I'm also interested in more Suricata content. It'd also be cool to see a comparison against other techniques such as plain firewall management or cloud options. Thanks for this!
Thanks. I know what you mean - logs are difficult to get excited about. Once it's tweaked to reduce false positives you can feed it into a security platform and have it email you when there's something to worry about.
Great video it’s spiked my interest, I run 8 vlans at home (main, guest, phones, cctv, iot with internet, iot without internet, lab and internet via subnet vpn) looking if I can get the switch to port mirror with the vlans intact. All but home assistant servers are Ubuntu 22.04 and have interfaces on all vlans. Particularly for pi hole and Bonjour gateways. I would really like to see the link to more human friendly graphics. I feel a project coming on :-)
@@ProTechShow it works remarkably well and don’t even think about it normally. Btw for the network that have wireless access the ssids and the documentation each vlan/subnet is named after a planet in the solar system.
@@marksterling8286 that brings back a memory. One of our guys was onboarding a customer several years ago who named servers after planets, and he needed access to a particular server. Cue the question "Dave, can you let me into Uranus, please?" being asked loudly across the office before he realised what it sounded like!
It depends what you want to monitor. If it's just traffic to/from the internet then the LAN side of your router may be a better choice. If you're using NAT then the WAN side will show outbound traffic from your router's public IP rather than your internal hosts, and you'll probably pick up a ton of alerts from random internet-based port scans and the like bouncing off your firewall. The LAN side should be quieter, showing only traffic that made it though your firewall, and with recognisable internal IPs. You don't have to use it just for internet traffic, though. If you forward ports from your internal network it can pick up on insecure LAN traffic (e.g. credentials passed around in plaintext) and indicators of lateral movement between hosts.
after i entered the " suricata-update enable-source et/open , my output is Failed to create directory , and its permission denied /var/lib/suricata/update How do i solve this ?
Hyper-V is the Windows hypervisor. You enable it as a role after installing Windows. Usually (unless testing something), you want to run it on bare metal. The equivalent for Rocky Linux would be KVM.
I haven't got a copy of OPNsense installed at the moment to check. I'm running Suricata standalone and feeding its alerts to Wazuh, with Wazuh doing the alerting.
More than you might initially expect. It can't see through the encryption, but it can see the DNS request, the layer 4 stuff like IP address you're connecting to and protocol used, and the TLS handshake from which it can get the hostname requested via SNI, details of the server's TLS certificate, indications of attempted TLS exploits like POODLE, etc. It can't read the data once the TLS session is established, but it has a pretty good idea who you're talking to, so it can alert you that a device on your network is communicating with a website known to act as a command and control server for a particular family of malware, or with a website whose TLS certificate was issued by a certificate authority with loose standards that is known to be used by bad actors, etc.
"Free" SIEM tools usually require a lot of manual effort as they're very light on correlation rules and threat intelligence compared to paid tools (essentially, you pay for the threat data, not the tool). If you're willing to put the effort in, Wazuh or Elasticsearch are probably your best free options. OSSIM is another one if you don't need to keep the logs for a long period, but if it's for professional use that would normally rule it out.
Well, the installer does... but you probably need to install WinPcap separately as well, and then it's over to text files and command line to configure/use it. Personally, I think it will be less user-friendly - especially if you hit a problem and need to Google it! Typically, you have Suricata running invisibly in the background and you surface the data in a separate visualisation tool that is likely pulling information from a number of other sources as well. If people want it I'll cover that in a later video. If you want something that will give you a GUI to use straight out of the box you're not after Suricata itself but a security product that has already integrated Suricata. I'll try and test a few free ones before I make a follow-up so I can include a "if you can't be bothered with this integration stuff, here's an easy option" alternative.
Not quite what you were asking for; but I've released a follow-up that introduces a few options for visualisations and analytics, and I give a brief mention to IDSTower at the end which isn't really the focus of the video but does provide a web interface for installing and configuring Suricata: ruclips.net/video/KWEWU_pItyg/видео.html
I used to work with a guy whose catchphrase was "Where there's a wizard there's a way!" (Referring to the "next, next, finish" type of wizard, not the Gandalf type... do people still call those wizards?)
