stamusnetworks / selks Goto Github PK

View Code? Open in Web Editor NEW

1.4K 98.0 278.0 10.69 MB

A Suricata based IDS/IPS/NSM distro

Home Page: https://www.stamus-networks.com/open-source/#selks

License: GNU General Public License v3.0

Shell 97.17% HTML 1.42% Dockerfile 1.41%

suricata network security monitoring management ids ips linux distribution security-monitoring

selks's People

Contributors

Stargazers

Watchers

Forkers

decanio 2xyo noyiba bemonolit triplekill robic spacepenguin pkdavies lengxu securextools bifrozt rrosero2000 jasonish gregorymichaelmeyer d1eg0v noahkunin securityigi mrzed wwwiretap 4sp1r3 cloudxtreme jwoschitz awesome-security sidneywebba alex1528 khanchan amesianx kurobeats drone789 lestums xxoxx maitrenem zhuomingliang austin-taylor ubuntuevangelist schlunsen tidyhuang tkuennen noblexu opexxx yeyingtomorrow kartikeyap ecapuano brandonmreeves iugamarian 101sec btmndkh emmoblin guangbinw warcup 5up3rc vbaone chixsh j4ckzh0u trongtan124 yeahbytes orright noodled sc820 jmckinlay 623665910 r3dfruitrollup mattlk13 gongchengcheng bigbigx reconinfosec mithrilwoodrat jeroen0494 szliuyujie unzhanun huongbn acealchemycyberblaze waterbolik kakuye micsoftvn erdoukki raoulodc darrynza dzhan85 threat-hunting prchiouatchts w1one cloudwafs uncelvel jtibaquira crawc m4rm0k sinsixx jack-l10 clod-moon mallikarjun02 missyoyo benhe119 imulmul techkie mav8140 hhuahao wk0115 stepw66 kenzoawa

selks's Issues

selks reading only two NIC ( Solved Suricata IPS Mode)

hey I tried to run suricata as IPS on my machine I have 3 nic so I want to use 2 nic as bridge and the 3rd as management port but selks read only two nic so I get it up using ifconfig eth2 up but seems eht2 not getting ip it's like a sniff port which will not let me do bridge mode because I want my traffic being monitored using suricata IPS from wan---->lan, and vice versa is there anyone can help me please thanks

Suricata Update Rules Error

Can someone please help me out with this please?

OperationalError at /suricata/

no such column: rules_rule.state_in_source

Request Method: GET
Request URL: https://192.168.6.27/suricata/
Django Version: 1.8.7
Exception Type: OperationalError
Exception Value:

no such column: rules_rule.state_in_source

Exception Location: /usr/local/lib/python2.7/dist-packages/django/db/backends/sqlite3/base.py in execute, line 318
Python Executable: /usr/bin/python
Python Version: 2.7.9
Python Path:

['/usr/local/lib/python2.7/dist-packages/git/ext/gitdb',
'/opt/selks/scirius',
'/usr/lib/python2.7',
'/usr/lib/python2.7/plat-x86_64-linux-gnu',
'/usr/lib/python2.7/lib-tk',
'/usr/lib/python2.7/lib-old',
'/usr/lib/python2.7/lib-dynload',
'/usr/local/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages/gtk-2.0',
'/usr/lib/pymodules/python2.7',
'/usr/local/lib/python2.7/dist-packages/gitdb/ext/smmap']

Server time: Mon, 29 Feb 2016 18:46:57 +0000

---------------Traceback-----------------------------

Environment:

Request Method: GET
Request URL: https://192.168.6.27/suricata/

Django Version: 1.8.7
Python Version: 2.7.9
Installed Applications:
('django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'django_tables2',
'bootstrap3',
'rules',
'suricata',
'accounts',
'revproxy')
Installed Middleware:
('django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'scirius.loginrequired.LoginRequiredMiddleware',
'scirius.utils.TimezoneMiddleware')

Traceback:
File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py" in get_response

                response = wrapped_callback(request, _callback_args, *_callback_kwargs)

File "/opt/selks/scirius/suricata/views.py" in index

```
        supp_rules = list(suri.ruleset.suppressed_rules.all())
```
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py" in iter
```
    self._fetch_all()
```
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py" in _fetch_all
```
        self._result_cache = list(self.iterator())
```
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py" in iterator
```
    results = compiler.execute_sql()
```
File "/usr/local/lib/python2.7/dist-packages/django/db/models/sql/compiler.py" in execute_sql
```
        cursor.execute(sql, params)
```
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py" in execute
```
        return super(CursorDebugWrapper, self).execute(sql, params)
```
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py" in execute
```
            return self.cursor.execute(sql, params)
```
File "/usr/local/lib/python2.7/dist-packages/django/db/utils.py" in exit
```
            six.reraise(dj_exc_type, dj_exc_value, traceback)
```
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py" in execute
```
            return self.cursor.execute(sql, params)
```
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/sqlite3/base.py" in execute

    return Database.Cursor.execute(self, query, params)

Exception Type: OperationalError at /suricata/
Exception Value: no such column: rules_rule.state_in_source

syslog increasing too crazy!

hey syslog, kern.log, and messages increasing in insane way 400GB filled into couple of hourse! I just checked them and what I saw same message which's
kernel :device eth2 left promiscuous mode
kernel : device eth2 enter promiscuous mode
till hard disk is full

