Selks IDS/IPS configuration


philip lor

Jan 15, 2015, 11:47:20 AM
to se...@googlegroups.com
hello,

I have installed SELKS on a spare workstation with multiple NICs. I have configured the switchport on my switch to mirror all ports on that local switch to eth0. I followed the tutorial on the "Initial Setup Network Card setup", currently using eth1 as my management interface and eth0 as my listening interface. I am able to view all traffic entering and leaving that switch from Wireshark on the SELKS workstation, but can't see any logs of the traffic on the Kibana dashboard. I am wanting to know if I misconfigured or didn't configure a setting on SELKS. Thanks

Peter Manev

Jan 15, 2015, 5:58:32 PM
to philip lor, se...@googlegroups.com
Hi,

So you see the traffic from the SELKS server - correct?


Is it that you do not see any logs at all in Kibana or you can not find the dashboards?

Thank you


On Fri, Jan 16, 2015 at 1:47 AM, philip lor <phil...@gmail.com> wrote:
hello,

I have installed SELKS on a spare workstation with multiple NICs. I have configured the switchport on my switch to mirror all ports on that local switch to eth0. I followed the tutorial on the "Initial Setup Network Card setup", currently using eth1 as my management interface and eth0 as my listening interface. I am able to view all traffic entering and leaving that switch from Wireshark on the SELKS workstation, but can't see any logs of the traffic on the Kibana dashboard. I am wanting to know if I misconfigured or didn't configure a setting on SELKS. Thanks

--
IRC: Let's talk about SELKS on Freenode IRC on the #SELKS channel
Wiki: https://github.com/StamusNetworks/SELKS/wiki
GitHub: https://github.com/StamusNetworks/SELKS
Blog: https://www.stamus-networks.com/theblog/
Twitter: @StamusN
g+: Stamus Networks



--
Regards,
Peter Manev

philip lor

Jan 16, 2015, 9:47:31 AM
to se...@googlegroups.com, phil...@gmail.com
I can only see traffic originating from the SELKS server, but not other traffic from workstations on the local switch. I see the logs in the Kibana dashboard logging traffic from the SELKS server itself only. So is SELKS working as designed by logging its own traffic, or am I missing some configuration? I want to use SELKS as an IDS, which is supposed to be the default setting. Thanks for the help

Eric Leblond

Jan 16, 2015, 9:56:12 AM
to philip lor, se...@googlegroups.com
Hi,

On Fri Jan 16 2015 at 3:47:32 PM philip lor <phil...@gmail.com> wrote:
I can only see traffic originating from the SELKS server, but not other traffic from workstations on the local switch. I see the logs in the Kibana dashboard logging traffic from the SELKS server itself only. So is SELKS working as designed by logging its own traffic, or am I missing some configuration?

It seems there is a configuration issue on your side.

Can you run 

suricata --dump-config -c /etc/suricata/suricata.yaml  |grep eth

You should see something like:

af-packet.0.interface = eth0

If you see also eth1 you have an issue there.

Another point to check: verify that eth0 is up:

ip l l dev eth0

should contain ",UP>"

BR,
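Eric's two checks above (only the sniffing interface listed under af-packet, and that interface carrying the UP flag) as a small shell helper. This is an added example, not code from the thread or from the SELKS project; the two sample outputs embedded in it are constructed (one dump-config listing with a second af-packet interface, one `ip link` line each for an up and a down interface), and the function names afpacket_interfaces, extra_capture_interfaces and link_is_up are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check Suricata's capture configuration
# the way Eric's two commands do, but as functions that read the command
# output from stdin, so they can be run against live or saved output.

# Constructed sample of `suricata --dump-config -c /etc/suricata/suricata.yaml | grep eth`
# for a sensor where the management NIC (eth1) was left in the af-packet section.
SAMPLE_DUMP='af-packet.0.interface = eth0
af-packet.1.interface = eth1
pfring.0.interface = eth0
pcap.0.interface = eth0'

# Constructed samples of `ip l l dev eth0` output for an up and a down interface.
SAMPLE_LINK_UP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:23:24:08:52:c7 brd ff:ff:ff:ff:ff:ff'
SAMPLE_LINK_DOWN='2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT qlen 1000
    link/ether 00:23:24:08:52:c7 brd ff:ff:ff:ff:ff:ff'

# Print the interfaces configured in the af-packet section (the capture method
# the SELKS init script starts Suricata with), one per line, from dump-config
# output on stdin. pfring/pcap/netmap entries are ignored because they are not
# used unless Suricata is started with that capture method.
afpacket_interfaces() {
    sed -n 's/^af-packet\.[0-9][0-9]*\.interface = *//p'
}

# Print every af-packet interface other than the expected sniffing interface.
# Returns 0 when only the expected interface is configured, 1 otherwise
# (which is the "if you also see eth1 you have an issue" case).
extra_capture_interfaces() {
    expected="$1"
    extra=$(afpacket_interfaces | grep -v -x "$expected" || true)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Return 0 if the flags field of `ip link` output (the <...> list on the first
# line) contains UP. The flags are split on commas so LOWER_UP or NO-CARRIER
# cannot be mistaken for UP.
link_is_up() {
    sed -n 's/^[0-9][0-9]*: [^:]*: <\([^>]*\)>.*/\1/p' | tr ',' '\n' | grep -q -x UP
}
```

On a sensor the same functions take the live output: `suricata --dump-config -c /etc/suricata/suricata.yaml | extra_capture_interfaces eth0` prints any interface that should not be there and exits 1, and `ip l l dev eth0 | link_is_up || echo "eth0 is down"` covers the second check.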

philip lor

Jan 16, 2015, 12:52:42 PM
to se...@googlegroups.com, phil...@gmail.com, eleb...@stamus-networks.com
Thanks Eric for the reply, here is the output

root@SELKS:~# suricata --dump-config -c /etc/suricata/suricata.yaml  |grep eth
af-packet.0.interface = eth0
af-packet.1.interface = eth1
pfring.0.interface = eth0
pcap.0.interface = eth0
root@SELKS:~# ip l l dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:23:24:08:52:c7 brd ff:ff:ff:ff:ff:ff

Peter Manev

Jan 18, 2015, 2:01:22 AM
to philip lor, se...@googlegroups.com, Eric Leblond
On Fri, Jan 16, 2015 at 6:52 PM, philip lor <phil...@gmail.com> wrote:
> Thanks Eric for the reply, here is the output
>
> root@SELKS:~# suricata --dump-config -c /etc/suricata/suricata.yaml |grep
> eth
> af-packet.0.interface = eth0
> af-packet.1.interface = eth1

Since eth1 is your management interface as you mentioned - you can
comment that section out if you are not interested in that traffic.

> pfring.0.interface = eth0
> pcap.0.interface = eth0
> root@SELKS:~# ip l l dev eth0
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UP mode DEFAULT qlen 1000
> link/ether 00:23:24:08:52:c7 brd ff:ff:ff:ff:ff:ff
>
>
>

Do you see mirrored traffic on eth0 on the SELKS server?
Are there any err/warning msgs in your suricata.log ?

emre....@btpsec.com

Jun 14, 2016, 9:11:12 AM
to SELKS, phil...@gmail.com, eleb...@stamus-networks.com
I have installed SELKS on a VM for IDS purposes, where two interfaces exist.
eth0 is the management interface and eth1 listens to the SPAN traffic.

eth0      Link encap:Ethernet  HWaddr 00:0c:29:86:f6:f6
          inet addr:10.10.10.189  Bcast:10.10.10.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:0c:29:86:f6:00
          inet addr:10.10.10.199  Bcast:10.10.10.255  Mask:255.255.252.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

When I start suricata with systemctl, the status of suricata shows active (exited)
$ sudo systemctl start suricata
$ sudo systemctl status suricata

● suricata.service - LSB: Next Generation IDS/IPS
   Loaded: loaded (/etc/init.d/suricata)
   Active: active (exited) since Tue 2016-06-14 17:49:03 EEST; 1h 0min ago
  Process: 29348 ExecStop=/etc/init.d/suricata stop (code=exited, status=0/SUCCESS)
  Process: 29357 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)

Jun 14 17:49:03 SELKS suricata[29357]: Starting suricata in IDS (af-packet) mode... done.

Besides this output, Scirius shows a red light for suricata, I think due to Active: active (exited)

When I start suricata manually, there seems to be no problem. Scirius lights green.
$ sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1 -v

Suricata configuration
$ suricata --dump-config -c /etc/suricata/suricata.yaml  |grep eth
af-packet.0.interface = eth1
af-packet.1.interface = eth1
netmap.0.interface = eth2
pfring.0.interface = eth1
pcap.0.interface = eth1

Might suricata be trying to listen on eth0 in this case?

Peter Manev

Jun 15, 2016, 6:02:47 AM
to emre....@btpsec.com, SELKS, philip lor, Eric Leblond
On Tue, Jun 14, 2016 at 3:11 PM, <emre....@btpsec.com> wrote:
>
> I have installed SELKS on a VM for IDS purposes where two interfaces exist.
> eth0 is the management interface and eth1 listens the span traffic.
>
> eth0 Link encap:Ethernet HWaddr 00:0c:29:86:f6:f6
> inet addr:10.10.10.189 Bcast:10.10.10.255 Mask:255.255.252.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>
> eth1 Link encap:Ethernet HWaddr 00:0c:29:86:f6:00
> inet addr:10.10.10.199 Bcast:10.10.10.255 Mask:255.255.252.0
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
>
> When I start suricata with systemctl, status of suricata seems active (exited)
> $ sudo systemctl start suricata
> $ sudo systemctl status suricata
>
> ● suricata.service - LSB: Next Generation IDS/IPS
> Loaded: loaded (/etc/init.d/suricata)
> Active: active (exited) since Tue 2016-06-14 17:49:03 EEST; 1h 0min ago
> Process: 29348 ExecStop=/etc/init.d/suricata stop (code=exited, status=0/SUCCESS)
> Process: 29357 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)
>
> Jun 14 17:49:03 SELKS suricata[29357]: Starting suricata in IDS (af-packet) mode... done.
>
> Beside this output, scirius shows red light for suricata (I think) due to Active: active (exited)

Yes, I think you are correct too.

>
> When I start suricata by manual, it seems no problem. Scirius lights green.
> $ sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1 -v
>
> Suricata configuration
> $ suricata --dump-config -c /etc/suricata/suricata.yaml |grep eth
> af-packet.0.interface = eth1
> af-packet.1.interface = eth1
> netmap.0.interface = eth2
> pfring.0.interface = eth1
> pcap.0.interface = eth1
>
> May suricata try to listen eth0 in this case?

I think you should check /var/log/suricata/suricata.log for any errors.
I suspect it might be a leftover pid file, so you might try removing
any suricata.pid files and restarting the service again.

emre....@btpsec.com

Jun 15, 2016, 7:13:58 AM
to SELKS, emre....@btpsec.com, phil...@gmail.com, eleb...@stamus-networks.com
There is no suricata.pid file under /var/run/lock, /var/run/suricata (actually under /var/run)

There are just two errors under /var/log/suricata
<Error> (Daemonize) -- [ERRCODE: SC_ERR_DAEMON(87)] - Error changing to working directory
<Error> (WaitForChild) -- [ERRCODE: SC_ERR_DAEMON(87)] - Child died unexpectedly

ps -aux | grep suri
iroot      1105  0.0  0.0  54476 10680 ?        S    Jun03   0:00 /usr/bin/python /opt/selks/scirius/suricata/scripts/suri_reloader -p /etc/suricata/rules -l /var/log/suri-reload.log -D

shows just one process

Peter Manev

Jun 15, 2016, 7:58:00 AM
to emre....@btpsec.com, SELKS, philip lor, Eric Leblond
On Wed, Jun 15, 2016 at 1:13 PM, <emre....@btpsec.com> wrote:
> There is no suricata.pid file under /var/run/lock, /var/run/suricata
> (actually under /var/run)
>

yes - remove the one under /var/run and try restarting the process.

Can you please share the suricata.log on pastebin if ok?

emre....@btpsec.com

Jun 15, 2016, 8:32:35 AM
to SELKS, emre....@btpsec.com, phil...@gmail.com, eleb...@stamus-networks.com
Still same error.

Peter Manev

Jun 15, 2016, 9:03:45 AM
to emre....@btpsec.com, SELKS, philip lor, Eric Leblond
On Wed, Jun 15, 2016 at 2:32 PM, <emre....@btpsec.com> wrote:
> Still same error.
>

Have you made any changes to the original start line or suricata.yaml?

emre....@btpsec.com

Jun 15, 2016, 9:47:36 AM
to SELKS, emre....@btpsec.com, phil...@gmail.com, eleb...@stamus-networks.com

I have not changed /etc/init.d/suricata file, but suricata.yaml.

I have installed a new NIC card for listening to SPAN traffic.
Then I configured the NIC card according to the tutorial (Initial Setup Network card (NIC) setup).
Then I changed all eth0 in suricata.yaml to eth1.
The last change is unix-command enabled: yes
That's all

Peter Manev

Jun 15, 2016, 10:16:21 AM
to emre....@btpsec.com, SELKS, philip lor, Eric Leblond
On Wed, Jun 15, 2016 at 3:47 PM, <emre....@btpsec.com> wrote:
>
> I have not changed /etc/init.d/suricata file, but suricata.yaml.
>
> I have planted a new NIC card for listening span traffic.
> Then I configured the NIC card according to the tutorial (Initial Setup
> Network card (NIC) setup).
> Then change all eth0 in suricata.yaml to eth1.
> The last one is that unix-command enabled: yes
> Thats all


Can you please send me your suricata.yaml?

emre....@btpsec.com

Jun 15, 2016, 10:53:12 AM
to SELKS, emre....@btpsec.com, phil...@gmail.com, eleb...@stamus-networks.com

Attached.
suricata.yaml

Peter Manev

Jun 15, 2016, 11:49:25 AM
to emre....@btpsec.com, SELKS, philip lor, Eric Leblond
On Wed, Jun 15, 2016 at 4:53 PM, <emre....@btpsec.com> wrote:
>
> Attached.

Thank you
What is the output of :
ll -lh /var/log/suricata/

?

emre....@btpsec.com

Jun 15, 2016, 11:58:49 AM
to SELKS, emre....@btpsec.com, phil...@gmail.com, eleb...@stamus-networks.com
-rw-r--r-- 1 root root  63M Jun 15 13:09 eve.json
-rw-r--r-- 1 root root 626K Jun 15 13:08 fast.log
-rw-r--r-- 1 root root 2.1M Jun 15 13:09 stats.log
-rw-r--r-- 1 root root 2.4K Jun 15 19:59 suricata.log
-rw-r--r-- 1 root root 2.4K Jun 15 19:59 suricata-start.log

Peter Manev

Jun 15, 2016, 4:45:45 PM
to emre....@btpsec.com, SELKS, philip lor, Eric Leblond
On Wed, Jun 15, 2016 at 5:58 PM, <emre....@btpsec.com> wrote:
> -rw-r--r-- 1 root root 63M Jun 15 13:09 eve.json
> -rw-r--r-- 1 root root 626K Jun 15 13:08 fast.log
> -rw-r--r-- 1 root root 2.1M Jun 15 13:09 stats.log
> -rw-r--r-- 1 root root 2.4K Jun 15 19:59 suricata.log
> -rw-r--r-- 1 root root 2.4K Jun 15 19:59 suricata-start.log
>


It seems you are missing or have removed needed config directories.
It should look like so:

root@SELKS:~# ll -lh /var/log/suricata/
total 9.3M
drwxr-xr-x 2 logstash logstash 4.0K Apr 8 04:31 certs
drwxr-xr-x 2 logstash logstash 4.0K Apr 8 04:31 core
-rw-r----- 1 logstash logstash 8.3M Jun 15 16:44 eve.json
-rw-r----- 1 logstash logstash 47K Jun 15 16:44 fast.log
drwxr-xr-x 2 logstash logstash 4.0K Apr 8 04:31 files
drwxr-xr-x 2 logstash logstash 4.0K Apr 8 06:13 StatsByDate
-rw-r----- 1 logstash logstash 806K Jun 15 16:44 stats.log
-rw-r--r-- 1 root root 46K Jun 15 16:44 suricata.log
-rw-r--r-- 1 root root 2.2K Jun 15 16:07 suricata-start.log
root@SELKS:~#

emre....@btpsec.com

Jul 25, 2016, 10:58:13 AM
to SELKS, emre....@btpsec.com, phil...@gmail.com, eleb...@stamus-networks.com
Unfortunately, this is due to a mistake in the wiki: https://github.com/StamusNetworks/SELKS/wiki/Reset-stats-and-logs
It says rm /var/log/suricata/* to clear suricata logs.
But it also deletes the other files that you mention.
This is more convenient:
for log in /var/log/suricata/*.log
do
        echo -n "" > "$log"
done

Peter Manev

Jul 25, 2016, 11:03:19 AM
to emre....@btpsec.com, SELKS, philip lor, Eric Leblond
On Mon, Jul 25, 2016 at 3:58 PM, <emre....@btpsec.com> wrote:
> Unfortunately, this is due to the mistake in the wiki:

Is it not related to permissions?

eve.json needs to be owned by the user logstash (as the suricata
process runs under the user logstash) - in your case it was
owned by the user root, I think.
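The two points raised at the end of the thread (the wiki's rm /var/log/suricata/* also removes the certs, core, files and StatsByDate directories from Peter's listing, and eve.json must stay owned by logstash) as one shell helper. This is an added example, not code from the thread, the SELKS wiki or the project; the function names reset_suricata_logs and check_suricata_logdir are my own, the directory and owner are parameters so it can be exercised on a scratch directory, and reading the owner with GNU stat -c %U assumes a Linux host as in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the SELKS wiki): reset Suricata's log
# files without deleting anything, and check that the log directory still has
# the layout and ownership SELKS expects.

# Sub-directories SELKS keeps under /var/log/suricata, taken from the listing
# posted in the thread.
SELKS_LOG_SUBDIRS="certs core files StatsByDate"

# Truncate every regular *.log and *.json file in the log directory in place.
# The files keep their inode, owner and mode, so a running Suricata keeps
# writing to the same file and logstash keeps being able to read it; the
# sub-directories are left untouched, unlike `rm /var/log/suricata/*`.
reset_suricata_logs() {
    logdir="$1"
    for f in "$logdir"/*.log "$logdir"/*.json; do
        [ -f "$f" ] || continue   # unmatched glob expands to itself; skip it
        : > "$f"
    done
}

# Report problems with the log directory layout: one "missing-dir NAME" line
# per expected sub-directory that is absent, and one "wrong-owner FILE USER"
# line per Suricata-written file not owned by the expected user (logstash on
# SELKS). Returns 1 if anything was reported, 0 if the layout matches.
check_suricata_logdir() {
    logdir="$1"
    owner="$2"
    problems=0
    for d in $SELKS_LOG_SUBDIRS; do
        if [ ! -d "$logdir/$d" ]; then
            printf 'missing-dir %s\n' "$d"
            problems=1
        fi
    done
    # eve.json, fast.log and stats.log are written by the Suricata process,
    # which on SELKS runs as the user logstash.
    for f in eve.json fast.log stats.log; do
        [ -e "$logdir/$f" ] || continue
        actual=$(stat -c %U "$logdir/$f")   # GNU stat (assumption: Linux host)
        if [ "$actual" != "$owner" ]; then
            printf 'wrong-owner %s %s\n' "$f" "$actual"
            problems=1
        fi
    done
    return $problems
}
```

On a SELKS box the calls would be `reset_suricata_logs /var/log/suricata` and `check_suricata_logdir /var/log/suricata logstash`; the second one run before restarting the service shows whether the empty-looking listing in the thread is a missing-directory problem, an ownership problem, or both.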