Other SIEM / suricata / zeek / squid SSL Bump

The thought crossed my mind again about setting up more network monitoring and configuring Suricata as an IPS, as I have more and more devices on my network. I stopped a while back because some devices on my network are unable to set a proxy or trust an SSL certificate.

Is anyone running Suricata in IPS mode? I would imagine if you are, you're probably also running other tools like Zeek and some sort of SIEM, maybe Graylog or ELK? Is this all on a home network? What sort of malicious traffic gets prevented?

I'm interested in both the practical and the theoretical applications, but perhaps the practical is easier to understand. What can Suricata really help with in a home environment?

EDIT #1:
I came across various videos indicating that Squid is not actively maintained and has numerous significant vulnerabilities, so I should probably avoid running that. In the process, I also came across Wazuh as well as Zenarmor. Does anyone have any thoughts regarding those tools as well?
 
Suricata and other similar tools were good 10 years ago. Today.. well.. the problem is that almost everything is encrypted. Suricata does not decrypt traffic, so it can't see the problems. You can put Suricata on a firewall or similar where you decrypt all the traffic, inspect it and re-encrypt the traffic again (the next generation firewall – which is a security risk). You see the problem with this “re-encrypt” thing?

You can use Suricata (which is outdated) and other similar tools, but you also need logs, audit and other stuff directly from the servers and computers to get the “encrypted” traffic (if you don't go the route of decrypting everything – but that doesn't get the traffic within the segment) to really inspect the environment.
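As an added example (not part of this thread): even without decrypting anything, Suricata's eve.json still records TLS metadata such as SNI, protocol version, certificate subject/issuer and JA3 hash, which is enough for a few useful home-network checks. The eve.json lines below are constructed, and the flagging rules are my own, not Suricata's.

```python
import json

# Constructed eve.json lines (not captured from a real sensor); the field layout
# follows Suricata's TLS event format (sni, version, subject, issuerdn, ja3).
SAMPLE_EVE = """\
{"timestamp":"2024-01-10T10:00:01.000000+0000","event_type":"tls","src_ip":"192.168.1.20","dest_ip":"203.0.113.10","dest_port":443,"tls":{"sni":"updates.example.com","version":"TLS 1.3","ja3":{"hash":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}}}
{"timestamp":"2024-01-10T10:00:02.000000+0000","event_type":"tls","src_ip":"192.168.1.31","dest_ip":"198.51.100.7","dest_port":8443,"tls":{"version":"TLS 1.2","subject":"CN=198.51.100.7","issuerdn":"CN=198.51.100.7","ja3":{"hash":"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}}}
{"timestamp":"2024-01-10T10:00:03.000000+0000","event_type":"dns","src_ip":"192.168.1.20","dns":{"type":"query","rrname":"updates.example.com"}}
{"timestamp":"2024-01-10T10:00:04.000000+0000","event_type":"tls","src_ip":"192.168.1.31","dest_ip":"198.51.100.7","dest_port":443,"tls":{"sni":"cdn.example.net","version":"TLS 1.0","ja3":{"hash":"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}}}
"""

MODERN_TLS = ("TLS 1.2", "TLS 1.3")

def tls_events(eve_text):
    """Yield only the event_type == "tls" records from eve.json text."""
    for line in eve_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("event_type") == "tls":
                yield rec

def flag_tls(rec):
    """Reasons a TLS flow deserves a look, using only metadata that is visible
    without decryption: missing SNI, self-signed cert, old protocol, odd port."""
    tls = rec.get("tls", {})
    reasons = []
    if "sni" not in tls:
        reasons.append("no SNI")
    if tls.get("subject") and tls.get("subject") == tls.get("issuerdn"):
        reasons.append("self-signed certificate")
    if tls.get("version") not in MODERN_TLS:
        reasons.append("legacy protocol %s" % tls.get("version"))
    if rec.get("dest_port") != 443:
        reasons.append("TLS on non-standard port %s" % rec.get("dest_port"))
    return reasons

def summarize(eve_text):
    """Per source host: list of (dest_ip, dest_port, reasons) for flagged flows."""
    flagged = {}
    for rec in tls_events(eve_text):
        reasons = flag_tls(rec)
        if reasons:
            flagged.setdefault(rec["src_ip"], []).append(
                (rec["dest_ip"], rec["dest_port"], reasons))
    return flagged

if __name__ == "__main__":
    for host, conns in summarize(SAMPLE_EVE).items():
        for dest, port, reasons in conns:
            print("%s -> %s:%s: %s" % (host, dest, port, ", ".join(reasons)))
```

On a real sensor you would point this at /var/log/suricata/eve.json (or ship it to the SIEM and run the same rules there); the host with the self-signed certificate on 8443 and the TLS 1.0 handshake is the one worth looking at first.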
 
Ok, I haven't been in the loop for the past 10+ years, so that makes sense. Yes, I'm aware of the encrypt/re-encrypt thing, and I suppose that while I trust my SSL certificate, if something is not done properly at the firewall end, then I'm opening myself up to bigger problems than I would have had without it in the first place.

I believe the conclusion I came to then was using 'common' sense. While I would like to be more lax mentally, the truth of the matter is that we have to be vigilant all the time. Our workplace ran a phishing attempt in December and I fell prey to that. They normally run those only in October. Anyways, there were some red flags I ignored in the email and well, lesson learned.
 
Wazuh is amazing but resource hungry; it eats a 75 GB HDD partition for 3 VMs in 3 months.... There are also other stacks like ELK or HELK...

Anyone not running a SIEM (me included, I forget stuff) and not reading the email headers before reading the content in this day and age is crazy.
 
Yes, the 'common' sense is the way to go. Of course, you can and should use technical things to help you. Good fw-rules, running your own DNS server and blocking a lot of stuff (or run Pi-hole), only text email, not being logged in everywhere, multiple browsers and so on.. the list is never ending! It's all dependent on which level you want to go to, how much freedom you want, how much stuff you are ready to let go..

And the question of a good SIEM: they cost a lot!
- You can buy one and be ruined, or
- Use a “complete” Open Source one, where you need to put in a loooooot of time, or
- Build your own SIEM, a loooooot of time.

If you want a SIEM at home, build your own. That's my recommendation, as you get it the way you want. If you go Open Source (pre-made), well… you can, but (in my opinion).. hmm.. If you want that knowledge for all the time you spend for future jobs, you won't normally find such solutions in business. It's like Proxmox (or Pi-hole above); they are good systems, but business doesn't use them. That's why I say, make your own security solutions and get knowledge that you can use in the future.
 
I'm not in cybersecurity, but perhaps I could transition there some day as a retirement gig :). But that's not my motivation; my motivation is to leverage tools as much as possible to make security easier and prevent me from doing something stupid.

Hmm, okay, so sell me on the Wazuh side of things. If I understand correctly, since that is running on the client side of things, it would have access to the unencrypted data prior to it being sent. What is to prevent a malicious piece of software from going around it, though?
 
“doing something stupid” lol.. well, we are all humans..

I don't know how Wazuh works. But if it is on the server/client side (some program) with root access, then it has every log and can ship them to a SIEM system, or process them on the server itself.
I need to/will read about Wazuh. :)
 
Wazuh is made of agents, aka an IDS (Wazuh) that uses OSSEC; you install that on the client, aka endpoint, and you have to have 1 Wazuh server where it's hosted (data is being retrieved/gathered/visualized/sent to)....
You have access to everything regarding the endpoint... You have access to all the repos/folders/registry/files, build filters, check login status/attempts, user behavior, file/folder destruction/creation/edits, and a lot of other things... DLP/XDR/UEBA, all of that is possible.

Wazuh uses OpenSearch instead of the Elastic of the ELK/HELK stack.

Honestly tOsYZYny I don't understand what you're asking regarding unencrypted data on the endpoint, but I am sure you can do it with Wazuh/ELK/HELK....
 
Ok! Wazuh sounds interesting, I have to check that. And yes, as agents it will gather all the logs. Nice that it is a SIEM also.

“unencrypted data on endpoint” was in the beginning of the post = agent, vs if the IDS was on a firewall or elsewhere where the traffic was encrypted.
 
If I understand correctly, Wazuh just gathers logs; I was hoping to see the raw network traffic coming into and leaving the box as well as which executable is responsible for the traffic.
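An added example, not from this thread or from Wazuh, of how an agent running on the host can do what a network sensor can't: join the kernel's socket table (/proc/net/tcp) to the owning process via the socket inodes linked from /proc/<pid>/fd. The /proc/net/tcp excerpt, the inode-to-pid map and the process names are constructed so it runs offline; inode_to_pid_map() does the live scan on a Linux host.

```python
import os

# Constructed /proc/net/tcp excerpt (not from a real host); the column layout is
# the kernel's: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 1401A8C0:B1A4 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 48213 1 0000000000000000 20 4 30 10 -1
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17350 1 0000000000000000 100 0 0 10 0
"""
# Constructed stand-ins for a scan of /proc/<pid>/fd and /proc/<pid>/comm.
SAMPLE_INODE_TO_PID = {48213: 4242, 17350: 1337}
SAMPLE_COMM = {4242: "curl", 1337: "python3"}
ESTABLISHED = 0x01

def parse_addr(hexaddr):
    """'1401A8C0:B1A4' -> ('192.168.1.20', 45476); IPv4 is stored little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(map(str, octets)), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket: local/remote endpoint, state, uid and inode."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": parse_addr(f[1]), "remote": parse_addr(f[2]),
                     "state": int(f[3], 16), "uid": int(f[7]), "inode": int(f[9])})
    return rows

def inode_to_pid_map():
    """Live scan: /proc/<pid>/fd entries that link to 'socket:[inode]'.
    Only sockets of processes you may inspect show up (root sees all)."""
    mapping = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir("/proc/%s/fd" % pid):
                link = os.readlink("/proc/%s/fd/%s" % (pid, fd))
                if link.startswith("socket:["):
                    mapping[int(link[8:-1])] = int(pid)
        except OSError:
            continue                              # process exited or not ours
    return mapping

def attribute(rows, inode_to_pid, comm):
    """Join the socket table with the process table for established flows."""
    return [(r["local"], r["remote"], inode_to_pid.get(r["inode"]),
             comm.get(inode_to_pid.get(r["inode"])))
            for r in rows if r["state"] == ESTABLISHED]
```

A firewall-side Suricata only ever sees the 192.168.1.20 -> 203.0.113.10:443 flow; the host-side join is what adds "pid 4242, curl" to it, which is the visibility an endpoint agent has and a network sensor does not.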
 