ImproperlyConfigured at /rules/

I upgraded the server using apt-get update && apt-get upgrade. After the upgrade, I'm receiving this message on the web console:

ImproperlyConfigured at /rules/
Error importing module django.template.context_processors: "No module named context_processors"
Request Method: GET
Request URL: https://cohids.hutchgov.com/rules/
Django Version: 1.6.6
Exception Type: ImproperlyConfigured
Exception Value:
Error importing module django.template.context_processors: "No module named context_processors"
Exception Location: /usr/local/lib/python2.7/dist-packages/django/utils/importlib.py in import_module, line 40
Python Executable: /usr/bin/python
Python Version: 2.7.10
Python Path:
['/opt/selks/scirius',
'/usr/lib/python2.7/site-packages',
'/',
'/usr/lib/python2.7',
'/usr/lib/python2.7/plat-x86_64-linux-gnu',
'/usr/lib/python2.7/lib-tk',
'/usr/lib/python2.7/lib-old',
'/usr/lib/python2.7/lib-dynload',
'/usr/local/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages',
'/usr/lib/pymodules/python2.7',
'/usr/local/lib/python2.7/dist-packages/git/ext/gitdb',
'/usr/local/lib/python2.7/dist-packages/gitdb/ext/smmap']
Server time: Tue, 9 Feb 2016 20:54:49 +0000
Traceback Switch to copy-and-paste view

/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py in get_response
response = wrapped_callback(request, _callback_args, *_callback_kwargs) ...
▶ Local vars
/opt/selks/scirius/rules/views.py in index
return scirius_render(request, 'rules/index.html', context) ...
▶ Local vars
/opt/selks/scirius/scirius/utils.py in scirius_render
return render(request, template, context) ...
▶ Local vars
/usr/local/lib/python2.7/dist-packages/django/shortcuts/init.py in render
context_instance = RequestContext(request, current_app=current_app) ...
▶ Local vars
/usr/local/lib/python2.7/dist-packages/django/template/context.py in init
for processor in get_standard_processors() + processors: ...
▶ Local vars
/usr/local/lib/python2.7/dist-packages/django/template/context.py in get_standard_processors
func = import_by_path(path) ...
▶ Local vars
/usr/local/lib/python2.7/dist-packages/django/utils/module_loading.py in import_by_path
sys.exc_info()[2]) ...
▶ Local vars
/usr/local/lib/python2.7/dist-packages/django/utils/module_loading.py in import_by_path
module = import_module(module_path) ...
▶ Local vars
/usr/local/lib/python2.7/dist-packages/django/utils/importlib.py in import_module
import(name) ...
▶ Local vars
Request information

I've posted the complete error over at Pastebin: http://pastebin.com/NycXUeGD

How to reset all stats/logs/alerts?

Hi,

Is there a way to easily reset all stats/logs/alerts on SELKS?
I want to keep any custom config, but would like to start afresh with all the stats from the different dashboard.

Also, as I am running a VM, this would be useful to reset "captured" data before taking a snashpot so it reduces the size of the snaptop.

Cheers,
B.

distributed install support

I would like to deploy multiple IDS managed from single place. It would be great if SELKS allows for partial installations (or roles) so I can choose to install:

IDS (suricate + logstash)
management host (kibana + elasticsearch)
everything (current variant)

Not sure where Scirius belongs in this case, probably 1st point if it uses direct access to config files for management (and 2nd if remote access is supported).

Secure parameter handling for user management

Hey,

there are a couple of issues with user management in the selks 3.0 release

Given this deep link:

https://1.2.3.4./accounts/manage/user/1/delete?confirm=1

the account deletion would happen without further confirmation.

Best practice is to ask for the account credentials (password) again, when performing such actions. Same for password changes. The old PW is issued, and then the new one 2x for confirmation.

Best,
Marius

Unable to install Oracle Java

When running the following script to install Oracle:

/opt/selks/Scripts/Java/setup-oracle-java_stamus.sh

The following error occurs:

Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libc6-dev : Depends: libc6 (= 2.19-18+deb8u3) but 2.19-18+deb8u4 is to be installed
E: Unable to correct problems, you have held broken packages.

I followed the SELKS Upgrades thinking the installed packages were out of date, but that was not the case.

Make 32-bit distro

Hello!
How to make 32-bit distro SELKS?

Update elasticsearch and logstash packages to the 2.x branches

For various security updates in elasticsearch and logstash since the 1.x major release the repositories configured in staging/etc/apt/sources.list.d/elasticsearch.list should be updated if there are no breaking changes in the frontend packages for scirius or other depending software in SELKS.

ssh password auth is disabled in SELKS-3.0rc1-nodesktop.iso

very painful for LiveCD, after start you need to edit /etc/ssh/sshd_config to change PasswordAuthentication to yes and restart ssh

Excluding events from the ALERTS dashboard was : Changing event type from alert to something else

You made me realize that I did not know what I wanted to do ;-)
In fact, what I want to do is to modify the ALERTS dashboard so it excludes some of the events. Any tutorials you could recommend ?

Thanks,

Desktop Environment Corrupted after dist-upgrade

I got desktop environment corrupted after dist-upgrade and what I see that selks run LXDE so when I tried to login with the user it's just lof me off directly while I can login through CLI and using root I can run through GUI and CLI, and when I tried to acess user settings just stay loading and not working any suggestions? thanks.

