#4 How To Send Suricata Alerts To Elastic SIEM | Kali Purple SOC In A Box Lab Series #4

  • Published: 21 Aug 2024
  • We will ship Suricata IDS alerts from the OPNsense firewall to Elastic SIEM, then create graphs and maps of the alert traffic. A fun lab, especially for those interested in learning ethical hacking and purple teaming.
    Watch the full series: • How To Install Kali Pu...
    Resources:
    Read the Kali Purple wiki: gitlab.com/kal... Connect and direct message me on LinkedIn: / howard-mukanda-24503144

Comments • 25

  • @nump9768
    @nump9768 2 months ago +4

    For those of you who may be coming back to this video a year later: when you get to the part of installing filebeat, make sure you are in the filebeat7 directory. There's an issue with filebeat8 now that will not allow you past the module list command @10:33.
    Downgrading to 7 allowed me to progress past this part and continue the setup.
    Also, if you get an error with filebeat make install, try rebooting your OPNsense; I had to do it both times when I installed 8 then eventually downgraded to 7.
    Cheers!

  • @Unhacker
    @Unhacker 7 months ago

    Good series dude, nice work. \m/

  • @Braddeman
    @Braddeman 1 year ago +1

    Should have just used Fleet to deploy. Set it up in two seconds. Good to know how to manually do it though. An easy way to deploy Suricata is to use the IDS Tower free version. Easy to then manage rules as well. I have an ET Pro rule set that is also easily deployed with IDS Tower as well.

  • @omurcantatar4359
    @omurcantatar4359 1 year ago +3

    Hi, thanks for all the videos. Since I did not set up HTTPS for Kibana, I proceeded by setting the host value in the filebeat.yml file to HTTP. I completed the steps without any problems. But I want to set up HTTPS for Kibana. Can you share the documentation or a link for the HTTPS setting in Kibana?

    • @nump9768
      @nump9768 2 months ago

      I know I'm a bit late but I figured I'd post what worked for me: when you get to the step about setting up HTTPS, make sure you hit enter through all the prompts and key the default names for the CA and keys. After adding those to your kibana.yml you need to restart the Kibana service for HTTPS to take effect. Fun fact: this took me hours of troubleshooting to figure out.

    • @M3STERL3G3ND
      @M3STERL3G3ND 5 days ago

      @@nump9768 Can you help me? I feel that I missed something on OPNsense. How can we install filebeat if there isn't a version of it that FreeBSD supports? Is it only through Kali Purple?
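
The HTTP-versus-HTTPS choice discussed in this thread, as an added example that is not from the video or the commenters: the plaintext setting next to the TLS-verified form in filebeat.yml, plus the matching kibana.yml lines. Hostnames, file paths and the `elastic` username are assumptions; the CA and certificate files are the ones generated in the certificate setup step the reply above mentions.

```yaml
# filebeat.yml (added example, not the video's config). Hostnames and
# paths are assumptions; adjust them to your own lab.

# Weak: Kibana and Elasticsearch reached over plaintext HTTP.
# Credentials and Suricata alert data travel unencrypted, and Filebeat
# cannot tell whether it is talking to the real SIEM or an impostor.
#setup.kibana:
#  host: "http://kibana.lab.local:5601"
#output.elasticsearch:
#  hosts: ["http://elastic.lab.local:9200"]

# Corrected: HTTPS with the CA from the certificate setup step, so the
# server identity is verified, not merely encrypted.
setup.kibana:
  host: "https://kibana.lab.local:5601"
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]

output.elasticsearch:
  hosts: ["https://elastic.lab.local:9200"]
  username: "elastic"
  password: "${ES_PASSWORD}"          # resolved from the filebeat keystore
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  ssl.verification_mode: "full"        # avoid "none" outside a throwaway lab

# --- kibana.yml on the Kali Purple host: the lines the reply above adds ---
# server.ssl.enabled: true
# server.ssl.certificate: /etc/kibana/certs/kibana.crt
# server.ssl.key: /etc/kibana/certs/kibana.key
# Restart Kibana afterwards (e.g. systemctl restart kibana) or the
# change does not take effect.
```

Store the password with `filebeat keystore add ES_PASSWORD` so it never sits in the YAML file; `filebeat test output` then confirms the TLS handshake and CA verification succeed before any alerts are shipped.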

  • @raulmoncada6757
    @raulmoncada6757 2 months ago

    Hi. I have one question. Is OPNsense mandatory to send the logs? Or could I just configure my NIC in promiscuous mode?
    Thank you

  • @boomerjrtv1268
    @boomerjrtv1268 6 months ago +1

    I did not get the install prompt where you did for filebeat... I noticed you skipped some of the video. What did you do?

    • @Alpanama
      @Alpanama 3 months ago

      Based on what I've seen, this guy solved the issue by "downgrading" to an 8.5.3 version (ruclips.net/video/b88mnr0WsLc/видео.html). How to do that?

  • @ken6197
    @ken6197 1 year ago +1

    Do we need to set up Logstash to complete the ELK stack of this box?

    • @ITSecurityLabs
      @ITSecurityLabs 1 year ago +1

      No, the default Elastic Filebeat parser is sufficient for this setup.

  • @maumotec2345
    @maumotec2345 1 month ago

    How can I downgrade Beats from 8.8.2 to a previous version? I went through a lot of websites but nothing clear to be honest.
    I installed beats7 but was not able to make the dashboards work.

  • @alexandruionita99
    @alexandruionita99 7 months ago

    Hi, thanks for all the videos with Kali Purple! I have a problem when I execute 'filebeat modules list'; I get this error: "Error initializing beat: failed to get host information: unimplemented". How can I solve that?

    • @bhaskarreddy7197
      @bhaskarreddy7197 6 months ago

      I'm also facing the same issue, I need a solution for this please...

    • @dayones4596
      @dayones4596 5 months ago +1

      @@bhaskarreddy7197 A bit late, but you can make install sysutils/beats7 instead of beats8. Beats 8.8.2 is the one that's installed and facing the issue. You can also try installing the version he's using here, which is 8.6 (albeit another way).

  • @aviwemusa6109
    @aviwemusa6109 1 year ago +2

    Can you also deploy TheHive for Incident Response?

    • @ITSecurityLabs
      @ITSecurityLabs 1 year ago +2

      That sounds like a great idea for this SOC

    • @ITSecurityLabs
      @ITSecurityLabs 1 year ago +2

      We will get it done

    • @aviwemusa6109
      @aviwemusa6109 1 year ago

      @@ITSecurityLabs Thank you! 😁

    • @EliteSoulja360
      @EliteSoulja360 1 year ago

      Will be keen to see this deployed. Thank you for the videos sir!

    • @aaron8814
      @aaron8814 1 year ago

      @@ITSecurityLabs waiting for you!

  • @user-km2iw8vv6l
    @user-km2iw8vv6l 1 year ago

    Any idea how to fix this error? I have tried everything:
    go tool dist: unexpected new file in $GOROOT/bin: go-go-tmp-umask
    *** Error code 2
    Stop.
    make[1]: stopped in /usr/ports/lang/go120
    *** Error code 1
    Stop.
    make: stopped in /usr/ports/sysutils/beats8