stamusnetworks / selks
A Suricata based IDS/IPS/NSM distro
Home Page: https://www.stamus-networks.com/open-source/#selks
License: GNU General Public License v3.0
Hey, I tried to run Suricata as IPS on my machine. I have 3 NICs, so I want to use 2 NICs as a bridge and the 3rd as a management port, but SELKS reads only two NICs. I got it up using ifconfig eth2 up, but it seems eth2 is not getting an IP; it's like a sniff port, which will not let me do bridge mode, because I want my traffic to be monitored using Suricata IPS from WAN ----> LAN and vice versa. Is there anyone who can help me please? Thanks.
Can someone please help me out with this?
OperationalError at /suricata/
no such column: rules_rule.state_in_source
Request Method: GET
Request URL: https://192.168.6.27/suricata/
Django Version: 1.8.7
Exception Type: OperationalError
Exception Value:
no such column: rules_rule.state_in_source
Exception Location: /usr/local/lib/python2.7/dist-packages/django/db/backends/sqlite3/base.py in execute, line 318
Python Executable: /usr/bin/python
Python Version: 2.7.9
Python Path:
['/usr/local/lib/python2.7/dist-packages/git/ext/gitdb',
'/opt/selks/scirius',
'/usr/lib/python2.7',
'/usr/lib/python2.7/plat-x86_64-linux-gnu',
'/usr/lib/python2.7/lib-tk',
'/usr/lib/python2.7/lib-old',
'/usr/lib/python2.7/lib-dynload',
'/usr/local/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages/gtk-2.0',
'/usr/lib/pymodules/python2.7',
'/usr/local/lib/python2.7/dist-packages/gitdb/ext/smmap']
Server time: Mon, 29 Feb 2016 18:46:57 +0000
---------------Traceback-----------------------------
Environment:
Request Method: GET
Request URL: https://192.168.6.27/suricata/
Django Version: 1.8.7
Python Version: 2.7.9
Installed Applications:
('django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'django_tables2',
'bootstrap3',
'rules',
'suricata',
'accounts',
'revproxy')
Installed Middleware:
('django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'scirius.loginrequired.LoginRequiredMiddleware',
'scirius.utils.TimezoneMiddleware')
Traceback:
File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py" in get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
supp_rules = list(suri.ruleset.suppressed_rules.all())
self._fetch_all()
self._result_cache = list(self.iterator())
results = compiler.execute_sql()
cursor.execute(sql, params)
return super(CursorDebugWrapper, self).execute(sql, params)
return self.cursor.execute(sql, params)
six.reraise(dj_exc_type, dj_exc_value, traceback)
return self.cursor.execute(sql, params)
return Database.Cursor.execute(self, query, params)
Exception Type: OperationalError at /suricata/
Exception Value: no such column: rules_rule.state_in_source
Hey, syslog, kern.log, and messages are increasing in an insane way: 400GB filled in a couple of hours! I just checked them and what I saw was the same message, which is:
kernel :device eth2 left promiscuous mode
kernel : device eth2 enter promiscuous mode
till the hard disk is full.
I upgraded the server using apt-get update && apt-get upgrade. After the upgrade, I'm receiving this message on the web console:
ImproperlyConfigured at /rules/
Error importing module django.template.context_processors: "No module named context_processors"
Request Method: GET
Request URL: https://cohids.hutchgov.com/rules/
Django Version: 1.6.6
Exception Type: ImproperlyConfigured
Exception Value:
Error importing module django.template.context_processors: "No module named context_processors"
Exception Location: /usr/local/lib/python2.7/dist-packages/django/utils/importlib.py in import_module, line 40
Python Executable: /usr/bin/python
Python Version: 2.7.10
Python Path:
['/opt/selks/scirius',
'/usr/lib/python2.7/site-packages',
'/',
'/usr/lib/python2.7',
'/usr/lib/python2.7/plat-x86_64-linux-gnu',
'/usr/lib/python2.7/lib-tk',
'/usr/lib/python2.7/lib-old',
'/usr/lib/python2.7/lib-dynload',
'/usr/local/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages',
'/usr/lib/pymodules/python2.7',
'/usr/local/lib/python2.7/dist-packages/git/ext/gitdb',
'/usr/local/lib/python2.7/dist-packages/gitdb/ext/smmap']
Server time: Tue, 9 Feb 2016 20:54:49 +0000
Traceback
/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py in get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs) ...
/opt/selks/scirius/rules/views.py in index
return scirius_render(request, 'rules/index.html', context) ...
/opt/selks/scirius/scirius/utils.py in scirius_render
return render(request, template, context) ...
/usr/local/lib/python2.7/dist-packages/django/shortcuts/__init__.py in render
context_instance = RequestContext(request, current_app=current_app) ...
/usr/local/lib/python2.7/dist-packages/django/template/context.py in __init__
for processor in get_standard_processors() + processors: ...
/usr/local/lib/python2.7/dist-packages/django/template/context.py in get_standard_processors
func = import_by_path(path) ...
/usr/local/lib/python2.7/dist-packages/django/utils/module_loading.py in import_by_path
sys.exc_info()[2]) ...
/usr/local/lib/python2.7/dist-packages/django/utils/module_loading.py in import_by_path
module = import_module(module_path) ...
/usr/local/lib/python2.7/dist-packages/django/utils/importlib.py in import_module
__import__(name) ...
I've posted the complete error over at Pastebin: http://pastebin.com/NycXUeGD
Hi,
Is there a way to easily reset all stats/logs/alerts on SELKS?
I want to keep any custom config, but would like to start afresh with all the stats from the different dashboard.
Also, as I am running a VM, this would be useful to reset "captured" data before taking a snapshot so it reduces the size of the snapshot.
Cheers,
B.
I would like to deploy multiple IDS managed from a single place. It would be great if SELKS allowed for partial installations (or roles) so I can choose to install:
Not sure where Scirius belongs in this case, probably 1st point if it uses direct access to config files for management (and 2nd if remote access is supported).
Hey,
There are a couple of issues with user management in the SELKS 3.0 release.
Given this deep link:
https://1.2.3.4./accounts/manage/user/1/delete?confirm=1
the account deletion would happen without further confirmation.
Best practice is to ask for the account credentials (password) again, when performing such actions. Same for password changes. The old PW is issued, and then the new one 2x for confirmation.
Best,
Marius
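As an added illustration of the two safeguards the report above asks for (this is not Scirius's code and not part of the original issue), here is a framework-agnostic Python sketch of a delete-account handler: it refuses the GET deep link outright, checks a per-session CSRF token, and requires the requester's current password before removing the record. The `Request` class, the in-memory `users` dict and the PBKDF2 parameters are constructed for the example; the form field name `csrfmiddlewaretoken` follows Django's convention, but nothing here depends on Django.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2 work factor chosen for the example; a real deployment tunes this.
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Request:
    """Minimal stand-in for a web framework's request object (constructed for the example)."""

    def __init__(self, method, user, session, form=None, query=None):
        self.method = method      # "GET" or "POST"
        self.user = user          # id of the authenticated user
        self.session = session    # dict holding the session's CSRF token
        self.form = form or {}    # POST body fields
        self.query = query or {}  # query-string parameters, e.g. confirm=1


def delete_user_view(request, user_id, users):
    """
    Handle a request to delete account `user_id` from the `users` dict
    (user id -> (salt, digest)). Returns an HTTP-style status code.
    The deletion happens only when:
      1. the request is a POST (a GET deep link must never change state),
      2. the form carries the session's CSRF token,
      3. the requester re-enters their own current password.
    """
    if request.method != "POST":
        # A link such as /accounts/manage/user/1/delete?confirm=1 arrives as a GET:
        # it is rejected here regardless of the confirm parameter.
        return 405
    sent = request.form.get("csrfmiddlewaretoken", "")
    expected = request.session.get("csrf_token", "")
    if not sent or not hmac.compare_digest(sent, expected):
        return 403
    requester = users.get(request.user)
    if requester is None:
        return 403
    salt, digest = requester
    if not verify_password(request.form.get("current_password", ""), salt, digest):
        return 403
    if user_id not in users:
        return 404
    del users[user_id]
    return 200


def demo():
    """Run the three request shapes and return their status codes plus the surviving user ids."""
    users = {1: hash_password("admin-pass"), 2: hash_password("analyst-pass")}
    session = {"csrf_token": secrets.token_hex(16)}
    token = session["csrf_token"]
    # Deep link via GET, as in the report: must not delete anything.
    get_status = delete_user_view(Request("GET", 1, session, query={"confirm": "1"}), 2, users)
    # POST with a valid CSRF token but the wrong password: must not delete.
    bad_pw = delete_user_view(
        Request("POST", 1, session, form={"csrfmiddlewaretoken": token, "current_password": "wrong"}),
        2, users)
    # POST with a valid CSRF token and the correct current password: deletion proceeds.
    ok = delete_user_view(
        Request("POST", 1, session, form={"csrfmiddlewaretoken": token, "current_password": "admin-pass"}),
        2, users)
    return get_status, bad_pw, ok, sorted(users)


if __name__ == "__main__":
    print(demo())  # (405, 403, 200, [1])
```

The same pattern applies to password changes: the old password is verified in the handler before the new one is stored, so a leaked session cookie or a forged link alone is not enough to take over the account.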
When running the following script to install Oracle:
/opt/selks/Scripts/Java/setup-oracle-java_stamus.sh
The following error occurs:
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
libc6-dev : Depends: libc6 (= 2.19-18+deb8u3) but 2.19-18+deb8u4 is to be installed
E: Unable to correct problems, you have held broken packages.
I followed the SELKS Upgrades thinking the installed packages were out of date, but that was not the case.
Hello!
How to make 32-bit distro SELKS?
For various security updates in elasticsearch and logstash since the 1.x major release the repositories configured in staging/etc/apt/sources.list.d/elasticsearch.list should be updated if there are no breaking changes in the frontend packages for scirius or other depending software in SELKS.
Very painful for the LiveCD: after start you need to edit /etc/ssh/sshd_config to change PasswordAuthentication to yes and restart ssh.
You made me realize that I did not know what I wanted to do ;-)
In fact, what I want to do is to modify the ALERTS dashboard so it excludes some of the events. Any tutorials you could recommend ?
Thanks,
I got a corrupted desktop environment after dist-upgrade. What I see is that SELKS runs LXDE, so when I try to log in with the user it just logs me off directly, while I can log in through the CLI; using root I can log in through the GUI and CLI. When I try to access user settings it just stays loading and does not work. Any suggestions? Thanks.
Hi all,
I have trouble ssh-ing to the SELKS host.
Followed instructions from here :
http://steronius.blogspot.com/2014/10/ssh-no-matching-cipher-found.html
Solved most of the issue, but:
I'm getting this error when I try to run it:
Starting Scirius Django FastCGI servers: sciriusTraceback (most recent call last):
File "/opt/selks//scirius/manage.py", line 10, in <module>
execute_from_command_line(sys.argv)
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/core/management/__init__.py", line 443, in execute_from_command_line
utility.execute()
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/core/management/__init__.py", line 382, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/core/management/base.py", line 196, in run_from_argv
self.execute(*args, **options.__dict__)
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/core/management/base.py", line 231, in execute
self.validate()
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/core/management/base.py", line 266, in validate
num_errors = get_validation_errors(s, app)
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/core/management/validation.py", line 30, in get_validation_errors
for (app_name, error) in get_app_errors().items():
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/db/models/loading.py", line 158, in get_app_errors
self._populate()
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/db/models/loading.py", line 64, in _populate
self.load_app(app_name, True)
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/db/models/loading.py", line 88, in load_app
models = import_module('.models', app_name)
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/utils/importlib.py", line 35, in import_module
__import__(name)
File "/opt/selks/scirius/rules/models.py", line 72, in <module>
class Source(models.Model):
File "/opt/selks/scirius/rules/models.py", line 319, in Source
@transaction.atomic
AttributeError: 'module' object has no attribute 'atomic'
Hi,
Not so much an issue, but a limitation.
With the current SELKS installation/Setup, you do not get a chance to select your monitoring interface.
In most cases you will have 1 NIC for maintenance and 1 NIC for monitoring (and receiving your TAP traffic).
By default SELKS assumes your monitoring NIC is eth0
it then adds eth1 as an extra NIC to monitor.
The problem is that in most cases eth0 will be your maintenance NIC not your monitoring NIC.
So yes, you can just edit /etc/suricata/suricata.yaml and replace all eth0 with whatever is your monitoring NIC...
But here is the problem... when you update SELKS you sometimes get a new version of suricata.yaml and it is much easier to accept an overwrite with the new version (i.e.: recently there were new options added with SMTP).
In the end, I found it less prone to error to change my monitoring NIC to eth0.
But really, it would be great if at setup you were asked to specify what your monitoring NIC(s) and your maintenance NIC are (the one you don't want polluting your data).
And for that setting to be remembered, so next time you update SELKS and a new suricata.yaml file gets updated it would regenerate a correct suricata.yaml relevant to your system.
I'll drink to that :)
S.
The proposed live-build command:
sudo ./build-debian-live.sh -g no-desktop
fails with the following message for the scirius package:
Unpacking scirius (1.1.5-1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u3) ...
Setting up dbconfig-common (1.8.47+nmu3+deb8u1) ...
Creating config file /etc/dbconfig-common/config with new version
Setting up kibana-dashboards-stamus (2015052202) ...
All runlevel operations denied by policy
invoke-rc.d: policy-rc.d denied execution of start.
Setting up python-psutil (2.1.1-2) ...
Setting up python-tz (2012c+dfsg-0.1) ...
Setting up sqlite3 (3.8.7.1-1+deb8u1) ...
Setting up scirius (1.1.5-1) ...
dbconfig-common: writing config to /etc/dbconfig-common/scirius.conf
Creating config file /etc/dbconfig-common/scirius.conf with new version
creating database db.sqlite3: success.
verifying database db.sqlite3 exists: success.
populating database via scriptfile... Traceback (most recent call last):
File "manage.py", line 10, in <module>
execute_from_command_line(sys.argv)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 354, in execute_from_command_line
utility.execute()
File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 328, in execute
django.setup()
File "/usr/local/lib/python2.7/dist-packages/django/__init__.py", line 18, in setup
apps.populate(settings.INSTALLED_APPS)
File "/usr/local/lib/python2.7/dist-packages/django/apps/registry.py", line 85, in populate
app_config = AppConfig.create(entry)
File "/usr/local/lib/python2.7/dist-packages/django/apps/config.py", line 86, in create
module = import_module(entry)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "/usr/local/lib/python2.7/dist-packages/django_tables2/__init__.py", line 2, in <module>
from .tables import Table
File "/usr/local/lib/python2.7/dist-packages/django_tables2/tables.py", line 15, in <module>
from . import columns
File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/__init__.py", line 1, in <module>
from .base import library, BoundColumn, BoundColumns, Column
File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/base.py", line 10, in <module>
from django_tables2.utils import Accessor, AttributeDict, OrderBy, OrderByTuple
File "/usr/local/lib/python2.7/dist-packages/django_tables2/utils.py", line 111, in <module>
@six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'
Traceback (most recent call last):
File "manage.py", line 10, in <module>
execute_from_command_line(sys.argv)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 354, in execute_from_command_line
utility.execute()
File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 328, in execute
django.setup()
File "/usr/local/lib/python2.7/dist-packages/django/__init__.py", line 18, in setup
apps.populate(settings.INSTALLED_APPS)
File "/usr/local/lib/python2.7/dist-packages/django/apps/registry.py", line 85, in populate
app_config = AppConfig.create(entry)
File "/usr/local/lib/python2.7/dist-packages/django/apps/config.py", line 86, in create
module = import_module(entry)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "/usr/local/lib/python2.7/dist-packages/django_tables2/__init__.py", line 2, in <module>
from .tables import Table
File "/usr/local/lib/python2.7/dist-packages/django_tables2/tables.py", line 15, in <module>
from . import columns
File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/__init__.py", line 1, in <module>
from .base import library, BoundColumn, BoundColumns, Column
File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/base.py", line 10, in <module>
from django_tables2.utils import Accessor, AttributeDict, OrderBy, OrderByTuple
File "/usr/local/lib/python2.7/dist-packages/django_tables2/utils.py", line 111, in <module>
@six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'
Traceback (most recent call last):
File "manage.py", line 10, in <module>
execute_from_command_line(sys.argv)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 354, in execute_from_command_line
utility.execute()
File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 328, in execute
django.setup()
File "/usr/local/lib/python2.7/dist-packages/django/__init__.py", line 18, in setup
apps.populate(settings.INSTALLED_APPS)
File "/usr/local/lib/python2.7/dist-packages/django/apps/registry.py", line 85, in populate
app_config = AppConfig.create(entry)
File "/usr/local/lib/python2.7/dist-packages/django/apps/config.py", line 86, in create
module = import_module(entry)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "/usr/local/lib/python2.7/dist-packages/django_tables2/__init__.py", line 2, in <module>
from .tables import Table
File "/usr/local/lib/python2.7/dist-packages/django_tables2/tables.py", line 15, in <module>
from . import columns
File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/__init__.py", line 1, in <module>
from .base import library, BoundColumn, BoundColumns, Column
File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/base.py", line 10, in <module>
from django_tables2.utils import Accessor, AttributeDict, OrderBy, OrderByTuple
File "/usr/local/lib/python2.7/dist-packages/django_tables2/utils.py", line 111, in <module>
@six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'
Traceback (most recent call last):
File "manage.py", line 10, in <module>
execute_from_command_line(sys.argv)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 354, in execute_from_command_line
utility.execute()
File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 328, in execute
django.setup()
File "/usr/local/lib/python2.7/dist-packages/django/__init__.py", line 18, in setup
apps.populate(settings.INSTALLED_APPS)
File "/usr/local/lib/python2.7/dist-packages/django/apps/registry.py", line 85, in populate
app_config = AppConfig.create(entry)
File "/usr/local/lib/python2.7/dist-packages/django/apps/config.py", line 86, in create
module = import_module(entry)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "/usr/local/lib/python2.7/dist-packages/django_tables2/__init__.py", line 2, in <module>
from .tables import Table
File "/usr/local/lib/python2.7/dist-packages/django_tables2/tables.py", line 15, in <module>
from . import columns
File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/__init__.py", line 1, in <module>
from .base import library, BoundColumn, BoundColumns, Column
File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/base.py", line 10, in <module>
from django_tables2.utils import Accessor, AttributeDict, OrderBy, OrderByTuple
File "/usr/local/lib/python2.7/dist-packages/django_tables2/utils.py", line 111, in <module>
@six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'
/
done.
Traceback (most recent call last):
File "manage.py", line 10, in <module>
execute_from_command_line(sys.argv)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 354, in execute_from_command_line
utility.execute()
File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 328, in execute
django.setup()
File "/usr/local/lib/python2.7/dist-packages/django/__init__.py", line 18, in setup
apps.populate(settings.INSTALLED_APPS)
File "/usr/local/lib/python2.7/dist-packages/django/apps/registry.py", line 85, in populate
app_config = AppConfig.create(entry)
File "/usr/local/lib/python2.7/dist-packages/django/apps/config.py", line 86, in create
module = import_module(entry)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "/usr/local/lib/python2.7/dist-packages/django_tables2/__init__.py", line 2, in <module>
from .tables import Table
File "/usr/local/lib/python2.7/dist-packages/django_tables2/tables.py", line 15, in <module>
from . import columns
File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/__init__.py", line 1, in <module>
from .base import library, BoundColumn, BoundColumns, Column
File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/base.py", line 10, in <module>
from django_tables2.utils import Accessor, AttributeDict, OrderBy, OrderByTuple
File "/usr/local/lib/python2.7/dist-packages/django_tables2/utils.py", line 111, in <module>
@six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'
dpkg: error processing package scirius (--configure):
subprocess installed post-installation script returned error exit status 1
Processing triggers for systemd (215-17+deb8u3) ...
Errors were encountered while processing:
scirius
E: Sub-process /usr/bin/dpkg returned an error code (1)
E: config/hooks/chroot-inside-Debian-Live.chroot failed (exit non-zero). You should check for errors.
P: Begin unmounting filesystems...
P: Saving caches...
Reading package lists...
Building dependency tree...
Reading state information...
mv: der Aufruf von stat für „live-image-amd64.hybrid.iso“ ist nicht möglich: Datei oder Verzeichnis nicht gefunden
This is probably an issue with the python-six and/or python-django versions available in the chroot. Adding python-six to build-debian-live.sh at line 308 did not help.
Hello,
First of all, sorry for my basic English ^^
I just installed SELKS. Thanks guys, I tried so many times to install ES+Logstash+Kibana and Suricata and it didn't work... With SELKS it's magic! But I just want to add prelude support to the same configuration, because I will install Prewikka with Prelude-IDS on the same machine.
How can I install prelude support in Suricata without corrupting the current configuration?
Hi!
First thank you for this amazing project!
I'm wondering if there is any reason why you still use Kibana 3 in the SELKS distro? And is there any way to upgrade Kibana from version 3 to 4 in the distro?
Unescaped percent signs are converted into newlines when used in a cron command line,
so the documentation here is wrong: https://github.com/StamusNetworks/SELKS/wiki/Data-lifecycle
I mean, okay, it works from the command line, but not from cron.
Maybe an (untested) fix would be:
--timestring '\%Y.\%m.\%d'
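To make the cron behaviour described above concrete, here is an added Python example (not from the SELKS wiki or the project) that simulates cron's treatment of `%` in the command field and escapes a command line so that crontab passes it through unchanged. The `/usr/local/bin/cleanup ... --timestring` command is a constructed placeholder standing in for the command line on the wiki page; the simulation follows the crontab(5) rule that the first unescaped `%` ends the command, later ones become newlines, and everything after the first `%` is fed to the command on standard input.

```python
# Constructed placeholder for a data-lifecycle command that carries strftime-style
# percent signs. From an interactive shell it runs as written; from cron it does not.
SAMPLE_COMMAND = "/usr/local/bin/cleanup --timestring '%Y.%m.%d' --older-than 30"


def cron_split_command(line):
    """
    Simulate how cron interprets the command field of a crontab line.
    The first unescaped '%' terminates the command; every later unescaped
    '%' becomes a newline; the text after the first '%' is sent to the
    command on stdin. A backslash-escaped '\\%' is passed as a literal '%'.
    Returns (command_as_cron_runs_it, stdin_text).
    """
    command, stdin = [], []
    target = command
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] == "%":
            target.append("%")        # escaped: literal percent sign
            i += 2
            continue
        if ch == "%":
            if target is command:
                target = stdin        # first %: the command ends here
            else:
                target.append("\n")   # later %: newline in stdin
            i += 1
            continue
        target.append(ch)
        i += 1
    return "".join(command), "".join(stdin)


def escape_cron_percent(command):
    """Backslash-escape every not-yet-escaped '%' so cron leaves the command intact."""
    out = []
    i = 0
    while i < len(command):
        if command[i] == "\\" and i + 1 < len(command) and command[i + 1] == "%":
            out.append("\\%")         # already escaped: keep as-is (idempotent)
            i += 2
        elif command[i] == "%":
            out.append("\\%")
            i += 1
        else:
            out.append(command[i])
            i += 1
    return "".join(out)


def demo():
    """Show what cron would run for the raw and the escaped command."""
    raw_cmd, raw_stdin = cron_split_command(SAMPLE_COMMAND)
    escaped = escape_cron_percent(SAMPLE_COMMAND)
    fixed_cmd, fixed_stdin = cron_split_command(escaped)
    return {
        "raw_command": raw_cmd,       # truncated at the first %
        "raw_stdin": raw_stdin,       # the rest, with % turned into newlines
        "escaped_line": escaped,      # what belongs in the crontab
        "fixed_command": fixed_cmd,   # identical to SAMPLE_COMMAND
        "fixed_stdin": fixed_stdin,   # empty
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The escaped line is exactly the `\%Y.\%m.\%d` form proposed above; running the escaped command through the simulator returns the original command with nothing on stdin, which is what the wiki's documented command needs in order to behave the same from cron as from an interactive shell.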
Hi!
I just installed Suricata IDPS on my system, and after that I ran pytbull to have a few tests of this system. I updated the latest rules with oinkmaster, but the test results show that there is no shellcodes or fragmentedPackets detection; in fact 60% of the results are 'no detection'. I followed the documentation to set up Suricata, and I checked the rules file: there is a rule called 'emerging-shellcodes', and I also uncommented all the rules in suricata.yaml. I have no idea what to do next...
Any help? ..
Thanks!
bootstrap.mlockall: true
is not uncommented as expected by the script in the elasticsearch.yaml
There is the same issue with the uncommenting of "discovery"
Errors and tracebacks from master. Built on Wheezy. Need a full build log?
Setting up scirius (0.8-1) ...^M
dbconfig-common: writing config to /etc/dbconfig-common/scirius.conf^M
^M
Creating config file /etc/dbconfig-common/scirius.conf with new version^M
creating database db.sqlite3: success.^M
verifying database db.sqlite3 exists: success.^M
populating database via scriptfile... Syncing...^M
Traceback (most recent call last):^M
File "manage.py", line 10, in ^M
execute_from_command_line(sys.argv)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 385, in execute_from_command_line^M
utility.execute()^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 377, in execute^M
self.fetch_command(subcommand).run_from_argv(self.argv)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 288, in run_from_argv^M
self.execute(_args, *_options.dict)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 338, in execute^M
output = self.handle(_args, _options)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 533, in handle^M
return self.handle_noargs(_options)^M
File "/usr/local/lib/python2.7/dist-packages/south/management/commands/syncdb.py", line 82, in handle_noargs^M
old_app_store, cache.app_store = cache.app_store, SortedDict([^M
AttributeError: 'Apps' object has no attribute 'app_store'^M
Traceback (most recent call last):^M
File "manage.py", line 10, in ^M
execute_from_command_line(sys.argv)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 385, in execute_from_command_line^M
utility.execute()^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 377, in execute^M
self.fetch_command(subcommand).run_from_argv(self.argv)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 288, in run_from_argv^M
self.execute(_args, *_options.dict)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 338, in execute^M
output = self.handle(_args, **options)^M
File "/usr/local/lib/python2.7/dist-packages/south/management/commands/migrate.py", line 111, in handle^M
ignore_ghosts = ignore_ghosts,^M
File "/usr/local/lib/python2.7/dist-packages/south/migration/init.py", line 200, in migrate_app^M
applied_all = check_migration_histories(applied_all, delete_ghosts, ignore_ghosts)^M
File "/usr/local/lib/python2.7/dist-packages/south/migration/init.py", line 79, in check_migration_histories^M
for h in histories:^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 141, in iter^M
self._fetch_all()^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 966, in _fetch_all^M
self._result_cache = list(self.iterator())^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 265, in iterator^M
for row in compiler.results_iter():^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/sql/compiler.py", line 700, in results_iter^M
for rows in self.execute_sql(MULTI):^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/sql/compiler.py", line 786, in execute_sql^M
cursor.execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 81, in execute^M
return super(CursorDebugWrapper, self).execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 65, in execute^M
return self.cursor.execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/utils.py", line 94, in exit^M
six.reraise(dj_exc_type, dj_exc_value, traceback)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 65, in execute^M
return self.cursor.execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/sqlite3/base.py", line 485, in execute^M
return Database.Cursor.execute(self, query, params)^M
django.db.utils.OperationalError: no such table: south_migrationhistory^M
Traceback (most recent call last):^M
File "manage.py", line 10, in ^M
execute_from_command_line(sys.argv)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 385, in execute_from_command_line^M
utility.execute()^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 377, in execute^M
self.fetch_command(subcommand).run_from_argv(self.argv)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 288, in run_from_argv^M
self.execute(_args, *_options.dict)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 338, in execute^M
output = self.handle(_args, *_options)^M
File "/usr/local/lib/python2.7/dist-packages/south/management/commands/migrate.py", line 111, in handle^M
ignore_ghosts = ignore_ghosts,^M
File "/usr/local/lib/python2.7/dist-packages/south/migration/init.py", line 200, in migrate_app^M
applied_all = check_migration_histories(applied_all, delete_ghosts, ignore_ghosts)^M
File "/usr/local/lib/python2.7/dist-packages/south/migration/init.py", line 79, in check_migration_histories^M
for h in histories:^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 141, in iter^M
self._fetch_all()^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 966, in _fetch_all^M
self._result_cache = list(self.iterator())^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 265, in iterator^M
for row in compiler.results_iter():^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/sql/compiler.py", line 700, in results_iter^M
for rows in self.execute_sql(MULTI):^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/sql/compiler.py", line 786, in execute_sql^M
cursor.execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 81, in execute^M
return super(CursorDebugWrapper, self).execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 65, in execute^M
return self.cursor.execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/utils.py", line 94, in exit^M
six.reraise(dj_exc_type, dj_exc_value, traceback)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 65, in execute^M
return self.cursor.execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/sqlite3/base.py", line 485, in execute^M
return Database.Cursor.execute(self, query, params)^M
django.db.utils.OperationalError: no such table: south_migrationhistory^M
/usr/local/lib/python2.7/dist-packages/django/db/models/fields/init.py:1278: RuntimeWarning: DateTimeField Source.created_date received a naive datetime (2014-09-04 08:49:14.821104) while time zone support is active.
RuntimeWarning)
Traceback (most recent call last):
File "manage.py", line 10, in
execute_from_command_line(sys.argv)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 385, in execute_from_command_line
utility.execute()
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 377, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 288, in run_from_argv
self.execute(_args, *_options.dict)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 338, in execute
output = self.handle(_args, *_options)
File "/opt/selks/scirius/rules/management/commands/addsource.py", line 40, in handle
datatype = datatype)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/manager.py", line 92, in manager_method
return getattr(self.get_queryset(), name)(_args, *_kwargs)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 372, in create
obj.save(force_insert=True, using=self.db)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/base.py", line 590, in save
force_update=force_update, update_fields=update_fields)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/base.py", line 618, in save_base
updated = self._save_table(raw, cls, force_insert, force_update, using, update_fields)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/base.py", line 699, in _save_table
result = self._do_insert(cls._base_manager, using, fields, update_pk, raw)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/base.py", line 732, in _do_insert
using=using, raw=raw)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/manager.py", line 92, in manager_method
return getattr(self.get_queryset(), name)(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 921, in _insert
return query.get_compiler(using=using).execute_sql(return_id)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/sql/compiler.py", line 920, in execute_sql
cursor.execute(sql, params)
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 81, in execute
return super(CursorDebugWrapper, self).execute(sql, params)
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 65, in execute
return self.cursor.execute(sql, params)
File "/usr/local/lib/python2.7/dist-packages/django/db/utils.py", line 94, in __exit__
six.reraise(dj_exc_type, dj_exc_value, traceback)
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 65, in execute
return self.cursor.execute(sql, params)
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/sqlite3/base.py", line 485, in execute
return Database.Cursor.execute(self, query, params)
django.db.utils.OperationalError: no such table: rules_source
E: config/hooks/chroot-inside-Debian-Live.chroot failed (exit non-zero). You should check for errors.
Hey guys,
Thank you for providing SELKS. I really like it. I have been playing with the 3.0 RC1 build and have noticed a problem with Elasticsearch not wanting to start after running apt-get update && upgrade; I am now getting "Unable to get data from Elasticsearch" in Scirius and have also lost all of the functionality of Kibana and EveBox since the update.
Before running the update I was observing that it was very sluggish, would often make Kibana time out when performing queries, and I wasn't able to search Events in EveBox.
Can you guys help me get back up and running?
Having a live ISO is excellent, but since it's Debian-based I'd like to be able to bring my own Debian system, installed in a container, up to speed with SELKS by plugging in the appropriate repositories and running an update.
That would be very useful because it would allow supporting all the virtualisation solutions out there without bothering to make images or instructions for each one of them.
During the live-build process the following gpg pubkeys are not verified:
W: GPG error: http://dl.bintray.com jessie Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5BCF00E8E6530A4A
W: GPG error: http://packages.stamus-networks.com jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 83FC65E703FC3237
W: GPG error: http://packages.elasticsearch.org stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D27D666CD88E42B4
It would be a good idea to include them during the build process so that package verification works properly.
I wanted to make elasticsearch status green on single-node.
Here's what I did :
leafpad /etc/elasticsearch/elasticsearch.yml
Uncomment :
index.number_of_shards: 1
index.number_of_replicas: 0
curl -XDELETE 'http://localhost:9200/_all'
Now it's green all right. The curl command was a little brutal; all I miss are the dashboards in the "Stamus" menu. How do I bring them back? I will re-customize.
Also, a curl command that clears the unassigned shards without killing everything else would not be a bad idea :P
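As an added example (not SELKS or Elasticsearch project code) of the gentler alternative asked for above: rather than deleting every index, list the shards, pick the indices whose only unassigned shards are replicas, and set number_of_replicas to 0 on just those. It assumes Elasticsearch on localhost:9200 as in the post, an ES version whose _cat API accepts format=json, and Python 3; the shard listing at the bottom is a constructed sample.

```python
# Added example (not SELKS or Elasticsearch project code), Python 3: instead of
# DELETE /_all, find indices whose replica shards sit UNASSIGNED on a single
# node and set number_of_replicas to 0 on just those. Assumes ES on localhost:9200.
import json
import urllib.request

ES_URL = "http://localhost:9200"

def indices_with_unassigned_replicas(shards):
    """shards: dicts in the shape of GET /_cat/shards?format=json (keys index,
    shard, prirep, state). Returns (fixable, broken): indices whose unassigned
    shards are all replicas, and indices with an unassigned primary. A missing
    primary is missing data; lowering replicas would hide it, so only report."""
    replicas, primaries = set(), set()
    for s in shards:
        if s["state"] == "UNASSIGNED":
            (primaries if s["prirep"] == "p" else replicas).add(s["index"])
    return sorted(replicas - primaries), sorted(primaries)

def replica_settings_body(replicas=0):
    """Body for PUT /<index>/_settings."""
    return json.dumps({"index": {"number_of_replicas": replicas}})

def es_request(method, path, body=None):
    data = body.encode() if body is not None else None
    req = urllib.request.Request(ES_URL + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())

def clear_unassigned_replicas(dry_run=True):
    """Live run against the node; dry_run=True only reports the plan."""
    fixable, broken = indices_with_unassigned_replicas(
        es_request("GET", "/_cat/shards?format=json"))
    for index in fixable:
        print("number_of_replicas=0 ->", index)
        if not dry_run:
            es_request("PUT", "/%s/_settings" % index, replica_settings_body(0))
    for index in broken:
        print("unassigned PRIMARY (restore needed, not a settings change):", index)
    return fixable, broken

# Constructed sample in the _cat/shards JSON shape, not from a real node;
# kibana-int is where Kibana 3 stores saved dashboards, which DELETE /_all removed.
SAMPLE_SHARDS = [
    {"index": "logstash-2016.02.29", "shard": "0", "prirep": "p", "state": "STARTED"},
    {"index": "logstash-2016.02.29", "shard": "0", "prirep": "r", "state": "UNASSIGNED"},
    {"index": "kibana-int", "shard": "0", "prirep": "p", "state": "STARTED"},
    {"index": "kibana-int", "shard": "0", "prirep": "r", "state": "UNASSIGNED"},
    {"index": "logstash-2016.02.28", "shard": "0", "prirep": "p", "state": "UNASSIGNED"},
]
```

The uncommented index.number_of_replicas: 0 in elasticsearch.yml only covers indices created afterwards, which is why existing ones still need the per-index settings call.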
Hello,
I'm a new user using SELKS in production and I'm just discovering Kibana dashboards.
I can see other flow but I'm surprised not to see any SMTP logs in this dashboard:
https://myselkserver/log/#/dashboard/elasticsearch/SMTP
It's a fresh install and this tutorial has already been followed and applied:
https://github.com/StamusNetworks/SELKS/wiki/Running-SELKS-in-production
I surely missed something, but what?
Explore the 1.6.6 dependency and find a possible solution for negating it -
https://github.com/StamusNetworks/SELKS/blob/master/staging/config/hooks/chroot-inside-Debian-Live.chroot#L23
On a fresh install of SELKS, applying a ruleset like the following results in a failure:
Reported by Victor Julien aka @inliniac
per the read me here
If you wish to remotely (from a different PC on your network) access the dashboards you could do that as follows (in your browser):
https://your.selks.IP.here/rules/ - Scirius ruleset management
https://your.selks.IP.here/log/ - Kibana, and click the folder icon for a list of dashboards
You need to authenticate to access to the web interface. The default user/password is the same as for local access: selks-user/selks-user. Don't forget to change credentials at first login. You can do that by going to Account settings in the top left dropdown menu of Scirius.
We tried the bold section to access kibana from remote box, but it failed with
Page not found (404)
Request Method: GET
Request URL: https://10.65.104.182/log
Using the URLconf defined in scirius.urls, Django tried these URL patterns, in this order:
^admin/
^rules/
^accounts/
^suricata/
^$
^(?P<path>app/kibana.*)$
^(?P<path>timelion/.*)$
^(?P<path>bundles/.*)$
^kibana/(?P<path>.*)$
^elasticsearch/(?P<path>.*)$
^evebox/(?P<path>.*)$
The current URL, log, didn't match any of these.
We have authenticated with the default credentials; what else did we miss?
Thanks!
Logstash takes src_ip or dest_ip for Geo location which is fine for other protocols, but it should take [dns.rdata] for DNS as scr_ip could be local DNS IP.
MISP is a platform to exchange IOCs.
It would be great to have integration with it, more specifically to download the MD5 from MISP, and then search for those in the ELK.
MISP has a key-authenticated REST API available.
Existing MISP data types that might be of interest to be used for lookups: ip, hostname, url, filename, mutex, email, user-agent, email subject, email attachment. New data types to be implemented in the future: URI-regexp, filename-regexp, SSL certificates attributes.
I can arrange access to a MISP instance hosting IOCs if you need it for testing.
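An added example of the integration sketched above (not SELKS, Scirius or MISP project code): pull MD5 attributes flagged for detection from MISP's key-authenticated REST API and hunt for them in Suricata EVE fileinfo events, either through an Elasticsearch query or straight over eve.json lines. Assumptions not taken from the issue: MISP's /attributes/restSearch endpoint and its {"response": {"Attribute": [...]}} reply shape, fileinfo.md5 being present in EVE (md5 hashing enabled in suricata.yaml), the SELKS index pattern logstash-*, and Python 3; the MISP reply and EVE lines at the bottom are constructed samples.

```python
# Added example (not SELKS, Scirius or MISP project code), Python 3: pull MD5
# attributes flagged to_ids from MISP, hunt for them in Suricata EVE fileinfo events
# (ES query or raw eve.json). Assumed, not from the issue: MISP's /attributes/restSearch
# endpoint and reply shape, fileinfo.md5 in EVE (md5 hashing on), index logstash-*.
import json
import re
import urllib.request

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def misp_md5_values(reply):
    """Lowercase MD5 set from a restSearch reply; non-to_ids and malformed values dropped."""
    out = set()
    for attr in reply.get("response", {}).get("Attribute", []):
        if attr.get("type") == "md5" and attr.get("to_ids", False):
            value = str(attr.get("value", "")).strip().lower()
            if MD5_RE.match(value):
                out.add(value)
    return out

def fetch_misp_md5s(base_url, api_key):
    """Live MISP call over its key-authenticated REST API."""
    body = json.dumps({"returnFormat": "json", "type": "md5", "to_ids": 1}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/attributes/restSearch", data=body, method="POST")
    for k, v in (("Authorization", api_key), ("Accept", "application/json"), ("Content-Type", "application/json")):
        req.add_header(k, v)
    with urllib.request.urlopen(req) as resp:
        return misp_md5_values(json.loads(resp.read().decode()))

def es_fileinfo_query(hashes, size=100):
    """Body for POST /logstash-*/_search: fileinfo events whose md5 is in hashes."""
    return {"size": size, "query": {"bool": {"must": [
        {"term": {"event_type": "fileinfo"}},
        {"terms": {"fileinfo.md5": sorted(hashes)}}]}}}

def match_eve_lines(eve_lines, hashes):
    """Offline equivalent of the ES query, run over raw eve.json lines."""
    hits = []
    for line in eve_lines:
        ev = json.loads(line)
        md5 = str(ev.get("fileinfo", {}).get("md5", "")).lower()
        if ev.get("event_type") == "fileinfo" and md5 in hashes:
            hits.append((ev["timestamp"], ev["src_ip"], ev["dest_ip"], md5))
    return hits

# Constructed samples (MD5 test vectors of "" and "a", not real indicators).
SAMPLE_MISP = {"response": {"Attribute": [
    {"type": "md5", "to_ids": True, "value": "D41D8CD98F00B204E9800998ECF8427E"},
    {"type": "md5", "to_ids": False, "value": "0cc175b9c0f1b6a831c399e269772661"},
    {"type": "sha1", "to_ids": True, "value": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    {"type": "md5", "to_ids": True, "value": "not-a-hash"}]}}
SAMPLE_EVE = [
    '{"timestamp":"2016-03-01T10:00:00.000000+0000","event_type":"fileinfo","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","fileinfo":{"filename":"/setup.exe","md5":"d41d8cd98f00b204e9800998ecf8427e"}}',
    '{"timestamp":"2016-03-01T10:00:01.000000+0000","event_type":"dns","src_ip":"192.0.2.10","dest_ip":"192.0.2.1"}',
]
```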
With PR #49 evebox is now bound to localhost. The following change is required in /etc/scirius/local_settings.py but I could not find the original source for this:
diff -u /etc/scirius/local_settings.py.orig etc/scirius/local_settings.py
--- /etc/scirius/local_settings.py.orig 2016-07-11 10:22:26.466937756 -0500
+++ etc/scirius/local_settings.py 2016-07-11 10:22:33.950948651 -0500
@@ -31,7 +31,7 @@
#SURICATA_UNIX_SOCKET = "/var/run/suricata/suricata-command.socket"
USE_EVEBOX = True
-EVEBOX_ADDRESS = "selks:5636"
+EVEBOX_ADDRESS = "localhost:5636"
USE_SURICATA_STATS = True
USE_LOGSTASH_STATS = True
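Review bot: the `+EVEBOX_ADDRESS = "localhost:5636"` line hardcodes that Scirius and evebox run on the same host, which PR #49's localhost binding now requires; add a comment next to the setting stating that coupling (for example `# evebox listens on localhost only since PR #49`) so the next person who splits the two services knows to change both sides. Separately, the `+++ etc/scirius/local_settings.py` header drops the leading `/` that the `---` line has, so `patch -p0` would look for a relative path; use the same absolute path on both header lines.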
This also prevents being taken to the wrong SELKS instance in the case of issue #48.
Hi,
Is there any way to change the colours of the alert severity in the ALERT dashboard (ALERT SEVERITY)?
Right now I have Severity one showing as green, Severity two as blue and severity 2 as orange...
A more standard Red, Orange, Green would make it easier to understand the graph.
Or at least having some kind of logic in the colours, severe = red, not important = green/blue
(unless there is already a logic I missed :)
I wouldn't see any options to change the colours, so I am wondering if there is any way to change that?
Thanks,
B.
When I try to delete an added source I get a Django error and Scirius crashes; it seems the source is deleted from the DB but is still in Scirius.
DoesNotExist at /rules/source/18/delete
SourceAtVersion matching query does not exist.
Request Method: POST
Request URL: https://hq-ips/rules/source/18/delete
Django Version: 1.8.4
Exception Type: DoesNotExist
Exception Value:
SourceAtVersion matching query does not exist.
Exception Location: /usr/local/lib/python2.7/dist-packages/django/db/models/query.py in get, line 334
Python Executable: /usr/bin/python
Python Version: 2.7.9
Python Path:
['/usr/local/lib/python2.7/dist-packages/git/ext/gitdb',
'/opt/selks/scirius',
'/usr/lib/python2.7',
'/usr/lib/python2.7/plat-x86_64-linux-gnu',
'/usr/lib/python2.7/lib-tk',
'/usr/lib/python2.7/lib-old',
'/usr/lib/python2.7/lib-dynload',
'/usr/local/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages/gtk-2.0',
'/usr/lib/pymodules/python2.7',
'/usr/local/lib/python2.7/dist-packages/gitdb/ext/smmap']
Hi, I am using Selks 2.1, and right now I am having some difficulties viewing data in Scirius.
I can view data in Kibana, but Scirius does not show any data about Suricata (Alert Activity, Rules Activity, Capture Stats, Memory Usage, Problem indicators).
Hopefully someone can help pointing out what I am missing. Thanks.
Hi there, new to Selks, bear with me.
I would like to change some event(s) from "alert" to something else. What is the best way to do that?
Also, are there stickies in here ? I have found a couple issues that I have solved that I think many people are going to bump into.
Thanks
Michel.
If you configure SELKS to run behind a proxy on a port other than 443 you won't be able to connect to the Elasticsearch dashboards from Kibana, because Kibana's config.js file has the port number hardcoded.
You should change elasticsearch variable from:
elasticsearch: "https://"+window.location.hostname+":443/elasticsearch",
to
elasticsearch: "/elasticsearch",
I just installed SELKS, but after the GRUB loader it gets stuck at a black screen..
Hi,
Is it possible to get automated alerts and summary through emails?
What I am after is:
As plain text would be enough.
The "cherry on the top" would be to also include the timeline graph, so it gives you an idea of when those alerts took place in the day/week/month.
I would find this useful because once your NSM is all set up nicely, you can kind of forget about it... and just check that daily email to see what the top 10 alerts were. If for example you see an alert related to a Windows EXE installation file and you have actually updated your Windows server that day, then you know you can ignore it.... on the other hand, if there was no update, that might be a reason to connect to your SELKS environment and investigate further.
Thanks,
B.
Hi Again,
Is it possible to do a basic DNS/WHOIS lookup against an IP from the GUI/Dashboard?
When troubleshooting an alert, it is quite useful to have some basic info about the IP (i.e.: who owns it). I can see there is geo location data, which is great, but more useful is info about the owner of that IP!
Is it available already from the dashboard when looking at the different alerts?
Thanks.
B.
The data that is being pushed into ES has the wrong datetime.
I have set the system to the PDT timezone, but it is inserting data into ES with dates from 18 hours earlier.
I'm not sure where the issue is, maybe in suricata or logstash?
I tried setting the system to UTC, and restarting everything. Same issue.
Any suggestions?
Hi there,
I have a 1280x1024 monitor but Selks 2.0 allows me to do only 1024x768.
By following the output of "cvt 1280 1024" I found that the following lines do what I need, but the setting does not save.
xrandr --newmode "1280x1024" 109.00 1280 1368 1496 1712 1024 1027 1034 1063 -hsync +vsync
xrandr --addmode VGA1 "1280x1024"
xrandr --output VGA1 --mode "1280x1024"
It switches to 1280x1024 just fine; in Preferences -> Monitor Settings, the newly created resolution 1280x1024 becomes available and it allows me to save (I believe this is lxrandr), but it does not survive a reboot. Attempts to monkey inside /etc/X11/xorg.conf have been unsuccessful so far.
If I need to add the 3 xrandr lines to a startup script, what is the best place?
Thanks.
Hi there,
I installed SELKS 2.0 on 4 different hardware setups so far (2 Intel, 2 AMD). On all of them, the CPU speed was locked to the minimum CPU speed (possibly: power save) speed even if there was heavy CPU load.
What worked for me:
apt-get install cpufreqd
(no other tinkering)
Now, it appears to be "on-demand".
I respectfully suggest that cpufreqd is installed by default in the next SELKS release.
Not much going on:
selks-user@SELKS:~$ grep -E '^model name|^cpu MHz' /proc/cpuinfo
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 1647.292
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 2037.750
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 2580.960
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 1865.015
Much going on:
selks-user@SELKS:~$ grep -E '^model name|^cpu MHz' /proc/cpuinfo
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 3300.000
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 3300.000
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 3300.000
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 3300.000
Hi,
I just did an apt-get update/upgrade; the last upgrade I did before that was in November 2015.
Everything seems to have worked; it did tell me I had to upgrade my DB, which I accepted.
But now, if I go to any URL, I get the following error:
(rebooting does not solve the problem)
ImproperlyConfigured at /accounts/login/
Error importing module django.template.context_processors: "No module named context_processors"
Request Method: GET
Request URL: https://selks/accounts/login/
Django Version: 1.6.6
Exception Type: ImproperlyConfigured
Exception Value:
Error importing module django.template.context_processors: "No module named context_processors"
Exception Location: /usr/local/lib/python2.7/dist-packages/django/utils/importlib.py in import_module, line 40
Python Executable: /usr/bin/python
Python Version: 2.7.9
Python Path:
['/usr/local/lib/python2.7/dist-packages/git/ext/gitdb',
'/opt/selks/scirius',
'/usr/lib/python2.7',
'/usr/lib/python2.7/plat-x86_64-linux-gnu',
'/usr/lib/python2.7/lib-tk',
'/usr/lib/python2.7/lib-old',
'/usr/lib/python2.7/lib-dynload',
'/usr/local/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages/gtk-2.0',
'/usr/lib/pymodules/python2.7',
'/usr/local/lib/python2.7/dist-packages/gitdb/ext/smmap']
Server time: Sat, 30 Jan 2016 17:49:21 +0000
Setting the mapping of all src/dst IP fields to type "ip" would allow more flexible searching (range, network) on IP addresses. Ref: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/mapping-ip-type.html
First I installed SELKS 3.0rc1 in a VM (bridge networking) using the default hostname and all is fine.
Later I created another SELKS VM, but gave this one the hostname of "SELKS-dev". In SELKS-dev (desktop installed), I opened Scirius from the desktop icon which takes me to "https://selks/rules/". This actually took me to my other VM instance with the hostname "SELKS", not the VM I was running.
Navigating to "https://selks-dev/rules/" or "https://localhost/rules" takes me to the correct instance.
Hi,
This is related to the issue I raised on the Suricata github:
https://redmine.openinfosecfoundation.org/issues/1533
Why is rule 2000419 disabled? It does not appear as disabled in Scirius...
Could you please tell me where else it has been disabled? (So I can re-enable it again!)
This is a very useful rule to detect Windows Update activity on the network, and some people, like me, are interested in seeing those events :)
Thanks.