Can't ssh to the Selks host

Hi all,

I have trouble ssh to the Selks host.

Linux command-line ssh from another linux box : nothing happens (ctrl-c goes back to the prompt).
Putty from a Windows PC : the following error message "Couldn't agree a client-to-server cipher (available: aes128-ctr, aes192-ctr, aes256-ctr, [email protected], [email protected], [email protected])
IOS command-line from a Cisco router :
c1841-michel#ssh 192.168.222.3
[Connection to 192.168.222.3 aborted: error status 0]
Jun 17 13:49:32.583 PDT: %SSH-3-NO_MATCH: No matching cipher found: client aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc ser
ver aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]

Followed instructions from here :
http://steronius.blogspot.com/2014/10/ssh-no-matching-cipher-found.html
Solved most of the issue, but:

Still can't ssh as root (minor)
Does not work with putty (does work from Cisco and with Bitwise windows ssh client).

Scirius won't start NGINX error 502

I'm getting this error when I tried to run it

Starting Scirius Django FastCGI servers: sciriusTraceback (most recent call last):
File "/opt/selks//scirius/manage.py", line 10, in
execute_from_command_line(sys.argv)
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/core/management/init.py", line 443, in execute_from_command_line
utility.execute()
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/core/management/init.py", line 382, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/core/management/base.py", line 196, in run_from_argv
self.execute(_args, *_options.dict)
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/core/management/base.py", line 231, in execute
self.validate()
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/core/management/base.py", line 266, in validate
num_errors = get_validation_errors(s, app)
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/core/management/validation.py", line 30, in get_validation_errors
for (app_name, error) in get_app_errors().items():
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/db/models/loading.py", line 158, in get_app_errors
self._populate()
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/db/models/loading.py", line 64, in _populate
self.load_app(app_name, True)
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/db/models/loading.py", line 88, in load_app
models = import_module('.models', app_name)
File "/usr/local/lib/python2.7/dist-packages/Django-1.4.1-py2.7.egg/django/utils/importlib.py", line 35, in import_module
import(name)
File "/opt/selks/scirius/rules/models.py", line 72, in
class Source(models.Model):
File "/opt/selks/scirius/rules/models.py", line 319, in Source
@transaction.atomic
AttributeError: 'module' object has no attribute 'atomic'

Lack of Monitoring NIC selection

Hi,

Not so much an issue, but a limitation.
With the current SELKS installation/Setup, you do not get a chance to select your monitoring interface.
In most cases you will have 1 NIC for maintenance and 1 NIC for monitoring (and receiving your TAP traffic).

By default SELKS assumes your monitoring NIC is eth0
it then adds eth1 as an extra NIC to monitor.

The problem is that in most cases eth0 will be your maintenance NIC not your monitoring NIC.
So yes, you can just edit /etc/suricata/suricata.yaml and replace all eth0 with whatever is your monitoring NIC...
But here is the problem... when you update SELKS you sometimes get a new version of suricata.yaml and it is much easier to accept an overwrite with the new version (i.e.: recently there were new options added with SMTP).

In the end, I found it less prone to error to change my monitoring NIC to eth0.
But really, it would be great if at setup you are being asked to specify what is your monitoring NIC (s) and what is your maintenance NIC (that you don't want polluting your data).
And for that setting to be remembered, so next time you update SELKS and a new suricata.yaml file gets updated it would regenerate a correct suricata.yaml relevant to your system.

I'll drink to that :)
S.

live-build currently fails for scirius package

The proposed live-build command:

sudo ./build-debian-live.sh -g no-desktop

fails with the following message for the scirius package:

Unpacking scirius (1.1.5-1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u3) ...
Setting up dbconfig-common (1.8.47+nmu3+deb8u1) ...

Creating config file /etc/dbconfig-common/config with new version
Setting up kibana-dashboards-stamus (2015052202) ...
All runlevel operations denied by policy
invoke-rc.d: policy-rc.d denied execution of start.
Setting up python-psutil (2.1.1-2) ...
Setting up python-tz (2012c+dfsg-0.1) ...
Setting up sqlite3 (3.8.7.1-1+deb8u1) ...
Setting up scirius (1.1.5-1) ...
dbconfig-common: writing config to /etc/dbconfig-common/scirius.conf

