gradiuscypher / grids Goto Github PK

Finish the Suricata Configuration deep dive, as mentioned in this Wiki page: https://github.com/gradiuscypher/grIDS/wiki/Suricata-Container

The Elastic monitoring X-Pack is super helpful for managing Elasticsearch. Should include a guide for setting it up.

nginx proxy for kibana for more control and configuration.

Two things need to be done to ensure that the Elasticsearch Docker containers have enough resources:

• Deploy the Elasticsearch containers with more than once node
• Modify the host vm_max_map to a higher value. Reference here.

Suricata is configured to use a specific interface name. This will more than likely not match other's hardware, so we need a way to change the interface name, either during a script or letting the user know they need to change the interface name.

On the docker configuration when i launch the logstash container it doesnt create an index in kibana.

Ignoring the 'pipelines.yml' file because modules or command line options are specified.
No persistent UUID file found. Generating new UUID.

Would like to write up something to publish events from the IDS platform to webhooks for things like Slack/Discord.

Might also consider leveraging Push Notifications with a platform like Firebase.

The events/sec metric on the IDS Monitoring Dashboard isn't calculating properly.

Automated scripts for each section of setup, using something like Chef/Ansible preferred.

The hardware section is light on details and is a bit hand-wavy. Need to improve this with actual recommendations and some more math behind hardware choices.

Full packet capture along with a useful way of navigating PCAPs.

How to leverage the platform for data exploration and threat hunting.

Setup a graceful way to expire old Elasticsearch documents with configurable rates.

Need to put together some tools for updating the Suricata rules in the Docker container.

Also need to consider actually tuning the rules and picking particular sections of ET's rulesets. Could also write a script to help users pick the right rulesets.

Exploration into machine learning to highlight anomalous traffic.