awesome-inc / docker-selks Goto Github PK

View Code? Open in Web Editor NEW

10.0 5.0 7.0 37 KB

Docker based Suricata, Elasticsearch, Logstash, Kibana, Scirius aka SELKS.

Dockerfile 100.00%

docker-selks's Introduction

docker-selks

Docker based Suricata, Elasticsearch, Logstash, Kibana, Scirius aka SELKS.

Setup

On Linux

Install docker.
Install docker-compose.
Clone this repository

Then, start your stack using docker-compose:

docker-compose up

On Windows, use Vagrant or Docker for Windows

For Vagrant be sure to have the following vagrant plugins installed

vagrant-proxyconf when behind a croporate proxy
vagrant-docker-compose
vagrant-vbguest
vagrant-cachier

Start up the box

vagrant up

Next, access

Scirius with scirius/scirius as login/password,
Kibana and
Evebox.

Connect into the box via ssh/putty on 127.0.0.1:2222 with standard login vagrant/vagrant. Then,

cd /vagrant
docker-compose [ps,logs, ...]

docker-selks's People

Contributors

Stargazers

Watchers

Forkers

kevfoerster arun81 ohheyalan xprasoulas mario-renau-iti sfoerster gmouchakis

docker-selks's Issues

Refine logstash output

What information in our EVE files is really relevant to us? Right now, we have a minimal logstash filter, only getting the geo ip of either source or destination. Exploration into relevant fields and what to do with them should be done.

Convert EVE data to a ML-digestible format

The data saved in suricata's eve.json or elasticsearch needs to be converted in such a way a framework can work with it.

Discover regularities in communication

As a first step, get to know the data, look for correlations in both time and space.

Find publicly available network traffic to analyze

Build Suricata in a docker container with profiling enabled

See #1. The current docker container with suricata does not have profiling enabled, which is needed for pcap analysis. Suricata is taken from the alpine linux edge repository. Build details of it can be found here:
https://pkgs.alpinelinux.org/package/edge/community/x86/suricata

Enable suricata alerts for pcaps

With the current configuration, suricata does not utter alerts when profiling packets. However, it should.

This is a test issue from WhiteSource, it will be closed shortly

Train any model on the network communication

Use any machine learning framework to produce a model that reproduces the correlations from #2.

Build a simple graph out of network communications

It would be nice if we had the network communications inside a graph. At first, a simple "A communicates with B" is sufficient.

It seems like ArangoDB is easy to use for importing our EVE JSON and seems like a good fit for playing around with graph databases. In the long term, we will probably want to use Neo4j.

Prototype machine learning frameworks for network communications

Test multiple machine learning frameworks. Ideas right now:

brain.js
H2O

In the future, we want to use them for low-code environments, so look for "easy-to-click" environments.

Add GeoIP information to logstash's output for IPs and visualize them

Add geoip filter to logstash's config and test it
Visualize the data in Kibana

Action Required: Fix WhiteSource Configuration File - .whitesource

There is an error with this repository's WhiteSource configuration file that needs to be fixed. As a precaution, scans will stop until it is resolved.

Errors:

Failed to parse configuration file: awesome-inc/docker-selks/.whitesource: Expected BEGIN_OBJECT but was STRING at line 7 column 1 path $

Make Scirius work again

The current scirius docker image does not work correctly; Django exceptions are thrown regarding static files (leading to no css being loaded) as well as TypeErrors.

We could try to either use another docker image than stamus/scirius:latest, if publicly available or build our own.