Creating config file /etc/dbconfig-common/scirius.conf with new version
creating database db.sqlite3: success.
verifying database db.sqlite3 exists: success.
populating database via scriptfile...  Traceback (most recent call last):
  File "manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 354, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 328, in execute
    django.setup()
  File "/usr/local/lib/python2.7/dist-packages/django/__init__.py", line 18, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/usr/local/lib/python2.7/dist-packages/django/apps/registry.py", line 85, in populate
    app_config = AppConfig.create(entry)
  File "/usr/local/lib/python2.7/dist-packages/django/apps/config.py", line 86, in create
    module = import_module(entry)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/__init__.py", line 2, in <module>
    from .tables import Table
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/tables.py", line 15, in <module>
    from . import columns
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/__init__.py", line 1, in <module>
    from .base import library, BoundColumn, BoundColumns, Column
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/base.py", line 10, in <module>
    from django_tables2.utils import Accessor, AttributeDict, OrderBy, OrderByTuple
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/utils.py", line 111, in <module>
    @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'
Traceback (most recent call last):
  File "manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 354, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 328, in execute
    django.setup()
  File "/usr/local/lib/python2.7/dist-packages/django/__init__.py", line 18, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/usr/local/lib/python2.7/dist-packages/django/apps/registry.py", line 85, in populate
    app_config = AppConfig.create(entry)
  File "/usr/local/lib/python2.7/dist-packages/django/apps/config.py", line 86, in create
    module = import_module(entry)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/__init__.py", line 2, in <module>
    from .tables import Table
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/tables.py", line 15, in <module>
    from . import columns
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/__init__.py", line 1, in <module>
    from .base import library, BoundColumn, BoundColumns, Column
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/base.py", line 10, in <module>
    from django_tables2.utils import Accessor, AttributeDict, OrderBy, OrderByTuple
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/utils.py", line 111, in <module>
    @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'
Traceback (most recent call last):
  File "manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 354, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 328, in execute
    django.setup()
  File "/usr/local/lib/python2.7/dist-packages/django/__init__.py", line 18, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/usr/local/lib/python2.7/dist-packages/django/apps/registry.py", line 85, in populate
    app_config = AppConfig.create(entry)
  File "/usr/local/lib/python2.7/dist-packages/django/apps/config.py", line 86, in create
    module = import_module(entry)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/__init__.py", line 2, in <module>
    from .tables import Table
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/tables.py", line 15, in <module>
    from . import columns
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/__init__.py", line 1, in <module>
    from .base import library, BoundColumn, BoundColumns, Column
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/base.py", line 10, in <module>
    from django_tables2.utils import Accessor, AttributeDict, OrderBy, OrderByTuple
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/utils.py", line 111, in <module>
    @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'
Traceback (most recent call last):
  File "manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 354, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 328, in execute
    django.setup()
  File "/usr/local/lib/python2.7/dist-packages/django/__init__.py", line 18, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/usr/local/lib/python2.7/dist-packages/django/apps/registry.py", line 85, in populate
    app_config = AppConfig.create(entry)
  File "/usr/local/lib/python2.7/dist-packages/django/apps/config.py", line 86, in create
    module = import_module(entry)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/__init__.py", line 2, in <module>
    from .tables import Table
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/tables.py", line 15, in <module>
    from . import columns
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/__init__.py", line 1, in <module>
    from .base import library, BoundColumn, BoundColumns, Column
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/base.py", line 10, in <module>
    from django_tables2.utils import Accessor, AttributeDict, OrderBy, OrderByTuple
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/utils.py", line 111, in <module>
    @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'
/
done.
Traceback (most recent call last):
  File "manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 354, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 328, in execute
    django.setup()
  File "/usr/local/lib/python2.7/dist-packages/django/__init__.py", line 18, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/usr/local/lib/python2.7/dist-packages/django/apps/registry.py", line 85, in populate
    app_config = AppConfig.create(entry)
  File "/usr/local/lib/python2.7/dist-packages/django/apps/config.py", line 86, in create
    module = import_module(entry)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/__init__.py", line 2, in <module>
    from .tables import Table
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/tables.py", line 15, in <module>
    from . import columns
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/__init__.py", line 1, in <module>
    from .base import library, BoundColumn, BoundColumns, Column
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/columns/base.py", line 10, in <module>
    from django_tables2.utils import Accessor, AttributeDict, OrderBy, OrderByTuple
  File "/usr/local/lib/python2.7/dist-packages/django_tables2/utils.py", line 111, in <module>
    @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'
dpkg: error processing package scirius (--configure):
 subprocess installed post-installation script returned error exit status 1
Processing triggers for systemd (215-17+deb8u3) ...
Errors were encountered while processing:
 scirius
E: Sub-process /usr/bin/dpkg returned an error code (1)
E: config/hooks/chroot-inside-Debian-Live.chroot failed (exit non-zero). You should check for errors.
P: Begin unmounting filesystems...
P: Saving caches...
Reading package lists...
Building dependency tree...
Reading state information...
mv: der Aufruf von stat für „live-image-amd64.hybrid.iso“ ist nicht möglich: Datei oder Verzeichnis nicht gefunden

this is probably and issue with python-six and/or python-django versions available in the chroot. Adding python-six to the build-debian-live.sh in line 308 did not help.

Prelude support

Hello,

First of all, sorry for my basic english ^^

I just installed SELKS, thx guys I tried so many times to install ES+Logstash+Kibana and Suricata and didn't work ... With SELKS it's magic ! But I just want add to the same configuration prelude support, because I will install on the same machine Prewikka with Prelude-IDS.

How can I install prelude support on Suricata without corrupt the actual configuration ?

how to upgrade Kibana from 3 to 4 in SELKS?

Hi!
First thank you for this amazing project!
I'm wandering if there any reason why do you still use kibana 3 in SELKS distro? And are there any ways to upgrade Kibana from 3 to 4 version in the distro?

Documentation about "curator" is wrong and probably un-tested

Unescaped percent signs are converted into new-lines when used in a cron command line,
so the documentation here is wrong : https://github.com/StamusNetworks/SELKS/wiki/Data-lifecycle

I mean, okay it works from command line, but not from cron.

