
Scirius on Ubuntu LTS

by Peter Manev | May 20, 2014 | Open Source

The Ubuntu used in this tutorial:

root@LTS-64-1:~/opt# uname -a
Linux LTS-64-1 3.5.0-45-generic #68~precise1-Ubuntu SMP Wed Dec 4 16:18:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

If you have the packages below installed, you need to remove them so that Scirius works with the latest Python dependencies.
Be careful that removing them does not affect services currently running on the machine. It is always best to test first :)

root@LTS-64-1:~/opt# apt-get remove django-tables python-django python-django-south python-git
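
One way to "test first" before running the removal above is an apt dry run. This is an added example, not part of the original tutorial or of Scirius: it filters `apt-get -s remove` output for packages that would be removed in addition to the four named here. The function names, the package `example-webapp` and the version strings in the sample are constructed for illustration.

```bash
#!/bin/bash
# Added example: flag packages that `apt-get remove` would take out in
# addition to the four the tutorial names. Simulation only; nothing is removed.

# The packages removed in the tutorial.
TARGETS="django-tables python-django python-django-south python-git"

# Read `apt-get -s remove` output on stdin; print each package on a "Remv"
# line that is not one of $TARGETS (i.e. a dependent that would go too).
collateral_removals() {
    awk -v targets="$TARGETS" '
        BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        $1 == "Remv" && !($2 in want) { print $2 }
    '
}

# Constructed sample of simulation output. "example-webapp" and all version
# strings are made up for illustration; they are not from a real system.
sample_output() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  django-tables example-webapp python-django python-django-south python-git
Remv example-webapp [1.0-1]
Remv django-tables [0.0.0-1]
Remv python-django-south [0.0.0-1]
Remv python-django [0.0.0-1]
Remv python-git [0.0.0-1]
EOF
}

# "live" runs the real simulation on this host; anything else uses the sample.
if [ "${1:-}" = "live" ]; then
    apt-get -s remove $TARGETS | collateral_removals
else
    sample_output | collateral_removals
fi
```

Run it with the argument `live` on the target host. Any name it prints is a package that depends on the ones being removed and should be checked before proceeding.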

Install the needed dependencies:

root@LTS-64-1:~/opt# aptitude install python-pip git
root@LTS-64-1:~/opt# pip install django django-tables2 South GitPython pyinotify daemon

Clone the latest version:

root@LTS-64-1:~/opt# git clone https://github.com/StamusNetworks/scirius.git
root@LTS-64-1:~/opt# cd scirius/
root@LTS-64-1:~/opt/scirius# python manage.py syncdb

Start Scirius:

root@LTS-64-1:~/opt/scirius# python manage.py runserver
Validating models...
Failed to setup thread-interrupt handler. This is usually not critical
0 errors found
May 20, 2014 - 19:51:27
Django version 1.6.4, using settings 'scirius.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

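If you need to connect to the server remotely, provide your server's IP address. Note that runserver is Django's development server, so expose it only on a network you trust:

root@LTS-64-1:~/opt/scirius# python manage.py runserver 10.0.10.5:8000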
Validating models...
Failed to setup thread-interrupt handler. This is usually not critical
0 errors found
May 20, 2014 - 19:51:58
Django version 1.6.4, using settings 'scirius.settings'
Starting development server at http://10.0.10.5:8000/
Quit the server with CONTROL-C.

Now let's walk through registering and adding a ruleset.

For example, for the latest stable and dev Suricata, use http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz. Emerging Threats create, write and distribute rulesets specially tuned for Suricata that make use of the advanced features of that IDS engine.

First we need to add a source:

[Screenshots: AddRuleset-1, AddRuleset-0]

Then we add a ruleset:

[Screenshot: AddRuleset-2]

We need to edit the ruleset and select the categories we want from that ruleset:

[Screenshot: AddRuleset-3]

[Screenshot: AddRuleset-4]

Select categories:

[Screenshot: AddRuleset-5]

Validate changes:

[Screenshot: AddRuleset-6]

If you already have Elasticsearch, Logstash and Kibana installed on the same server, you can do the following: enter the values as shown in the picture, except for the hostname. Choose the hostname to be exactly the same as your host key in Elasticsearch/Kibana, as in the pictures below.

[Screenshots: hostkey1, hostkey2]

Then in Scirius:

[Screenshots: CreatingSuricata-1, CreatingSuricata-2]

Now you should be able to see the hits and which rules are making the most noise :)

That's it for a quick intro.

 