I've released a follow-up that introduces a few options for visualisations and analytics. There's also a brief mention of IDSTower at the end which isn't for visualising data, but does let you install Suricata using a web interface instead of command line: ruclips.net/video/KWEWU_pItyg/видео.html
I'm surprised I didn't have to fish this comment out of the bin. RUclips usually blocks anything that looks like it contains commands or code, and I have to go through and unblock them. Maybe it's because you said "sudo". 😆
Follow-up video with options for visualising threats from Suricata data: ruclips.net/video/KWEWU_pItyg/видео.html
Antes de que termine de ver el video te quiero decir que me serviste de mucho para poder terminar mi tesis, muchas gracias buen hombre por el video.
Glad it was helpful
Great video and Yes to a follow up for visualisation of the data
Thanks!
I've released a follow-up that introduces a few options for visualisations and analytics: ruclips.net/video/KWEWU_pItyg/видео.html
I'm also interested in more Suricata content. It'd also be cool to see a comparison against other techniques such as plain firewall management or cloud options. Thanks for this!
Thanks!
I've released a follow-up that introduces a few options for visualisations and analytics: ruclips.net/video/KWEWU_pItyg/видео.html
For me the crontab was an excellent addition. I also appreciate your information on switches. I'll definitely subscribe to your channel.
Thanks!
Nice video.. awaiting the follow-up desperately to visualize it in better way. goodluck
Thanks!
I've released a follow-up that introduces a few options for visualisations and analytics: ruclips.net/video/KWEWU_pItyg/видео.html
Yes. Let's collect the data and do something pretty!
Sounds like I'll need to make a follow-up!
I've released a follow-up that introduces a few options for visualisations and analytics: ruclips.net/video/KWEWU_pItyg/видео.html
how do you configure suricata as a true IPS? Mirroring mode serves as an IDS. How do we get Suricata to act as a gateway and forward traffic outbound.
Nice work, set this up awhile ago but never turned it on because I hate sifting through logs lol
Thanks. I know what you mean - logs are difficult to get excited about. Once it's tweaked to reduce false positives you can feed it into a security platform and have it email you when there's something to worry about.
Graphs for the win
Everybody loves a graph 😉
I've released a follow-up that introduces a few options for visualisations and analytics: ruclips.net/video/KWEWU_pItyg/видео.html
Great video it’s spiked my interest, I run 8 vlans at home (main, guest, phones, cctv, iot with internet, iot without internet, lab and internet via subnet vpn) looking if I can get the switch to port mirror with the vlans intact. All but home assistant servers are Ubuntu 22.04 and have interfaces on all vlans. Particularly for pi hole and Bonjour gateways. I would really like to see the link to more human friendly graphics. I feel a project coming on :-)
That's an impressive number of VLANs for a home network!
@@ProTechShow it works remarkably well and don’t even think about it normally. Btw for the network that have wireless access the ssids and the documentation each vlan/subnet is named after a planet in the solar system.
@@marksterling8286 that brings back a memory. One of our guys was onboarding a customer several years ago who named servers after planets, and he needed access to a particular server. Cue the question "Dave, can you let me into Uranus, please?" being asked loudly across the office before he realised what it sounded like!
I've released a follow-up that introduces a few options for visualisations and analytics: ruclips.net/video/KWEWU_pItyg/видео.html
Please make a video where you integrate the logs with something shiny. I’m using pfelk but would love to see other methods for monitoring and alerting
I'll add it to the list, thanks!
I've released a follow-up that introduces a few options for visualisations and analytics: ruclips.net/video/KWEWU_pItyg/видео.html
@@ProTechShow nice thank you for the follow up. Much appreciated
So if you have Suricata running on a physical device separate from your router, you would want the port to mirror your WAN port?
It depends what you want to monitor. If it's just traffic to/from the internet then the LAN side of your router may be a better choice. If you're using NAT then the WAN side will show outbound traffic from your router's public IP rather than your internal hosts, and you'll probably pick up a ton of alerts from random internet-based port scans and the like bouncing off your firewall. The LAN side should be quieter, showing only traffic that made it though your firewall, and with recognisable internal IPs.
You don't have to use it just for internet traffic, though. If you forward ports from your internal network it can pick up on insecure LAN traffic (e.g. credentials passed around in plaintext) and indicators of lateral movement between hosts.