Maybe an (untested) fix would be :
--timestring '\%Y.\%m.\%d'

several attacks are not detected when using pytbull

Hi!
I just install the suricataIDPS on my system,and after that I run the pytbull to have a few test of this system,I updated the latest rules with oinkmaster,but the test result shows that there's no shellcodes,fragmentedPackets detection,in fact 60% results are 'no detection'. I followed the documentation to set up the suricata , and I check the rules file there's a rule called 'emerging-shellcodes' , and I also uncommented all the rules in suricata.yaml , I have no idea what to do next...
Any help? ..
Thanks!

bootstrap.mlockall: true

bootstrap.mlockall: true
is not uncommented as expected by the script in the elasticsearch.yaml
There is the same issue with the uncommenting of "discovery"

Build fails from master 2014-09-04

Errors and tracebacks from master. Built on Wheezy. Need a full build log?

Setting up scirius (0.8-1) ...^M
dbconfig-common: writing config to /etc/dbconfig-common/scirius.conf^M
^M
Creating config file /etc/dbconfig-common/scirius.conf with new version^M
creating database db.sqlite3: success.^M
verifying database db.sqlite3 exists: success.^M
populating database via scriptfile... Syncing...^M
Traceback (most recent call last):^M
File "manage.py", line 10, in ^M
execute_from_command_line(sys.argv)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 385, in execute_from_command_line^M
utility.execute()^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 377, in execute^M
self.fetch_command(subcommand).run_from_argv(self.argv)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 288, in run_from_argv^M
self.execute(_args, *_options.dict)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 338, in execute^M
output = self.handle(_args, _options)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 533, in handle^M
return self.handle_noargs(_options)^M
File "/usr/local/lib/python2.7/dist-packages/south/management/commands/syncdb.py", line 82, in handle_noargs^M
old_app_store, cache.app_store = cache.app_store, SortedDict([^M
AttributeError: 'Apps' object has no attribute 'app_store'^M
Traceback (most recent call last):^M
File "manage.py", line 10, in ^M
execute_from_command_line(sys.argv)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 385, in execute_from_command_line^M
utility.execute()^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 377, in execute^M
self.fetch_command(subcommand).run_from_argv(self.argv)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 288, in run_from_argv^M
self.execute(_args, *_options.dict)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 338, in execute^M
output = self.handle(_args, **options)^M
File "/usr/local/lib/python2.7/dist-packages/south/management/commands/migrate.py", line 111, in handle^M
ignore_ghosts = ignore_ghosts,^M
File "/usr/local/lib/python2.7/dist-packages/south/migration/init.py", line 200, in migrate_app^M
applied_all = check_migration_histories(applied_all, delete_ghosts, ignore_ghosts)^M
File "/usr/local/lib/python2.7/dist-packages/south/migration/init.py", line 79, in check_migration_histories^M
for h in histories:^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 141, in iter^M
self._fetch_all()^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 966, in _fetch_all^M
self._result_cache = list(self.iterator())^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 265, in iterator^M
for row in compiler.results_iter():^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/sql/compiler.py", line 700, in results_iter^M
for rows in self.execute_sql(MULTI):^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/sql/compiler.py", line 786, in execute_sql^M
cursor.execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 81, in execute^M
return super(CursorDebugWrapper, self).execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 65, in execute^M
return self.cursor.execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/utils.py", line 94, in exit^M
six.reraise(dj_exc_type, dj_exc_value, traceback)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 65, in execute^M
return self.cursor.execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/sqlite3/base.py", line 485, in execute^M
return Database.Cursor.execute(self, query, params)^M

django.db.utils.OperationalError: no such table: south_migrationhistory^M
Traceback (most recent call last):^M
File "manage.py", line 10, in ^M
execute_from_command_line(sys.argv)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 385, in execute_from_command_line^M
utility.execute()^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 377, in execute^M
self.fetch_command(subcommand).run_from_argv(self.argv)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 288, in run_from_argv^M
self.execute(_args, *_options.dict)^M
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 338, in execute^M
output = self.handle(_args, *_options)^M
File "/usr/local/lib/python2.7/dist-packages/south/management/commands/migrate.py", line 111, in handle^M
ignore_ghosts = ignore_ghosts,^M
File "/usr/local/lib/python2.7/dist-packages/south/migration/init.py", line 200, in migrate_app^M
applied_all = check_migration_histories(applied_all, delete_ghosts, ignore_ghosts)^M
File "/usr/local/lib/python2.7/dist-packages/south/migration/init.py", line 79, in check_migration_histories^M
for h in histories:^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 141, in iter^M
self._fetch_all()^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 966, in _fetch_all^M
self._result_cache = list(self.iterator())^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 265, in iterator^M
for row in compiler.results_iter():^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/sql/compiler.py", line 700, in results_iter^M
for rows in self.execute_sql(MULTI):^M
File "/usr/local/lib/python2.7/dist-packages/django/db/models/sql/compiler.py", line 786, in execute_sql^M
cursor.execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 81, in execute^M
return super(CursorDebugWrapper, self).execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 65, in execute^M
return self.cursor.execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/utils.py", line 94, in exit^M
six.reraise(dj_exc_type, dj_exc_value, traceback)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 65, in execute^M
return self.cursor.execute(sql, params)^M
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/sqlite3/base.py", line 485, in execute^M
return Database.Cursor.execute(self, query, params)^M
django.db.utils.OperationalError: no such table: south_migrationhistory^M

