
Connecting Moloch and Suricata


  • Authors: Tomáš Mokoš, Miroslav Kohútik

Moloch archives network traffic and provides fast, organized access to it; however, Moloch by itself does not apply any security analysis to that traffic. Suricata IDS, on the other hand, inspects the monitored traffic and produces alerts (signature matches) that carry information about threats, but it does not provide any GUI to display them.

Since version 1.5 (released on 16.7.2018), Moloch supports a plugin for importing Suricata alerts. Suricata and Moloch must be running on the same machine for the plugin to work. Data generated by Suricata can be accessed in Moloch’s web UI in the Sessions and SPI View tabs. All sessions containing Suricata data can be found by entering the query suricata.signature == EXISTS! in Moloch’s search bar. This solution does not add a dedicated Suricata UI inside Moloch; it only adds new fields to Moloch session data. To enable the plugin, add suricata.so to the list of plugins and specify the path to Suricata’s eve.json file in the Moloch configuration file.

Moloch Upgrade


  • Authors: Tomáš Mokoš, Miroslav Kohútik

Upgrading Moloch to the latest version is not possible from all versions. Some older versions require installation of newer versions in an exact order.

Upgrading to Moloch 1.1.0

The oldest version of Moloch we have had in active use was version 0.50.
Upgrading Moloch from version 0.50 to version 1.0 and higher requires reindexing of all session data due to the large changes introduced in version 1.0. Reindexing is done in the background after upgrading, so there is little downtime before the server is back online.

Installation of Scirius CE


  • Author: Miroslav Kohútik
  • Operating system: Ubuntu 16.04

This guide will walk you through the installation of Scirius Community Edition on the Ubuntu 16.04 operating system.
Before proceeding with the installation of Scirius CE, you need to have the Suricata IDS installed. An installation guide for Suricata can be found here.

Install python package and header file manager

Installation of Zabbix 4.0


  • Author: Miroslav Kohútik
  • Operating system: Ubuntu 16.04

This guide describes the individual steps of installing Zabbix version 4.0 on the Ubuntu 16.04 operating system.

Zabbix relies on the Apache web server, an SQL database (in our case MySQL) and the PHP language to serve its web interface.
Install these components first, before installing Zabbix itself.

Running Fortigate FW VM inside of GNS3

In this post we describe how to run the Fortigate FW VM appliance inside GNS3 (local or remote server).

Prerequisites and environment

  • GNS3
    • In my case version 2.1.1 running on a remote Linux server (physical HW, not the GNS3 VM).
  • Fortigate VM image for KVM
    • In my case FortiGate for KVM platform, version 6.2.
    • Download from HERE using a Fortigate.ONE account (may be created for free).
  • GNS3 Fortigate appliance

    Note: FortiGate VM evaluation license

    FortiGate VM includes a limited embedded 15-day trial license that supports:

Multi tabbed, multi execution telnet/ssh client

During our practical networking lessons, our students and we, as their teachers, usually configure several routers and switches (sometimes up to ten), all of which are accessible remotely. For this we welcome the use of multi-tabbed and especially multi-execution clients.

Such a client lets you organize the working space efficiently and run a command as one task on all connected network equipment (for example, to save the running config on every device at once).

Installation of Suricata

Installation and basic setup of Suricata

First, add the latest stable Suricata repository to APT:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update

Now you can either install Suricata with:

sudo apt-get install suricata

or the Suricata package with built-in (enabled) debugging:

sudo apt-get install suricata-dbg

Basic setup

Start by creating a directory for Suricata’s log output:

sudo mkdir /var/log/suricata

Then create the configuration directory:

sudo mkdir /etc/suricata

The next step is to copy classification.config, reference.config and suricata.yaml from the base build/installation directory (e.g. for a git checkout this is the oisf directory) to the /etc/suricata directory. Do so by entering the following:

sudo cp classification.config /etc/suricata
sudo cp reference.config /etc/suricata
sudo cp suricata.yaml /etc/suricata

Auto setup

You can also use the available auto setup features of Suricata:

The make install-conf option will do the regular “make install” and then automatically create/setup all the necessary directories and suricata.yaml.

./configure && make && make install-conf

The make install-rules option will do the regular “make install” and it automatically downloads and sets up the latest ruleset from Emerging Threats available for Suricata.

./configure && make && make install-rules

The make install-full option combines everything mentioned above (install-conf and install-rules) and will present you with a ready-to-run (configured and set up) Suricata:

./configure && make && make install-full

Source:

Suricata – Ubuntu installation

Setup Kodi to use Tvheadend backend

If you have a working Tvheadend backend available, you can use Kodi as a frontend to watch live TV channels, browse the EPG, and set up and watch TV recordings.

This guide assumes that Kodi is already installed. You can obtain Kodi for Windows/macOS/Linux from the official Kodi webpage: https://kodi.tv/download. For Raspberry Pi, we recommend the LibreELEC distribution available at: https://libreelec.tv/downloads_new

Tclsh script examples: how to generate router loop interfaces with IPv4 addresses

This example shows how to generate 254 loopback interfaces with assigned IPv4 addresses 172.16.0.1/24 up to 172.16.255.1/24. The code is:

enable
tclsh
for {set i 0} {$i < 256} {incr i} {
ios_config "int loop $i" "ip address 172.16.$i.1 255.255.255.0"
}
ios_config "end"
tclquit

and you may simply copy and paste it into a Cisco router CLI. To do so, first run tclsh from privileged EXEC mode