How to get traffic from loopback as im running my own script to test detection
after i entered the " suricata-update enable-source et/open , my output is Failed to create directory , and its permission denied /var/lib/suricata/update
How do i solve this ?
Prefix the command with "sudo" to elevate your permissons
THANK YOUU @@ProTechShow
how do i use hyper V on rocky and do i need to download it ?@@ProTechShow
im using virtualbox , where do i need to install hyper v , is it on rocky or windows ?@@ProTechShow
Hyper-V is the Windows hypervisor. You enable it as a role after installing Windows. Usually (unless testing something), you want to run it on bare metal.
The equivalent for Rocky Linux would be KVM.
please show us a follow up I am in a real need for that. Thanks
I'll add it to the list!
I've released a follow-up that introduces a few options for visualisations and analytics: ruclips.net/video/KWEWU_pItyg/видео.html
Can we implement pfsense firewall and surricata together ?
Yes. Although I don't use it myself, Suricata is available as a package for pfSense. Have a search in the package manager after installing pfSense.
@@ProTechShow thanks !!!
How do I get suricata alerts sent to me via email on OPNsense?
I haven't got a copy of OPNsense installed at the moment to check. I'm running Suricata standalone and feeding its alerts to Wazuh, with Wazuh doing the alerting.
So what happens for sites with TLS encryption?
More than you might initially expect. It can't see through the encryption, but it can see the DNS request, the layer 4 stuff like IP address you're connecting to and protocol used, and the TLS handshake from which it can get the hostname requested via SNI, details of the server's TLS certificate, indications of attempted TLS exploits like POODLE, etc.
It can't read the data once the TLS session is established, but it has a pretty good idea who you're talking to, so it can alert you that a device on your network is communicating with a website known to act as a command and control server for a particular family of malware, or with a website whose TLS certificate was issued by a certificate authority with loose standards that is known to be used by bad actors, etc.
Thank you.... good video...
Thanks!
What's a free SEIM I can use?
"Free" SIEM tools usually require a lot of manual effort as they're very light on correlation rules and threat intelligence compared to paid tools (essentially, you pay for the threat data, not the tool). If you're willing to put the effort in, Wazuh or Elasticsearch are probably your best free options. OSSIM is another one if you don't need to keep the logs for a long period, but if it's for professional use that would normally rule it out.
If the Windows edition uses a GUI then I'd prefer that 🤣
Well, the installer does... but you probably need to install WinPcap separately as well, and then it's over to text files and command line to configure/use it. Personally, I think it will be less user-friendly - especially if you hit a problem and need to Google it!
Typically, you have Suricata running invisibly in the background and you surface the data in a separate visualisation tool that is likely pulling information from a number of other sources as well. If people want it I'll cover that in a later video. If you want something that will give you a GUI to use straight out of the box you're not after Suricata itself but a security product that has already integrated Suricata. I'll try and test a few free ones before I make a follow-up so I can include a "if you can't be bothered with this integration stuff, here's an easy option" alternative.
Not quite what you were asking for; but I've released a follow-up that introduces a few options for visualisations and analytics, and I give a brief mention to IDSTower at the end which isn't really the focus of the video but does provide a web interface for installing and configuring Suricata: ruclips.net/video/KWEWU_pItyg/видео.html
I do love my GUIs
Too much CLI for me
I used to work with a guy whose catchphrase was "Where there's a wizard there's a way!"
(Referring to the "next, next, finish" type of wizard, not the Gandalf type... do people still call those wizards?)
@@ProTechShow Software use "Setup Assistant" nowadays. I prefer wizards though!
"Where there's a setup assistant there's a way" just doesnt have the same ring to it...
I've released a follow-up that introduces a few options for visualisations and analytics. There's also a brief mention of IDSTower at the end which isn't for visualising data, but does let you install Suricata using a web interface instead of command line: ruclips.net/video/KWEWU_pItyg/видео.html
sudo apt install -y software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update -y
sudo apt install -y suricata
I'm surprised I didn't have to fish this comment out of the bin. RUclips usually blocks anything that looks like it contains commands or code, and I have to go through and unblock them. Maybe it's because you said "sudo". 😆