/usr/local/lib/python2.7/dist-packages/django/db/models/fields/init.py:1278: RuntimeWarning: DateTimeField Source.created_date received a naive datetime (2014-09-04 08:49:14.821104) while time zone support is active.
RuntimeWarning)

Traceback (most recent call last):
File "manage.py", line 10, in
execute_from_command_line(sys.argv)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 385, in execute_from_command_line
utility.execute()
File "/usr/local/lib/python2.7/dist-packages/django/core/management/init.py", line 377, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 288, in run_from_argv
self.execute(_args, *_options.dict)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 338, in execute
output = self.handle(_args, *_options)
File "/opt/selks/scirius/rules/management/commands/addsource.py", line 40, in handle
datatype = datatype)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/manager.py", line 92, in manager_method
return getattr(self.get_queryset(), name)(_args, *_kwargs)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 372, in create
obj.save(force_insert=True, using=self.db)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/base.py", line 590, in save
force_update=force_update, update_fields=update_fields)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/base.py", line 618, in save_base
updated = self._save_table(raw, cls, force_insert, force_update, using, update_fields)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/base.py", line 699, in _save_table
result = self._do_insert(cls._base_manager, using, fields, update_pk, raw)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/base.py", line 732, in _do_insert
using=using, raw=raw)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/manager.py", line 92, in manager_method
return getattr(self.get_queryset(), name)(_args, *_kwargs)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/query.py", line 921, in _insert
return query.get_compiler(using=using).execute_sql(return_id)
File "/usr/local/lib/python2.7/dist-packages/django/db/models/sql/compiler.py", line 920, in execute_sql
cursor.execute(sql, params)
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 81, in execute
return super(CursorDebugWrapper, self).execute(sql, params)
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 65, in execute
return self.cursor.execute(sql, params)
File "/usr/local/lib/python2.7/dist-packages/django/db/utils.py", line 94, in exit
six.reraise(dj_exc_type, dj_exc_value, traceback)
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/utils.py", line 65, in execute
return self.cursor.execute(sql, params)
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/sqlite3/base.py", line 485, in execute
return Database.Cursor.execute(self, query, params)
django.db.utils.OperationalError: no such table: rules_source
E: config/hooks/chroot-inside-Debian-Live.chroot failed (exit non-zero). You should check for errors.

SELKS 3.0RC1

Hey guys,

Thank you for providing SELKS. I really like it and I have been playing with the 3.0 RC1 build and have noticed a problem with Elasticsearch not wanting to start after running apt-get update && upgrade and now getting "Unable to get data from Elasticsearch" in Scirius and also have lost all of the functionality of Kibana and EveBox since the update.

Before running the update I was observing that it was very sluggish and would often make Kibana time out when performing queries and wasn't able to search Events in EveBox.

Can you guys help me back up and running?

repositories access

Having live iso is excellent but since it's Debian-based I'd like to be able to bring my own Debian system installed into container up to speed with SELKS by plugging appropriate repositories and running update.

That would be very useful because it allows to support all the virtualisation solutions out there without bothering making images or instructions for each one of them.

Add package repo gpg pubkeys

During the live-build process the following gpg pubkeys are not verified:

W: GPG error: http://dl.bintray.com jessie Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5BCF00E8E6530A4A
W: GPG error: http://packages.stamus-networks.com jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 83FC65E703FC3237
W: GPG error: http://packages.elasticsearch.org stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D27D666CD88E42B4

it would be a good idea to include them during the build process to have a proper package verification.

Making Elasticsearch green

I wanted to make elasticsearch status green on single-node.
Here's what I did :

leafpad /etc/elasticsearch/elasticsearch.yml
Uncomment :
index.number_of_shards: 1
index.number_of_replicas: 0

curl -XDELETE 'http://localhost:9200/_all'

Now it's green allright. The curl command was a little brutal; all I miss are the dashboards in the "Stamus" menu, I do I bring them back ? I will re-customize.

Also, a curl command that clears the unassigned shards without killing everything else would not be a bad idea :P

Bookmark is 404

Thanks for making SELKS! I just wanted to let you know that the bookmark link titled IDS-ALL-Events goes to a 404.

Version: 3.0rc1-desktop running on VirtualBox

Can't see any SMTP logs

Hello,
I'm a new user using SELKS in production and I'm just discovering Kibana dashboads.
I can see other flow but I'm surprised not to see any SMTP logs in this dashboard:
https://myselkserver/log/#/dashboard/elasticsearch/SMTP

It's a fresh install and this tuto has already been followed and aplicated:
https://github.com/StamusNetworks/SELKS/wiki/Running-SELKS-in-production

I surrely missed something, but what ?

django 1.6.6 dependency

Explore the 1.6.6 dependency and find a possible solution for negating it -
https://github.com/StamusNetworks/SELKS/blob/master/staging/config/hooks/chroot-inside-Debian-Live.chroot#L23

Applying rules fail in Scirius

On a fresh install of SELKS, doing an application of ruleset like the following result in a failure:

Reported by Victor Julien aka @inliniac

unable to access kibana from remote box

per the read me here

If you wish to remotely (from a different PC on your network) access the dashboards you could do that as follows (in your browser):

https://your.selks.IP.here/rules/ - Scirius ruleset management
*https://your.selks.IP.here/log/ *- Kibana and click the folder icon for a list of dashboards
You need to authenticate to access to the web interface. The default user/password is the same as for local access: selks-user/selks-user. Don't forget to change credentials at first login. You can do that by going to Account settings in the top left dropdown menu of Scirius.

