The filter address substitution function does not work.

[kib373417]

good day
After updating the iso version to the latest, the function of adding an ip address disappeared
the filter (events viewer) does not match the selected address from (IP and Time Stats)

Screenshots
https://ibb.co/XpP5fRZ
https://ibb.co/sRqVJHj

[pevma]

Where do you experience this problem which application ? (I don't see any screenshots attached, just FYI)

[kib373417]

Where do you experience this problem which application ? (I don't see any screenshots attached, just FYI)

Sorry, corrected the link to the screenshots.
In evebox, the filter does not include the string (src_ip: "x. x.x. x") from the section (Rules activity => IP and Time Stats => click Source IP)

[pevma]

Think that is working in the latest scirius version.
What is the result of

dpkg -l |grep scirius

?

[kib373417]

Think that is working in the latest scirius version.
What is the result of

dpkg -l |grep scirius

?

root@SELKS:~# dpkg -l |grep scirius
ii  scirius                         3.5.0-3                      amd64        Django application to manage Suricata ruleset

[pevma]

Can you try that pkg as described here - form our testing repo -
StamusNetworks/scirius#224 (comment)
?

[kib373417]

Can you try that pkg as described here - form our testing repo -
StamusNetworks/scirius#224 (comment)
?

I have updated scirius according to the instructions.

Unfortunately, the problem with the empty filter has nowhere disappeared. :(

Now I have this result:

root@SELKS:~# dpkg -l |grep scirius
ii  scirius                         3.7.0-1                      amd64        Django application to manage Suricata ruleset

and

root@SELKS:~# selks-upgrade_stamus
NOTE:
Depending on the size and how busy the system is the upgrade may take a while.
Starting the upgrade sequence...

Hit:1 http://packages.stamus-networks.com/selks6/debian buster InRelease
Hit:2 http://packages.stamus-networks.com/selks6/debian-kernel buster InRelease
Hit:3 http://packages.stamus-networks.com/selks6/debian-test buster InRelease
Ign:4 https://download.webmin.com/download/repository sarge InRelease
Hit:5 https://download.webmin.com/download/repository sarge Release
Hit:7 https://artifacts.elastic.co/packages/7.x/apt stable InRelease
Hit:8 https://packages.elastic.co/curator/5/debian9 stable InRelease
Hit:9 http://evebox.org/files/debian stable InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
selks-scripts-stamus is already the newest version (2020121401).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
NOTE:
Starting second stage upgrade sequence...

Hit:1 https://artifacts.elastic.co/packages/7.x/apt stable InRelease
Hit:2 https://packages.elastic.co/curator/5/debian9 stable InRelease
Hit:4 http://packages.stamus-networks.com/selks6/debian buster InRelease
Hit:5 http://packages.stamus-networks.com/selks6/debian-kernel buster InRelease
Hit:3 http://evebox.org/files/debian stable InRelease
Hit:6 http://packages.stamus-networks.com/selks6/debian-test buster InRelease
Ign:7 https://download.webmin.com/download/repository sarge InRelease
Hit:8 https://download.webmin.com/download/repository sarge Release
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
scirius: stopped
scirius: started
dpkg: error: --compare-versions takes three arguments: <version> <relation> <version>

Type dpkg --help for help about installing and deinstalling packages [*];
Use 'apt' or 'aptitude' for user-friendly package management;
Type dpkg -Dhelp for a list of dpkg debug flag values;
Type dpkg --force-help for a list of forcing options;
Type dpkg-deb --help for help about manipulating *.deb files;

Options marked [*] produce a lot of output - pipe it through 'less' or 'more' !

And now Cyberchef has been added to the selks menu, but it shows 404 Not Found

Аnd the problem with displaying these tabs, they got blank (Ghrome, Edge, Firefox)

[pevma]

Cyberchef - was always there if pcap capture mode is present but now it has a link.
Do you use the packet capture option ? (or maybe used to use it and disable it after?)

What is the output of selks- health-check_stamus?

[pevma]

Additional comments (thanks @regit ):
You can disable enable the new link via :

CYBERCHEF_URL = '/static/cyberchef/'
USE_CYBERCHEF = True

in /etc/scirius/local_settings.py

Another question as well - do you have any additional security software installed - like xpack etc ? (that might need configuring)

[kib373417]

Cyberchef - was always there if pcap capture mode is present but now it has a link.
Do you use the packet capture option ? (or maybe used to use it and disable it after?)

What is the output of selks- health-check_stamus?

It's just that before the update (scirius 3.7.0-1) there was no icon at all. We do not use the capture mode. If Cyberchef is needed only for this mode, then we will not use it for now.

