No alert in scirius #113

Open
Brainmoustache opened this issue Apr 20, 2018 · 19 comments

Comments

@Brainmoustache

After installation and setting, I get all the traffic, eve.json is growing but there is no alert on the dashboard.
I looked into the git issues to see what could be my problem, but nothing works.

I increased the memory of elasticsearch and logstash just so you know.

@pevma
Member

pevma commented Apr 20, 2018

Is that a recent upgrade?
Is it similar to - #112 (comment)

@Brainmoustache
Author

Yes it's similar configuration.
I thought it would be correct after the logstash problem, but it isn't.

@pevma
Member

pevma commented Apr 20, 2018

Any errors in the logstash-plain.log ?

@Brainmoustache
Author

Brainmoustache commented Apr 20, 2018

Nope..

[2018-04-20T10:31:31,227][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[2018-04-20T10:31:31,231][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[2018-04-20T10:31:33,686][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://127.0.0.1:9200/]}}
[2018-04-20T10:31:33,687][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://127.0.0.1:9200/, :path=>"/"}
[2018-04-20T10:31:33,821][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
[2018-04-20T10:31:33,975][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>"/etc/logstash/elasticsearch5-template.json"}
[2018-04-20T10:31:33,988][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>50001, "settings"=>{"number_of_replicas"=>0, "index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "index"=>"not_analyzed", "ignore_above"=>256}, "raw"=>{"type"=>"keyword", "index"=>"not_analyzed", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@Version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}, "dest_ip"=>{"type"=>"ip", "fields"=>{"raw"=>{"index"=>"not_analyzed", "type"=>"keyword"}, "keyword"=>{"index"=>"not_analyzed", "type"=>"keyword"}}}, "src_ip"=>{"type"=>"ip", "fields"=>{"raw"=>{"index"=>"not_analyzed", "type"=>"keyword"}, "keyword"=>{"index"=>"not_analyzed", "type"=>"keyword"}}}}}}}}
[2018-04-20T10:31:34,029][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//127.0.0.1"]}
[2018-04-20T10:31:34,034][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://127.0.0.1:9200/]}}
[2018-04-20T10:31:34,034][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://127.0.0.1:9200/, :path=>"/"}
[2018-04-20T10:31:34,052][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
[2018-04-20T10:31:34,080][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>"/etc/logstash/elasticsearch5-template.json"}
[2018-04-20T10:31:34,093][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>50001, "settings"=>{"number_of_replicas"=>0, "index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "index"=>"not_analyzed", "ignore_above"=>256}, "raw"=>{"type"=>"keyword", "index"=>"not_analyzed", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@Version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}, "dest_ip"=>{"type"=>"ip", "fields"=>{"raw"=>{"index"=>"not_analyzed", "type"=>"keyword"}, "keyword"=>{"index"=>"not_analyzed", "type"=>"keyword"}}}, "src_ip"=>{"type"=>"ip", "fields"=>{"raw"=>{"index"=>"not_analyzed", "type"=>"keyword"}, "keyword"=>{"index"=>"not_analyzed", "type"=>"keyword"}}}}}}}}
[2018-04-20T10:31:34,097][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//127.0.0.1"]}
[2018-04-20T10:31:34,945][INFO ][logstash.filters.geoip ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-4.3.1-java/vendor/GeoLite2-City.mmdb"}
[2018-04-20T10:31:35,021][INFO ][logstash.filters.geoip ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-4.3.1-java/vendor/GeoLite2-City.mmdb"}
[2018-04-20T10:31:35,025][INFO ][logstash.pipeline ] Starting pipeline {"id"=>"main", "pipeline.workers"=>3, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>375}
[2018-04-20T10:31:35,573][INFO ][logstash.pipeline ] Pipeline main started
[2018-04-20T10:31:35,737][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

@pevma
Member

pevma commented Apr 20, 2018

What about if you restart elasticsearch and logstash?
What versions do you have of both elasticsearch and logstash? (dpkg -l | grep logstash)

@Brainmoustache
Author

The restart doesn't do anything.

ii logstash 1:5.6.9-1 all An extensible logging pipeline
ii elasticsearch 5.6.9 all Elasticsearch is a distributed RESTful search engine built for the cloud. Reference documentation can be found at https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html and the 'Elasticsearch: The Definitive Guide' book can be found at https://www.elastic.co/guide/en/elasticsearch/guide/current/index.html
ii elasticsearch-curator 4.3.1 amd64 Have indices in Elasticsearch? This is the tool for you!\n\nLike a museum curator manages the exhibits and collections on display, \nElasticsearch Curator helps you curate, or manage your indices.

@pevma
Member

pevma commented Apr 20, 2018

When you say no alert - do you mean in Scirius or in Kibana SN ALERTS dashboards? Both have no alerts or just Scirius ?

Can you also please paste the last 10 lines of your /var/log/logstash/logstash-plain.log ?

@pevma
Member

pevma commented Apr 20, 2018

Looking at the output you pasted above - looks good, no errors on the logstash side.

@Brainmoustache
Author

Both have no alerts.

@pevma
Member

pevma commented Apr 20, 2018

Since when? For what period is that?
Also check if for that period that the dashboards show no alerts - that there are alerts in eve.json. You should look for "event_type":"alert".

@Brainmoustache
Author

I haven't received any alert since the install.
I don't get any alert as event_type.
I have flow, stats, dns, tls, and ssh event_type.

@pevma
Member

pevma commented Apr 20, 2018

It may be that there aren't any alerts in that period of time.
You can also check for any errors in rules loading in /var/log/suricata/suricata.log

@Brainmoustache
Author

No error in suricata.log.
It doesn't find anything when I do an internal Nessus scan.
That's not normal.

@pevma
Member

pevma commented Apr 20, 2018 via email

@dennys371

I have the same issue.
When using suricata with pfsense on a port scan it will display an alarm.
In usage with selks the event_type in eve.json is flow and nothing displayed in alerts when doing port scanning or even flooding a port.
Could some one help me here?

@pevma
Member

pevma commented Aug 15, 2018

Did you adjust the HOME/EXT net variables in /etc/suricata/selks4-addin.yaml? For example, if the rules that are supposed to trigger are looking at the wrong nets with respect to where the scan comes from (example: internal/home IP to internal/home IP), the alert would not be generated.

@dennys371

I didn't find Home/Ext in /etc/suricata/selks4-addin.yaml; the only HOME/EXT setting I have is in /etc/suricata/suricata.yaml: HOME_NET 172.16.0.0/12
I'm scanning from 192.168.16.0/24 the suricata is listening on the 192.168.16.129

@pevma
Member

pevma commented Aug 15, 2018

apologies - you are correct - that is the file holding the Net variables.
Most likely the reason why your rule does not fire an alert is because the scan is not towards 172.16.0.0/12 (aka not towards the HOME_NET, and the rule most likely uses that). As a quick test you can try to scan from a non-HOME_NET IP (aka not from 172.16.0.12) towards 172.16.0.0/12; then it should trigger, I think.

@dennys371

Great, I've missed that point. Thank you.
I was scanning the selks IP; after adding it to home_net it has started to show alerts.
Thank you.
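The two checks suggested in this thread (look for "event_type":"alert" in eve.json, and confirm the traffic actually targets HOME_NET) can be done in one pass over the file. The script below is an added example, not code from the SELKS/Scirius project; the eve.json lines and the 192.168.16.x / 172.16.x addresses in it are constructed to mirror the scenario above, and the HOME_NET list is passed in as an argument.

```python
import ipaddress
import json
from collections import Counter

# Constructed eve.json sample (not from the issue): a scan from 192.168.16.10
# against the SELKS box 192.168.16.129, one alert towards HOME_NET, one DNS event.
SAMPLE_EVE = """\
{"timestamp":"2018-08-15T10:00:01.000000+0000","event_type":"flow","src_ip":"192.168.16.10","dest_ip":"192.168.16.129","dest_port":22}
{"timestamp":"2018-08-15T10:00:02.000000+0000","event_type":"flow","src_ip":"192.168.16.10","dest_ip":"192.168.16.129","dest_port":80}
{"timestamp":"2018-08-15T10:00:03.000000+0000","event_type":"alert","src_ip":"192.168.16.10","dest_ip":"172.16.5.4","alert":{"signature":"constructed test signature"}}
{"timestamp":"2018-08-15T10:00:04.000000+0000","event_type":"dns","src_ip":"172.16.5.4","dest_ip":"8.8.8.8"}
"""


def parse_eve(text):
    """Parse eve.json: one JSON object per line; blank or truncated lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a partially written last line is normal on a live file
    return events


def count_event_types(events):
    """The check pevma asked for: how many events of each event_type are there?"""
    return Counter(e.get("event_type", "?") for e in events)


def flows_outside_home_net(events, home_net):
    """Return (src_ip, dest_ip) of flow events whose destination is not in HOME_NET.
    Rules written $EXTERNAL_NET -> $HOME_NET can never match these flows, which is
    exactly why a scan against an IP missing from HOME_NET produces no alert."""
    nets = [ipaddress.ip_network(n, strict=False) for n in home_net]
    outside = []
    for e in events:
        if e.get("event_type") != "flow":
            continue
        dst = ipaddress.ip_address(e["dest_ip"])
        if not any(dst in n for n in nets):
            outside.append((e["src_ip"], e["dest_ip"]))
    return outside
```

Run it against the real file with `parse_eve(open("/var/log/suricata/eve.json").read())`; if the second function lists your scan target, widen HOME_NET in suricata.yaml as the thread concludes.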