We tried the bold section to access kibana from remote box, but it failed with

Page not found (404)
Request Method: GET
Request URL:    https://10.65.104.182/log
Using the URLconf defined in scirius.urls, Django tried these URL patterns, in this order:
^admin/
^rules/
^accounts/
^suricata/
^$
^(?P<path>app/kibana.*)$
^(?P<path>timelion/.*)$
^(?P<path>bundles/.*)$
^kibana/(?P<path>.*)$
^elasticsearch/(?P<path>.*)$
^evebox/(?P<path>.*)$
The current URL, log, didn't match any of these.

We have authenticate with the default credential what else we missed?

Thanks!

DNS geo mapping in ElasticSearch

Logstash takes src_ip or dest_ip for Geo location which is fine for other protocols, but it should take [dns.rdata] for DNS as scr_ip could be local DNS IP.

Fetch data from MISP (Malware Information Sharing Platform)

MISP is a platform to echange IOCs.
It would be great to have integration with it, more specifically to download the MD5 from MISP, and then search for those in the ELK.

MISP has a key-authenticated REST API available.

Existing MISP data types that might be of interest to be used for lookups: ip, hostname, url, filename, mutex, email, user-agent, email subject, email attachment. New data types to be implemented in the future: URI-regexp, filename-regexp, SSL certificates attributes.

I can arrange access to a MISP instance hosting IOCs if you need it for testing.

evebox: change URL in /etc/scirius/local_settings.py

With PR #49 evebox is now bound to localhost. The following change is required in /etc/scirius/local_settings.py but I could not find the original source for this:

diff -u /etc/scirius/local_settings.py.orig etc/scirius/local_settings.py
--- /etc/scirius/local_settings.py.orig 2016-07-11 10:22:26.466937756 -0500
+++ etc/scirius/local_settings.py   2016-07-11 10:22:33.950948651 -0500
@@ -31,7 +31,7 @@
 #SURICATA_UNIX_SOCKET = "/var/run/suricata/suricata-command.socket"

 USE_EVEBOX = True
-EVEBOX_ADDRESS = "selks:5636"
+EVEBOX_ADDRESS = "localhost:5636"

 USE_SURICATA_STATS = True
 USE_LOGSTASH_STATS = True

This also prevents being taken to the wrong SELKS instance in the case of issue #48.

Alert Severity Colors

Hi,

Is there any way to change the colours of the alert severity in the ALERT dashboard (ALERT SEVERITY)?
Right now I have Severity one showing as green, Severity two as blue and severity 2 as orange...
A more standard Red, Orange, Green would make it easier to understand the graph.
Or at least having some king of logic in the colours, severe = red, not important = green/blue
(unless there is already a logic I missed :)

I wouldn't see any options to change the colours, so I am wondering if there is any way to change that?

Thanks,
B.

Scirius crash on deleting source

when I try to delete added source I get django error and scirius crashed it seems source deleted from DB but still in scirius

DoesNotExist at /rules/source/18/delete

SourceAtVersion matching query does not exist.

Request Method: POST
Request URL: https://hq-ips/rules/source/18/delete
Django Version: 1.8.4
Exception Type: DoesNotExist
Exception Value:

SourceAtVersion matching query does not exist.

Exception Location: /usr/local/lib/python2.7/dist-packages/django/db/models/query.py in get, line 334
Python Executable: /usr/bin/python
Python Version: 2.7.9
Python Path:

Scirius did not show any data on Suricata

Hi, I am using Selks 2.1, right now I had some difficulties to view data on Scirius.

I can view data in Kibana, but the Scirius did not show any data about Suricata (Alert Activity, Rules Activity, Capture Stats, Memory Usage, Problem indicators)

Hopefully someone can help pointing out what I am missing. Thanks.

Changing event type from alert to something else

Hi there, new to Selks, bare with me.

I would like to change some event(s) from "alert" so something else. What is the best way to do that ?

Also, are there stickies in here ? I have found a couple issues that I have solved that I think many people are going to bump into.

Thanks
Michel.

Running SELKS from behind a proxy

If you configure SELKS to run behind a proxy in a port other than 443 you won't be able to connect to elasticsearch dashboards from kibana because kibana's config.js file has the port number hardcoded.

You should change elasticsearch variable from:

elasticsearch: "https://"+window.location.hostname+":443/elasticsearch",

elasticsearch: "/elasticsearch",

Stuck after GRUB loader

I just installed SELKS, but after GRUB loader, it stuck black screen..

Email Notification

Hi,

Is it possible to get automated alerts and summary through emails?

What I am after is:

Daily/Weekly/Monthly Summary
and
Ad-Hoc email for specific alerts
Daily/Weekly/Monthly Summary
Similar to what other NSM offers (happy to provide a copy) it would be useful to get a regular email to display info such as:
Total number of High/Medium/Low alerts
Top 10 Alerts with count
Top 10 Source address for those alerts
Top 10 Destination for the alerts

As plain text would be enough.
The "cherry on the top" would be to also include the timeline graph, so it gives you an idea of when those alert did take place in the day/week/month.

I found this useful as once your NSM is all setup nicely, you can kind of forget about it... and just check that daily email to see what were the top 10 alerts. If for example you see an alert related to a Windows EXE installation file and you have actually updated your windows server that day, then you know you can ignore it.... on the other hand if there was no update that might be the reason to connect to your SELKS environment and investigate further.

