Suricata version and configuration

N3ST (New Member), Aug 26, 2014
Hello everyone,

Now that version 3.3 is out, we can use the integrated firewall (which works perfectly) with Suricata to further enhance security.

I have a few questions regarding the version to use: is it better to use the version that comes with Debian (1.2), or can we use the official Suricata repository to install the latest version, 2.0.3?

Is this version supported on Proxmox?

Second question: do you have any advice regarding the configuration and the rules to use (Emerging Threats or Snort VRT)?

Thank you in advance,

Best regards,

N3ST
 
Hello,

I found these packages for Debian wheezy 64-bit:
libhtp-dev : http://svn.marco-gatti.com/libhtp/wheezy/amd64/libhtp-dev_0.5.15-1_amd64.deb
libhtp1 : http://svn.marco-gatti.com/libhtp/wheezy/amd64/libhtp1_0.5.15-1_amd64.deb
Suricata 2.0.3 : http://svn.marco-gatti.com/suricata/wheezy/amd64/suricata_2.0.3-1_amd64.deb

These are all the libraries you need to install 2.0.3.

I am doing some tests on a Proxmox test machine to see if it can be implemented without any issues.

If this works we could then link Suricata with Snorby, Logstash or OSSIM.

What do you think about that?

Best regards,

N3ST
 
OK,

I made some tests; it is not possible to install Suricata 2.0.3 due to dependencies that would break the whole system.

We will have to use the provided Suricata version, 1.2.

So does anybody have an idea of the best configuration, and how to link Suricata to a management server to review the logs and everything in a clean interface?

Best regards,

N3ST
 
Hey Proxmox Team,

I have a question:

Suricata IPS integration
If you want to use Suricata IPS (intrusion prevention system), it's possible.
Packets will be forwarded to the IPS after firewall ACCEPT.
Rejected/dropped firewall packets don't go to the IPS.

Install Suricata on the Proxmox host:

  1. apt-get install suricata

Then enable IPS for a specific VM:

/etc/pve/firewall/<VMID>.fw

[OPTIONS]
ips: 1
ips_queues: 0

ips_queues will bind a specific CPU queue for this VM.
Available queues are defined in
/etc/default/suricata
NFQUEUE=0

Is there a possibility to enable IDS + IPS for the hypervisor?

How do you scale the ips_queues when you have multiple VMs?

Is there a way to use a parser for the Suricata logs in order to analyse them with Snorby/Logstash/Security Onion/OSSIM?

Thank you in advance,

N3ST
 
Hi,

Is there a possibility to enable IDS + IPS for the hypervisor?
Currently not (I don't remember having implemented it),
but technically it should be possible.


How do you scale the ips_queues when you have multiple VMs?

You can start Suricata with multiple queues
(but I don't think the Debian init script and default config file support it, so you should edit the init script),
then you can assign one or more queues per VM.

(Queues can also be shared between VMs.)

Is there a way to use a parser for the Suricata logs in order to analyse them with Snorby/Logstash/Security Onion/OSSIM?

Maybe install Logstash on Proxmox? You should be able to parse the Suricata logs and the Proxmox firewall logs.

I'm currently working on this at work, with a Kibana dashboard.
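As an added example (not the Proxmox project's code and not part of either post above), here is a small POSIX sh helper that applies the per-VM settings quoted in the question (ips / ips_queues in /etc/pve/firewall/<VMID>.fw) and checks the chosen queue against the NFQUEUE value in /etc/default/suricata, since with the stock init script only that one queue has a Suricata instance listening on it. The optional CONFDIR/DEFAULTS arguments are my addition so the functions can be tried outside /etc; everything else follows the file layout shown in the thread.

```shell
#!/bin/sh
# Added example, not Proxmox project code. Applies the per-VM IPS options
# quoted above (ips / ips_queues in /etc/pve/firewall/<VMID>.fw) and checks
# the queue against NFQUEUE in /etc/default/suricata.
# Assumptions: the stock Debian init script starts one suricata instance on
# the single NFQUEUE value in that file; the optional CONFDIR/DEFAULTS
# arguments exist only so the functions can be exercised outside /etc.

# enable_vm_ips VMID QUEUE [CONFDIR]
# Creates <VMID>.fw with an [OPTIONS] section, or rewrites the ips/ips_queues
# keys of an existing file while leaving [RULES] and other sections untouched.
enable_vm_ips() {
    vmid=$1; queue=$2; confdir=${3:-/etc/pve/firewall}
    case "$vmid" in ''|*[!0-9]*) echo "bad VMID: '$vmid'" >&2; return 1;; esac
    case "$queue" in ''|*[!0-9]*) echo "bad queue: '$queue'" >&2; return 1;; esac
    fw="$confdir/$vmid.fw"
    if [ ! -f "$fw" ]; then
        printf '[OPTIONS]\nips: 1\nips_queues: %s\n' "$queue" > "$fw"
        return 0
    fi
    awk -v q="$queue" '
        # on every section header: flush our keys if we are leaving [OPTIONS]
        /^\[/ {
            if (inopt && !done) { print "ips: 1"; print "ips_queues: " q; done = 1 }
            inopt = ($0 == "[OPTIONS]"); print; next
        }
        # drop stale ips keys inside [OPTIONS]; keep everything else verbatim
        inopt && ($1 == "ips:" || $1 == "ips_queues:") { next }
        { print }
        END {
            if (!done) {
                if (!inopt) print "[OPTIONS]"
                print "ips: 1"; print "ips_queues: " q
            }
        }' "$fw" > "$fw.tmp" && mv "$fw.tmp" "$fw"
}

# vm_ips_queue VMID [CONFDIR]: print the queue a VM is bound to (empty if none)
vm_ips_queue() {
    awk '/^\[/ { inopt = ($0 == "[OPTIONS]"); next }
         inopt && $1 == "ips_queues:" { print $2 }' "${2:-/etc/pve/firewall}/$1.fw"
}

# suricata_queue_ok QUEUE [DEFAULTS]: succeed only if NFQUEUE in the suricata
# defaults file equals QUEUE. A VM bound to a queue that no suricata instance
# listens on is not inspected, so run this after every enable_vm_ips.
suricata_queue_ok() {
    nfq=$(sed -n 's/^NFQUEUE=\([0-9][0-9]*\).*/\1/p' "${2:-/etc/default/suricata}" | tail -n 1)
    [ -n "$nfq" ] && [ "$nfq" -eq "$1" ]
}

# Usage on a host (needs root and the pve-firewall files):
#   enable_vm_ips 100 0 && suricata_queue_ok 0 || echo "queue 0 has no suricata listener" >&2
```

If you patch the init script to start Suricata on several queues, extend suricata_queue_ok to read whatever variable you introduce for the extra queue numbers; the .fw rewrite does not change.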
 
Thank you for your response,

If you succeed in installing Kibana on Proxmox and making it work with Suricata and the logs from Proxmox, could you please give me the installation and configuration process?

Thank you in advance,

N3ST
 
Hi, I haven't finished the work yet,

but I only run Logstash on Proxmox, then put the data in Elasticsearch/Kibana on another machine.

I'll try to post logstash config and kibana templates next month.
 
Wouldn't it be better to export the logs to another computer instead of installing another console locally?

If you need help with testing let me know; I have a Proxmox test machine to test on before implementing.

I was able to install Barnyard2 and the OSSEC agent on the Proxmox test VM.

Best regards,

N3ST
 
I don't install any console on the Proxmox host, only Logstash (which is a log parser daemon; it generates JSON and sends it to Elasticsearch outside).

Like this, you can have live stats without needing to export logs.


But of course, you can do it like this if you want: export with syslog to a centralized server, and run Logstash on it.

The choice is yours ;)
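To make the two approaches above concrete, here is an added example (my own code, not the poster's Logstash config and not part of Proxmox) of what the parser on the host does before documents reach Elasticsearch: it turns Suricata fast.log alerts and the netfilter LOG lines written by the Proxmox firewall into flat JSON records. It assumes the single-line fast.log alert layout of Suricata 1.x/2.x; the firewall line shape "<vmid> <level> <chain> <timestamp> <message> KEY=value ..." is assumed from pve-firewall.log samples, not taken from this thread, and the parser falls back to plain KEY=value parsing when that prefix is absent. All sample lines in the block are constructed.

```python
"""Added example (not the Proxmox project's or the poster's code).

Turns Suricata fast.log alerts and Proxmox firewall (netfilter LOG) lines
into flat JSON documents of the kind Logstash would ship to Elasticsearch.
Assumptions: fast.log uses the single-line alert layout of Suricata 1.x/2.x;
the firewall line layout "<vmid> <level> <chain> <timestamp> <msg> KEY=value ..."
is assumed from pve-firewall.log samples and is not taken from the page.
All sample lines below are constructed for this example.
"""
import json
import re
from datetime import datetime

# 09/18/2014-18:04:19.123456  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:spt -> dst:dpt
FAST_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>[^}]+)\}\s+(?P<src>\S+):(?P<spt>\d+)\s+->\s+(?P<dst>\S+):(?P<dpt>\d+)\s*$')

# Assumed pve-firewall.log prefix; the rest is a standard netfilter LOG line.
FW_PREFIX_RE = re.compile(
    r'^(?P<vmid>\d+)\s+(?P<level>\d+)\s+(?P<chain>\S+)\s+'
    r'(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\s+(?P<rest>.*)$')
KV_RE = re.compile(r'\b([A-Z]+)=(\S*)')
BARE_FLAGS = {'SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG', 'DF', 'CWR', 'ECE'}

# Constructed sample input (private/documentation addresses, test SID).
SAMPLE_FAST = ("09/18/2014-18:04:19.123456  [**] [1:1000001:1] CONSTRUCTED TEST alert inbound [**] "
               "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:43521 -> 10.0.0.10:22")
SAMPLE_FW = ("100 6 veth100i0-IN 18/Sep/2014:18:04:19 +0200 policy DROP: IN=vmbr0 OUT= PHYSIN=eth0 "
             "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.0.0.10 LEN=60 TOS=0x00 "
             "PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=43521 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0")


def parse_fast_log(line):
    """One fast.log alert -> dict, or None if the line is not an alert."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(d['ts'], '%m/%d/%Y-%H:%M:%S.%f')  # host-local, no tz in fast.log
    return {
        '@timestamp': ts.isoformat(), 'type': 'suricata-alert',
        'gid': int(d['gid']), 'sid': int(d['sid']), 'rev': int(d['rev']),
        'signature': d['msg'], 'classification': d['cls'], 'priority': int(d['prio']),
        'proto': d['proto'],
        'src_ip': d['src'], 'src_port': int(d['spt']),
        'dst_ip': d['dst'], 'dst_port': int(d['dpt']),
    }


def parse_fw_log(line):
    """One firewall log line -> dict, or None if it carries no KEY=value pairs."""
    doc = {'type': 'pve-firewall'}
    rest = line
    m = FW_PREFIX_RE.match(line)
    if m:  # assumed Proxmox prefix present
        doc['vmid'] = int(m.group('vmid'))
        doc['loglevel'] = int(m.group('level'))
        doc['chain'] = m.group('chain')
        doc['@timestamp'] = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z').isoformat()
        rest = m.group('rest')
    first = KV_RE.search(rest)
    if not first:
        return None
    doc['action'] = rest[:first.start()].strip().rstrip(':')  # e.g. "policy DROP"
    for key, val in KV_RE.findall(rest):
        doc[key.lower()] = val
    # netfilter prints DF and TCP flags as bare words, not KEY=value
    doc['flags'] = sorted(t for t in rest[first.start():].split() if t in BARE_FLAGS)
    for key in ('spt', 'dpt', 'len', 'ttl', 'id'):
        if key in doc and doc[key].isdigit():
            doc[key] = int(doc[key])
    return doc


def to_events(lines):
    """Dispatch mixed lines to the right parser; unparseable lines are skipped."""
    events = []
    for line in lines:
        doc = parse_fast_log(line) if '[**]' in line else parse_fw_log(line)
        if doc is not None:
            events.append(doc)
    return events


if __name__ == '__main__':
    # Emit newline-delimited JSON, which Elasticsearch/Logstash consume directly.
    for ev in to_events([SAMPLE_FAST, SAMPLE_FW, 'not a log line']):
        print(json.dumps(ev, sort_keys=True))
```

Feeding both sources through one pipeline like this is what makes the "live stats" the previous reply mentions possible: an alert and the firewall verdict for the same src/dst/dpt tuple land in the same index and can be correlated in the dashboard.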
 

This is brilliant, just the parser, configured to send the logs in JSON format to the management console!

I prefer to do it the same way you are doing it now.

I was working with OSSIM to install and manage the OSSEC agent on the VMs, but I think Logstash + Kibana could manage the hypervisor logs, Suricata and the firewall as well. Does Kibana do the same as Snorby?

N3ST
 
