• This repository has been archived on 13/Sep/2022
  • Stars
    star
    183
  • Rank 210,105 (Top 5 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created about 9 years ago
  • Updated about 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Docker based Suricata, Elasticsearch, Logstash, Kibana, Scirius aka SELKS

This repository is archived as `SELKS <https://github.com/StamusNetworks/SELKS>`_ is now based on Docker

Amsterdam

Introduction

Amsterdam is SELKS and Docker using Compose. The result of Amsterdam is a set of containers providing a complete Suricata IDS/NSM ecosystem:

The ELK stack is created using the official docker images. Communication between logstash and suricata is done via a share directory (from the host). The same applies to scirius and suricata where the /etc/suricata/rules directory is shared.

Installation

Generic

You can install amsterdam from the source directory by running

sudo python setup.py install

Or you can use pip to install latest released version

sudo pip install amsterdam

Debian

You need to install Docker. On Debian

sudo apt-get install docker.io docker-compose python-pip python-docker
sudo pip install amsterdam

Ubuntu

On Ubuntu, you can run

sudo apt-get install docker.io python-pip
sudo pip install amsterdam

Usage

To sniff the wlan0 interface and store data and config in the ams directory, you can run

amsterdam -d ams -i wlan0 setup
amsterdam -d ams start

As of now the start command will take really long on first run as it will fetch from Docker hub all the necessary images and build some custom containers.

Subsequent run should take less than 1 minute.

You can then connect to:

The HTTPS server is accessible from outside so you can connect to IP or hostname from there. So don't forget to change the default password.

To stop the amsterdam instance, run

amsterdam -d ams stop

To remove an amsterdam instance in directory hacklu, run

amsterdam -d ~/builds/amsterdam/hacklu/ rm

and remove the data directory if you want to delete data.

Updating

Updating amsterdam

For installation done via setup.py, you can just update the source code and rerun the installation procedure

git pull
sudo python setup.py install

For installation done via pip, one can run

pip install --upgrade --no-deps amsterdam

Updating an instance

When code is updated (new suricata package or new ELK versions), you can run (supposing your suricata listen on eth0)

amsterdam -d ams -i eth0 update

Then, you can restart the services

amsterdam -d ams restart

To do a complete update including Docker recipes and configuration files

amsterdam -d ams -f -i eth0 update

Tuning and coding

The configuration are stored in the config directory. For now only scirius, logstash and suricata are configured that way.

Running Scirius from latest git

To do so, simply edit docker-compose.yml in the data directory and uncomment and set the path to the scirius source tree. You will also need to copy the local_settings.py in config/scirius directory to in scirius subdirectory of your scirius source.

Once done, you can restart the services

amsterdam -d ams restart

Run a migration inside the container

docker exec ams_scirius_1 python /opt/selks/scirius/manage.py migrate

Backup

Backups in the scirius container are shared with the host. /var/backups directory is shared in $basepath/backups on the host.

To start a backup, run

docker exec ams_scirius_1 python /opt/selks/scirius/manage.py scbackup

To restore a backup and erase all your data, you can run

docker exec ams_scirius_1 python /opt/selks/scirius/manage.py screstore
docker exec ams_scirius_1 python /opt/selks/scirius/manage.py migrate

This will restore the latest backup. To choose another backup, indicate a backup filename as first argument. To get list of available backup, use

docker exec ams_scirius_1 python /opt/selks/scirius/manage.py listbackups

You can not restore a backup to a scirius which is older than the one where the backup has been done.

More Repositories

1

SELKS

A Suricata based IDS/IPS/NSM distro
Shell
1,420
star
2

scirius

Scirius is a web application for Suricata ruleset management and threat hunting.
Python
620
star
3

gophercap

Accurate, modular, scalable PCAP manipulation tool written in Go.
Go
84
star
4

suricata-language-server

Suricata Language Server is an implementation of the Language Server Protocol for Suricata signatures. It adds syntax check, hints and auto-completion to your preferred editor once it is configured.
Python
60
star
5

suricata-4-analysts

The Security Analystโ€™s Guide to Suricata
Python
49
star
6

KTS5

Kibana 5 Templates for Suricata IDPS
Python
43
star
7

KTS7

Kibana 7 Templates for Suricata IDPS Threat Hunting
38
star
8

KTS

Kibana 4 Templates for Suricata IDPS
Shell
33
star
9

suricata-analytics

Jupyter Notebook
25
star
10

KTS6

Kibana 6 Templates for Suricata IDPS Threat Hunting
Python
25
star
11

surimisp

Check IOC provided by a MISP instance on Suricata events
Python
17
star
12

ansible-misp

Ansible playbook to install Malware Information Sharing Platform (MISP)
17
star
13

bpfctrl

Utility based on bpftool to manage eBPF maps
Python
12
star
14

stamus_for_splunk

The Stamus Networks App for Splunk allows Splunk Enterprise users to extract information and insights from both the Stamus Security Platform and open source Suricata sensors.
Python
11
star
15

scirius-docker

Scirius docker container
Shell
9
star
16

suricata-docker

Python
7
star
17

selks-scripts

SELKS scripts
Shell
7
star
18

stamus-luajit-scripts

Stamus luajit scripts for use with Suricata IDPS
Lua
4
star
19

suricata-ls-vscode

VScode part of the Suricata Language Server
TypeScript
3
star
20

pktcity-js

3D visualization of Suricata alerts
JavaScript
2
star
21

labs

Stamus Labs content
1
star
22

stamus-qa-docker

Dockerfile used for QA
Dockerfile
1
star