2
7. Add the previous script to /etc/network/interfaces
8. "ethtool -k" output looks correct [fixed]

Network looks like: internal computers --> SELKS as gateway --> | internet gateway, providing DHCP and DNS | --> internet

Note:
- /etc/suricata/suricata.yaml tells users to use "iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE", but it gives back an error: "mark: bad mark value for option "--mark", or out of range."
- If I install a proxy and run everything through it, SELKS works fine, but not with simple IP forwarding.

If I don't want to install my proxy on SELKS, how should I proceed?


>> Note: there is a remote exec vuln in the default install's ElasticSearch's
>> "/_search?source=" parameter. That may be fixed by upgrading the iso images.
>>
> Is that the CVE you are referring to?
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3120

Yes.

Thank you!
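As an added example (not code from the thread, from Chris or Peter, or from the SELKS or Suricata projects), covering the inline NFQUEUE steps listed above and the `ethtool -k` check Peter asked for earlier: a small shell helper that validates a mark/mask argument before iptables sees it, builds the FORWARD rule for Suricata's accept or repeat NFQ mode, and parses `ethtool -k` output for offload features that are still on. The `bad mark value` error quoted above is what iptables returns when the `$MARK/$MASK` placeholders from the suricata.yaml comment are left unset, so the shell passes `--mark /`; with `mode: accept` (the setting in step 5) the mark exclusion is not needed at all, it only matters in repeat mode, where Suricata marks and re-injects packets so the FORWARD rule must not queue them a second time. The interface name eth2 and queue 0 come from the thread; the mark/mask pair 1/1, the file name inline-gw.sh, the four offload feature names and the sample `ethtool -k` output are constructed for this example.

```shell
#!/bin/sh
# Added example, not SELKS or Suricata code. Assumed values: eth2 and queue 0
# come from the thread; the offload feature list and the sample ethtool output
# below are constructed for this example.

IFACE="${IFACE:-eth2}"
QUEUE="${QUEUE:-0}"

# Validate a "mark/mask" spec before iptables sees it. An unset $MARK/$MASK
# expands to "/" and that is what produces 'bad mark value for option "--mark"'.
# Accepts decimal or 0x-hex on both sides; returns 0 when well-formed.
mark_spec_ok() {
    case "$1" in */*) ;; *) return 1 ;; esac
    mark="${1%%/*}"; mask="${1#*/}"
    printf '%s\n' "$mark" | grep -Eq '^(0x[0-9a-fA-F]+|[0-9]+)$' || return 1
    printf '%s\n' "$mask" | grep -Eq '^(0x[0-9a-fA-F]+|[0-9]+)$' || return 1
}

# Print the FORWARD rule for the chosen NFQ mode. In "accept" mode a plain
# NFQUEUE rule is sufficient. In "repeat" mode Suricata marks the packet and
# re-injects it, so the rule must skip already-marked packets or they would
# be queued a second time.
forward_rule() {   # $1 = accept|repeat, $2 = mark/mask (repeat mode only)
    case "$1" in
        accept)
            printf 'iptables -I FORWARD -j NFQUEUE --queue-num %s\n' "$QUEUE" ;;
        repeat)
            mark_spec_ok "$2" || { echo "bad mark/mask spec: '$2'" >&2; return 1; }
            printf 'iptables -I FORWARD -m mark ! --mark %s -j NFQUEUE --queue-num %s\n' \
                "$2" "$QUEUE" ;;
        *)
            echo "unknown nfq mode: '$1'" >&2; return 1 ;;
    esac
}

# Read "ethtool -k <iface>" output on stdin and print every offload feature
# that is still on. Suricata should see packets as they were on the wire, so
# GRO/LRO/TSO/GSO must be off. ethtool marks features it cannot change as
# "[fixed]"; the state word is still field 2, so those parse the same way.
# Returns 1 if any of the four is on.
offloads_still_on() {
    awk '
        /^(generic-receive-offload|large-receive-offload|tcp-segmentation-offload|generic-segmentation-offload):/ {
            name = $1; sub(/:$/, "", name)
            if ($2 == "on") { print name; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample of "ethtool -k eth2" output (not a real capture): GRO is
# still on, so offloads_still_on reports it and returns 1.
SAMPLE_ETHTOOL='Features for eth2:
rx-checksumming: on
tx-checksumming: on
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Apply on a real gateway (needs root): forwarding on, offloads off, then the
# NFQUEUE rule. ethtool -K on a "[fixed]" feature fails harmlessly.
# Usage:  sh inline-gw.sh apply accept      or   sh inline-gw.sh apply repeat 1/1
apply_inline_gateway() {
    rule=$(forward_rule "$@") || return 1
    sysctl -w net.ipv4.ip_forward=1
    for f in gro lro tso gso; do ethtool -K "$IFACE" "$f" off; done
    eval "$rule"
}

case "${1:-}" in
    apply) apply_inline_gateway "${2:-accept}" "${3:-}" ;;
    check) offloads_still_on ;;   # usage: ethtool -k eth2 | sh inline-gw.sh check
esac
```

The rule string is built and validated separately from applying it so the check part can be run on any box without root; `ethtool -k eth2 | sh inline-gw.sh check` is the non-root version of the question Peter asked, and a non-empty result means the offloading script did not take effect on that interface.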

Peter Manev

Jan 12, 2015, 6:05:50 AM
to Chris Almond, se...@googlegroups.com
On Mon, Jan 12, 2015 at 6:39 PM, Chris Almond <chrisal...@gmail.com> wrote:
> Hello,
>
> thank you for correcting. The steps I have done so far:
>
> 1. Install SELKS (default)
> 2. Set up networking on my interface (ip, mask, routing..etc)
> 3. Enabling IP forwarding, using sysctl (sysctl.conf)
> 4. Adding iptables rules to pass all INPUT, OUTPUT, FORWARD to NFQUEUE 0
> ---> iptables -I OUTPUT -j NFQUEUE...etc
> 5. Change /etc/default/suricata "LISTENMODE=nfqueue" and
> /etc/suricata/suricata.yaml: nfq mode accept
> 6. Run /opt/selks/Scripts/Tuning/disable-interface-offloading_stamus.sh eth2
> 7. Adding the previous script to /etc/network/interfaces
> 8. "ethtool -k" output looks correct [fixed]
>
> Network looks like: internal computers --> SELKS as gateway --> | internet
> gateway, providing dhcp and dns | --> internet
>
> Note:
> - /etc/suricata/suricata.yaml tells users to use "iptables -I FORWARD -m
> mark ! --mark $MARK/$MASK -j NFQUEUE", but it gives back an error: "mark:
> bad mark value for option "--mark", or out of range."
> - If I install a proxy and run everything through it, SELKS works fine, but
> not with simple ipforwarding.
>
> If I don't want to install my proxy on SELKS, how should I proceed?
>

Under what user are you running Suricata? (if not root) Could you
please try as "root" to see if the issue will still be there?

>>> Note: there is a remote exec vuln in the default install's
>>> ElasticSearch's
>>> "/_search?source=" parameter. That may be fixed by upgrading the iso
>>> images.
>>>
>> Is that the CVE you are referring to?
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3120
>
> Yes.

At the bottom of the page here -
http://bouk.co/blog/elasticsearch-rce/
it seems the author explains what the preventive steps are. Furthermore,
SELKS uses an authentication/authorization mechanism through nginx
in order to access Kibana.

For further info, SELKS uses ES 1.1.2 with Logstash 1.4.2 as per the info
found here (pairing ES with Logstash versions) -
http://logstash.net/docs/1.4.2/tutorials/getting-started-with-logstash

We are thinking/testing/considering possible version upgrade
paths though.


Thanks



>
> Thank you!
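As an added example for the preventive steps Peter points at (not code from Peter, Chris, SELKS or Elasticsearch): the vector behind CVE-2014-3120 is dynamic scripting, which the ES 1.1.x that SELKS shipped enables by default, so a node is exposed unless `script.disable_dynamic: true` is set or it runs a release where the default changed. This checker reads an elasticsearch.yml and the running version and reports whether dynamic scripting is reachable, and separately whether ES is bound to loopback so that only the nginx proxy can reach port 9200. Assumptions: the Debian package config path /etc/elasticsearch/elasticsearch.yml, 1.2.0 as the first release with dynamic scripting off by default, the file name es-check.sh, and the two YAML samples, which are constructed for the example.

```shell
#!/bin/sh
# Added example, not SELKS or Elasticsearch code. Assumptions: the Debian
# package config path /etc/elasticsearch/elasticsearch.yml, and 1.2.0 as the
# first ES release that ships with dynamic scripting disabled by default.
# The two YAML samples below are constructed for this example.

# Dotted-version compare: returns 0 when $1 is older than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Read elasticsearch.yml on stdin; $1 is the running ES version (as reported
# by "curl -s localhost:9200", field version.number). Returns 0 when dynamic
# scripting, the vector behind CVE-2014-3120, is disabled: either explicitly
# via script.disable_dynamic: true, or by default on 1.2.0 and later.
dynamic_scripting_disabled() {
    setting=$(sed -n 's/^[[:space:]]*script\.disable_dynamic:[[:space:]]*\([A-Za-z]*\).*/\1/p' | tail -n 1)
    case "$setting" in
        true)  return 0 ;;
        false) return 1 ;;                                  # explicitly re-enabled
        "")    if version_lt "$1" 1.2.0; then return 1; else return 0; fi ;;
        *)     return 1 ;;                                  # unknown value: treat as exposed
    esac
}

# Read elasticsearch.yml on stdin. Returns 0 when network.host or
# network.bind_host restricts ES to loopback, so the REST API is only
# reachable through the authenticating nginx proxy SELKS puts in front of
# Kibana. Returns 1 when ES is left on the 1.x default of all interfaces.
bound_to_localhost() {
    host=$(sed -n 's/^[[:space:]]*network\.\(bind_\)\{0,1\}host:[[:space:]]*\([^[:space:]#]*\).*/\2/p' \
           | tail -n 1 | tr -d "\"'")
    case "$host" in
        127.0.0.1|localhost|_local_) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample 1: shipped defaults, nothing set. A 1.1.2 node with this
# config is exposed unless port 9200 is firewalled off.
DEFAULT_YML='cluster.name: selks
# script.disable_dynamic: true   <- commented out, so still the default
'

# Constructed sample 2: hardened config.
HARDENED_YML='cluster.name: selks
network.host: "127.0.0.1"
script.disable_dynamic: true
'

# On a live node:  sh es-check.sh <es-version> [/etc/elasticsearch/elasticsearch.yml]
if [ -n "${1:-}" ]; then
    cfg="${2:-/etc/elasticsearch/elasticsearch.yml}"
    if dynamic_scripting_disabled "$1" < "$cfg"; then
        echo "dynamic scripting: disabled"
    else
        echo "dynamic scripting: EXPOSED (CVE-2014-3120); set script.disable_dynamic: true or upgrade"
    fi
    if bound_to_localhost < "$cfg"; then
        echo "bind: loopback only"
    else
        echo "bind: all interfaces; make sure only the nginx proxy can reach port 9200"
    fi
fi
```

The two checks are independent on purpose: the nginx authentication in front of Kibana does nothing for a client that talks to port 9200 directly, and a loopback bind does nothing for a request that arrives through the proxy, so both the scripting setting and the bind address need to be right.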

Chris Almond

Jan 14, 2015, 4:38:46 AM
to se...@googlegroups.com, chrisal...@gmail.com
> Under what user are you running Suricata? (if not root) Could you please try as "root" to see if the issue will still be there?

Unfortunately it does not work with root user or other. I guess it's because of the forwarding. Any other idea?


> At the bottom of the page here -
> http://bouk.co/blog/elasticsearch-rce/
> it seems the author explains what the preventive steps are. Further
> more SELKS uses authentication/authorization mechanism through nginx
> in order to access Kibana.
>
> For further info, SELKS uses ES 1.1.2 with logstash 1.4.2 as per info
> found here (pairing ES with Logstash versions) -
> http://logstash.net/docs/1.4.2/tutorials/getting-started-with-logstash
>
> We are thinking/testing/considering possible version upgrade
> paths though.

I added Elasticsearch's Debian repository to the apt sources list and the upgrade worked fine, fixing the vuln:

deb http://packages.elasticsearch.org/elasticsearch/1.4/debian stable main


Thanks!

Peter Manev

Jan 15, 2015, 7:22:00 PM
to Chris Almond, se...@googlegroups.com
On Wed, Jan 14, 2015 at 6:38 PM, Chris Almond <chrisal...@gmail.com> wrote:
>
> > Under what user are you running Suricata? (if not root) Could you please try as "root" to see if the issue will still be there?
>
> Unfortunately it does not work with root user or other. I guess it's because of the forwarding. Any other idea?

What is your Suricata start up command in that case? Have you made any
changes to the start up script?

>
>
> >At the bottom of the page here -
> >http://bouk.co/blog/elasticsearch-rce/
> >it seems the author explains what the preventive steps are. Further
> >more SELKS uses authentication/authorization mechanism through nginx
> >in order to access Kibana.
> >
> >For further info, SELKS uses ES 1.1.2 with logstash 1.4.2 as per info
> >found here (pairing ES with Logstash versions) -
> >http://logstash.net/docs/1.4.2/tutorials/getting-started-with-logstash
> >
> >We are thinking/testing/considering possible version upgrade
> >paths though.
>
> I have added Elasticsearch's debian repository to apt source list and the upgrade worked fine, fixing the vuln:
>
> deb http://packages.elasticsearch.org/elasticsearch/1.4/debian stable main
>
>
> Thanks!
>

Peter Manev

Jan 18, 2015, 1:16:05 AM
to Chris Almond, se...@googlegroups.com
On Fri, Jan 16, 2015 at 1:21 AM, Peter Manev <peter...@gmail.com> wrote:
> On Wed, Jan 14, 2015 at 6:38 PM, Chris Almond <chrisal...@gmail.com> wrote:
>>
>> > Under what user are you running Suricata? (if not root) Could you please try as "root" to see if the issue will still be there?
>>
>> Unfortunately it does not work with root user or other. I guess it's because of the forwarding. Any other idea?
>
> What is your Suricata start up command in that case? Have you made any
> changes to the start up script?
>
>>
>>

In addition to my previous mail - what are your iptables rules?
Thanks
--
Regards,
Peter Manev