Ad-Hoc email for specific alert
It would be really helpful if you could set an email alert if a specific security alert (Suricata ID) occurs.
Look at this scenario (which happened to me!):
You get an alert that keep recurring at random time, coming from a phone device, claiming there is a Kazaa download
You only find that alert when you connect to your NSM, you identify the device, check the device and there is nothing on it that should be running Kazaa!!
Everytime you see the alert in your NSM, it is too late, the user doesnt remember exactly what he did 2h ago.
Instead, you setup an email alert that sends you an email as soon as the suricata rule is triggered on that specific event.
This time you receive the alert within a minute of the event occuring, you contact the user, who tells you he is currently using Skype... through a bit more troubelshooting you can find out that it is a false positive and that in fact Skype traffic can sometimes be confused for Kazaa traffic.

Thanks,
B.

Basic DNS/WHOIS look up

Hi Again,

Is it possible to do a basic DNS/WHOIS looking against an IP from the GUI/Dashboard?
When troubleshooting an alert, it is quite useful to be able to have some basic info about the IP (i.e.: who owns it). I can see there is geo location data, which is great, but more useful is info about the owner of that IP!

Is it available already from the dashboard when looking at the different alerts?

Thanks.
B.

ElasticSearch data has wrong date

The data that is being pushed into ES has the wrong datetime.
I have set the system to PDT timezone, but it inserting data into ES with date from -18 hours earlier.

I'm not sure where the issue is, maybe in suricata or logstash?

I tried setting the system to UTC, and restarting everything. Same issue.

Any suggestions?

Monitor / resolution not detected

Hi there,

I have a 1280x1024 monitor but Selks 2.0 allows me to do only 1024x768.
By following the output of "cvt 1280 1024" I found that the following lines will do what I need, but it does not save.

xrandr --newmode "1280x1024" 109.00 1280 1368 1496 1712 1024 1027 1034 1063 -hsync +vsync
xrandr --addmode VGA1 "1280x1024"
xrandr --output VGA1 --mode "1280x1024"

It swiches to 1280x1024 just fine; in preference -> monitor settings, the newly created resolution 1280x1024 becomes available, it allows me to save (I believe this is lxrandr), but it does not survive a reboot. Attemps to monkey inside /etc/X11/xorg.conf have been unsucessful so far.

If I need to add the 3 xrandr lines into a startup script, what is the best place ?

Thanks.

CPU Throttling with SELKS 2.0

Hi there,

I installed SELKS 2.0 on 4 different hardware setups so far (2 Intel, 2 AMD). On all of them, the CPU speed was locked to the minimum CPU speed (possibly: power save) speed even if there was heavy CPU load.

What worked for me :
apt-get install cpufreqd
(no other tinkering)
Now, it appears to be "on-demand"

I respecfully suggest that cpufreqd is installed by default on the next selks release.

Not much going on :
selks-user@SELKS:~$ grep -E '^model name|^cpu MHz' /proc/cpuinfo
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 1647.292
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 2037.750
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 2580.960
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 1865.015

Much going on :
selks-user@SELKS:~$ grep -E '^model name|^cpu MHz' /proc/cpuinfo
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 3300.000
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 3300.000
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 3300.000
model name : Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
cpu MHz : 3300.000

Django error after upgrading

Hi,

I just did a apt-get update/upgrade, the last upgrade I did before that was in November 2015.
Everything seems to have worked, it did tell me I had to upgrade my DB which I accepted.
But now, if I go to any URL I get the following error:
(rebooting does not solve the problem)

ImproperlyConfigured at /accounts/login/

Error importing module django.template.context_processors: "No module named context_processors"

Request Method: GET
Request URL: https://selks/accounts/login/
Django Version: 1.6.6
Exception Type: ImproperlyConfigured
Exception Value:

Error importing module django.template.context_processors: "No module named context_processors"

Exception Location: /usr/local/lib/python2.7/dist-packages/django/utils/importlib.py in import_module, line 40
Python Executable: /usr/bin/python
Python Version: 2.7.9
Python Path:

Server time: Sat, 30 Jan 2016 17:49:21 +0000

Mapping all IP fields to type "ip"

Setting the mapping to all scr/dst IP to type "ip" would make more flexible searching (range, network) in IP addresses. Ref: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/mapping-ip-type.html

Dependency on hostname.

First I installed SELKS 3.0rc1 in a VM (bridge networking) using the default hostname and all is fine.

Later I created another SELKS VM, but gave this one the hostname of "SELKS-dev". In SELKS-dev (desktop installed), I opened Scirius from the desktop icon which takes me to "https://selks/rules/". This actually took me to my other VM instance with the hostname "SELKS", not the VM I was running.

Navigating to "https://selks-dev/rules/" or "https://localhost/rules" takes me to the correct instance.

Suricata rules for Windows is Disabled... why and where?

Hi,

This is related to the issue I raised on the Suricata github:
https://redmine.openinfosecfoundation.org/issues/1533

Why is rule 2000419 disabled? it does not appear as disabled in Scirius...
Could you please tell me where else it has been disabled? (so I can re-enable it again!)

This is a very useful rule to detect windows update activities on the network and some people, like me, are interested in seeing those events :)