
Comments (4)

jesuslinares commented on June 1, 2024

Hi @necrose99,

Could you explain it in more detail?

Thanks.

from wazuh-api.

necrose99 commented on June 1, 2024

I was trying to instance Elasticsearch etc. to run additional dashboards; however, easier said than done.
YARA rules and YARA, malwarehouse, Snorby/Snort rules > Wazuh. Moloch depends on Snort rules and Snort. Suricata, Nginx, PHP 7.1.
Suricata + Elastic + Wazuh would be a great pairing, NIDS/SIEM/etc.
Moloch would be just an added bonus.
https://github.com/pevma/Suricata-Logstash-Templates/tree/master/Templates
https://blog.reboost.net/suricata-on-pfsense-to-elk-stack/
https://home.regit.org/2013/10/logstash-and-suricata-for-the-old-guys/
http://pevma.blogspot.com/2014/03/suricata-and-grand-slam-of-open-source.html
Elastic plug-ins (migration, i.e. auto-migrate... etc.; RPM bump, don't want the stack going bust). Newer kopf so far is a pain in the arse to build. I have a VM already mostly done... however its JSON configs... with dys... torture to get them to work.

http://ossec.wazuh.com/vm/ossec-vm-2.8.3.ova: migrate to Wazuh libs. Easy enough; however, can rpm upgrade all, but for Elasticsearch no; the 1.x to 2.x migrate plugin is not good. UI will fail. New CentOS 7 VM, mount drive as read-only, copy data to VM as home/temp for configs etc. Firefox settings into /etc/skel as they have the dashboards, favs. And if LDAP/AD integration, SOC users... going to be a lot of users.... And for VMs I hate LVM2 as resizing is a pest, and even if you do, you run out of disk space,
as extents on XFS/ext4 still think the disk is x and not 5x larger. So just rsync a few folders over here or there. 18 GB demo VM, kinda a pain...
6.9 VM can't be upgraded, at least easily. (Forcing 7.x RPMs from DVD with rpm -Uvh --force ends catastrophically.)
And trying to prevent security holes.
HPE GES-NextGen (SEC), so I won't say too much more.
http://www.wazuh.com/professional-services/, hopefully we get the budget...
But I'd welcome a few open templates to set up the ELK stack with Wazuh + Suricata at the least.


jesuslinares commented on June 1, 2024

Hi necrose99,

Here we discuss issues related to the API. If you want to propose a VM with Wazuh + ELK + Suricata, the Wazuh mailing list is a good option.

Anyway, I recommend you use this VM (ELK + Wazuh): http://ossec.wazuh.com/vm/Wazuh+ELK%2064-bit.ova. Then, you just have to add Suricata.

Thanks for your recommendation, we will consider it.
Regards.

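For readers who want to see what "add Suricata" to that VM amounts to on the Wazuh side: the fragment below is an added example, not a reply in this thread and not code from the Wazuh project's VM. It assumes Suricata is installed on the same host as the Wazuh/OSSEC agent or manager and writes its EVE JSON log to the default path `/var/log/suricata/eve.json`; with the `json` log format, Wazuh ingests each EVE event as a structured log so alerts and flow records can be matched by its rules and forwarded to the ELK dashboards.

```xml
<!-- Added example: snippet for /var/ossec/etc/ossec.conf on the host running Suricata.
     Assumes the default Suricata EVE output location (adjust <location> if eve.json lives elsewhere). -->
<ossec_config>
  <localfile>
    <!-- Parse each line of eve.json as a JSON document instead of free text -->
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
```

After adding the block, restart the agent or manager so the new `<localfile>` is picked up, and keep Suricata's EVE output enabled in `suricata.yaml` (it is on by default); if the file is rotated, Wazuh follows the rotation as it does for any other monitored log.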

necrose99 commented on June 1, 2024

I was just asking for any recommendations for a combined ELK stack with differing instances on differing ports (no really great examples when I search for any templates...).
However, it seems best to separate them out, as if something goes bust (it would also be painful to fix and a mess of dependency hells), but a Wazuh/Suricata box would be a good go, though, and could push into the Wazuh manager perhaps.
I was trying to save VM space and IPs.
However, also, unless I limited Moloch to capture x hours max (PCAP/YARA/Snort), it will flood the virtual disk (work's Asia infra is spotty/low bandwidth). It's mainly going to forward over to Suricata/Wazuh/Graylog (somehow, will need to figure out) boxes, etc., and have them inspect logs for any detection anomalies... (Unfortunately no defined rules for OSSEC/Wazuh in Graylog, mainly for master logger and longer-term storage.)
Instancing the ELK stack on various ports, i.e. a Wazuh view, Suricata view, etc., etc.... more of a pain in the arse... (Learning curve is woeful; no really great examples on how.)

YARA rules/Snort and/or TAXII/STIX feeds would be a plus, but noted, to fill dynamic rule conversion...
(some sort of anonymous Wazuh sharing of data feeds.)

For now I've built a VM at home off CentOS core, and have added X11, GNOME, and Xfce, and repos,
as a base..., firewall/proxy.
https://www.aanval.com/, hmm...
