SELKS Black Magic - Netfilter
1
SELKS & Black Magic
Let's talk about ME
Myself
– Stamus Networks co-founder
– Suricata core team - QA Lead
– OISF Suricata instructor
– Part of the Mob
Stamus Networks
– Bring professional grade products and services through the Suricata IDPS eco-system
– Open Source Projects
  ● SELKS
  ● Amsterdam
  ● Scirius
2
Why we need SELKS
• Entirely Open Source
– The only graphical Suricata rule manager
– Standard Debian Jessie 64-bit live and installable distro
– Want to get the best out of Suricata
– Showcase build for Suricata
• Scalable
• Modular
• Flexible
• Correlate
3
Let's talk about SELKS
• S - Suricata IDPS
• E - Elasticsearch
• L - Logstash
• K - Kibana
• S - Scirius
• EveBox
4
SELKS – Suricata IDS/IPS/NSM
• Suricata
– Supercalifragilisticexpialidocious IDPS/NSM
– Open Source
– Native Multithreading
– Multitenancy
– High Performance
– Modular and flexible
– Lua scripting
– Awesome core teammates
5
SELKS – The ELK stack
• Elasticsearch 2.x
– Distributed, scalable, and highly available
– Real-time search and analytics capabilities
– Sophisticated RESTful API
– Schema free, Apache Lucene™
• Logstash 2.x
– Centralize data processing of all types
– Log collector
• Kibana 4.x
– Flexible analytics and visualization platform
– Real-time summary and charting of streaming data
– Intuitive interface for a variety of users
– Instant sharing and embedding of dashboards
6
SELKS – Scirius
• Suricata graphical rule set manager
7
SELKS – EveBox
• EveBox is a web-based Suricata "eve" event viewer for Elasticsearch
8
Visualization & Filtering
• Filter and visualize on over 360 metadata fields
• GeoIP Maps
9
Dashboards
• 11 ready-to-use out-of-the-box dashboards
– ALL
– ALERTS
– DNS
– FILE-Transactions
– FLOW
– HTTP
– SMTP
– STATS
– TLS
– SSH
– VLAN
10
Correlate
• Correlate
– Events
– Alerts
– Logs
– Rules
11
Rule set manager
• Suricata's graphical rule set management
– Rules to alerts direct mapping
– Suricata performance indicators
– Thresholding/Suppression of alerts
12
Black (file) Magic
Identify a file which:
➢ is a picture taken with the camera of a Huawei Nexus 6P phone
➢ has the extension ".docx"
SELKS
Let's do some Black Magic
…
14
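The task posed on the "Black (file) Magic" slide, worked through as an added example (not code from the deck, nor from the SELKS or Suricata projects): Suricata's EVE "fileinfo" events carry the file name seen on the wire (`fileinfo.filename`) and, when Suricata is built with libmagic support, the libmagic description of the file's actual content (`fileinfo.magic`). libmagic summarises Exif camera metadata inside that description, so a JPEG from a Nexus 6P shows up as "JPEG image data, Exif standard: [... manufacturer=Huawei, model=Nexus 6P ...]" no matter what the file is called. The script below reads EVE lines, flags files whose libmagic type contradicts their extension, and specifically picks out camera photos renamed to ".docx". The EVE lines are constructed for this example, and the table of expected libmagic prefixes per extension is an assumption based on the phrasing file(1) 5.x uses.

```python
import json
import os
import re

# Constructed sample EVE log lines (not taken from the deck). The "magic" strings
# follow libmagic's usual phrasing for a JPEG that carries Exif camera metadata.
SAMPLE_EVE_LINES = [
    '{"timestamp": "2016-06-30T10:00:01.000000+0200", "event_type": "fileinfo", '
    '"src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "app_proto": "http", '
    '"fileinfo": {"filename": "/uploads/report.docx", "magic": "JPEG image data, '
    'Exif standard: [TIFF image data, big-endian, direntries=12, manufacturer=Huawei, '
    'model=Nexus 6P, orientation=upper-left], baseline, precision 8, 4032x3024", '
    '"state": "CLOSED", "stored": false, "size": 2413578}}',
    '{"timestamp": "2016-06-30T10:00:02.000000+0200", "event_type": "fileinfo", '
    '"src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "app_proto": "http", '
    '"fileinfo": {"filename": "/uploads/holiday.jpg", "magic": "JPEG image data, '
    'Exif standard: [TIFF image data, big-endian, direntries=12, manufacturer=Huawei, '
    'model=Nexus 6P, orientation=upper-left], baseline, precision 8, 4032x3024", '
    '"state": "CLOSED", "stored": false, "size": 1987001}}',
    '{"timestamp": "2016-06-30T10:00:03.000000+0200", "event_type": "fileinfo", '
    '"src_ip": "10.0.0.7", "dest_ip": "10.0.0.9", "app_proto": "http", '
    '"fileinfo": {"filename": "/uploads/memo.docx", "magic": "Microsoft Word 2007+", '
    '"state": "CLOSED", "stored": false, "size": 14320}}',
    '{"timestamp": "2016-06-30T10:00:04.000000+0200", "event_type": "fileinfo", '
    '"src_ip": "10.0.0.7", "dest_ip": "10.0.0.9", "app_proto": "smtp", '
    '"fileinfo": {"filename": "/uploads/invoice.docx", "magic": "PDF document, version 1.4", '
    '"state": "CLOSED", "stored": false, "size": 88123}}',
    '{"timestamp": "2016-06-30T10:00:05.000000+0200", "event_type": "alert", '
    '"src_ip": "10.0.0.7", "dest_ip": "10.0.0.9", "alert": {"signature_id": 1}}',
    'this line is not JSON at all',
]

# libmagic descriptions that legitimately go with each extension. Assumption:
# prefixes as printed by file(1) 5.x; extend the table for the types you care about.
EXPECTED_MAGIC = {
    ".docx": ("Microsoft Word 2007+", "Microsoft OOXML"),
    ".jpg": ("JPEG image data",),
    ".jpeg": ("JPEG image data",),
    ".pdf": ("PDF document",),
}

# libmagic prints Exif directory entries as "key=value" pairs inside [...].
MANUFACTURER_RE = re.compile(r"manufacturer=([^,\]]+)")
MODEL_RE = re.compile(r"model=([^,\]]+)")


def parse_fileinfo(line):
    """Return the fileinfo record of one EVE line, or None for other or invalid lines."""
    try:
        event = json.loads(line)
    except ValueError:
        return None
    if event.get("event_type") != "fileinfo":
        return None
    info = event.get("fileinfo") or {}
    if "filename" not in info or "magic" not in info:
        return None  # e.g. Suricata built without libmagic: nothing to compare
    return info


def camera_from_magic(magic):
    """Extract (manufacturer, model) from libmagic's Exif summary, or None if absent."""
    maker = MANUFACTURER_RE.search(magic)
    model = MODEL_RE.search(magic)
    if not maker or not model:
        return None
    return maker.group(1).strip(), model.group(1).strip()


def extension_mismatch(filename, magic):
    """True when the extension is one we know and libmagic disagrees with it."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED_MAGIC.get(ext)
    if expected is None:
        return False  # unknown extension: no baseline to compare against
    return not magic.startswith(expected)


def find_extension_mismatches(lines):
    """Filenames whose libmagic type contradicts their extension."""
    hits = []
    for line in lines:
        info = parse_fileinfo(line)
        if info and extension_mismatch(info["filename"], info["magic"]):
            hits.append(info["filename"])
    return hits


def find_disguised_photos(lines, manufacturer="Huawei", model="Nexus 6P", ext=".docx"):
    """The slide's task: files carrying the given extension that are really camera photos."""
    hits = []
    for line in lines:
        info = parse_fileinfo(line)
        if not info or os.path.splitext(info["filename"])[1].lower() != ext:
            continue
        if not info["magic"].startswith("JPEG image data"):
            continue
        camera = camera_from_magic(info["magic"])
        if camera and camera[0].lower() == manufacturer.lower() \
                and camera[1].lower() == model.lower():
            hits.append(info["filename"])
    return hits


if __name__ == "__main__":
    for name in find_disguised_photos(SAMPLE_EVE_LINES):
        print("camera photo disguised as .docx:", name)
    for name in find_extension_mismatches(SAMPLE_EVE_LINES):
        print("extension/magic mismatch:", name)
```

Run against a real `eve.json` by replacing `SAMPLE_EVE_LINES` with the file's lines; the broader `find_extension_mismatches` check is the generalisation of the slide's task and also catches the PDF-named-as-docx case in the sample. The same condition can be expressed directly in a Suricata rule with the `fileext` and `filemagic` keywords, so the log-side script above is one way to check after the fact rather than the only way.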
Getting SELKS
Source & ISO:
➢ Build your own from source or with a custom kernel version
  ● https://github.com/StamusNetworks/SELKS#selks
➢ Download a ready-to-use ISO image
  ● https://www.stamus-networks.com/open-source/#selks
THANK YOU
c u @SuriCon
16