 /etc/suricata/suricata.yaml
 - pcap-log:
      enabled: no

root@SELKS:~# 

- #
- selks-health-check_stamus
● suricata.service - LSB: Next Generation IDS/IPS
   Loaded: loaded (/etc/init.d/suricata; generated)
   Active: active (running) since Wed 2021-05-12 02:08:39 MSK; 8h ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1528 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCC                                                                                                                                                             ESS)
    Tasks: 198 (limit: 4915)
   Memory: 5.3G
   CGroup: /system.slice/suricata.service
           └─2061 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /v…

May 12 02:08:39 SELKS systemd[1]: Starting LSB: Next Generation IDS/IPS...
May 12 02:08:39 SELKS suricata[1528]: Starting suricata in IDS (af-packet) …one.
May 12 02:08:39 SELKS systemd[1]: Started LSB: Next Generation IDS/IPS.
Hint: Some lines were ellipsized, use -l to show in full.
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor pr                                                                                                                                                             eset: enabled)
   Active: active (running) since Wed 2021-05-12 02:09:05 MSK; 8h ago
     Docs: https://www.elastic.co
 Main PID: 1533 (java)
    Tasks: 200 (limit: 4915)
   Memory: 38.0G
   CGroup: /system.slice/elasticsearch.service
           ├─1533 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.netwo…
           └─2271 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86…

May 12 02:08:39 SELKS systemd[1]: Starting Elasticsearch...
May 12 02:09:05 SELKS systemd[1]: Started Elasticsearch.
● logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset:                                                                                                                                                              enabled)
   Active: active (running) since Wed 2021-05-12 02:08:34 MSK; 8h ago
 Main PID: 645 (java)
    Tasks: 101 (limit: 4915)
   Memory: 1.2G
   CGroup: /system.slice/logstash.service
           └─645 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g -XX:+UseConcMar…

May 12 02:09:08 SELKS logstash[645]: [2021-05-12T02:09:08,198][INFO ][logstash.…
May 12 02:09:08 SELKS logstash[645]: [2021-05-12T02:09:08,225][INFO ][logst…tash
May 12 02:09:08 SELKS logstash[645]: [2021-05-12T02:09:08,227][INFO ][logst…tash
May 12 02:09:08 SELKS logstash[645]: [2021-05-12T02:09:08,823][INFO ][logst…db"}
May 12 02:09:09 SELKS logstash[645]: [2021-05-12T02:09:09,168][INFO ][logst…db"}
May 12 02:09:09 SELKS logstash[645]: [2021-05-12T02:09:09,297][INFO ][logstash.…
May 12 02:09:12 SELKS logstash[645]: [2021-05-12T02:09:12,360][INFO ][logst….05}
May 12 02:09:13 SELKS logstash[645]: [2021-05-12T02:09:13,036][INFO ][logst…in"}
May 12 02:09:13 SELKS logstash[645]: [2021-05-12T02:09:13,107][INFO ][logst…>[]}
May 12 02:09:13 SELKS logstash[645]: [2021-05-12T02:09:13,115][INFO ][filew…ions
Hint: Some lines were ellipsized, use -l to show in full.
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: e                                                                                                                                                             nabled)
   Active: active (running) since Wed 2021-05-12 02:08:39 MSK; 8h ago
     Docs: https://www.elastic.co
 Main PID: 1523 (node)
    Tasks: 11 (limit: 4915)
   Memory: 543.4M
   CGroup: /system.slice/kibana.service
           └─1523 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/…

May 12 02:08:39 SELKS systemd[1]: Started Kibana.
● evebox.service - EveBox Server
   Loaded: loaded (/lib/systemd/system/evebox.service; enabled; vendor preset: e                                                                                                                                                             nabled)
   Active: active (running) since Wed 2021-05-12 02:08:34 MSK; 8h ago
 Main PID: 656 (evebox)
    Tasks: 25 (limit: 4915)
   Memory: 25.8M
   CGroup: /system.slice/evebox.service
           └─656 /usr/bin/evebox server

May 12 02:08:34 SELKS systemd[1]: Started EveBox Server.
May 12 02:08:34 SELKS evebox[656]: 2021-05-12 02:08:34  INFO evebox::versio…musl
May 12 02:08:34 SELKS evebox[656]: 2021-05-12 02:08:34  INFO evebox::server…base
May 12 02:08:34 SELKS evebox[656]: 2021-05-12 02:08:34  INFO evebox::sqlite…n -1
May 12 02:08:34 SELKS evebox[656]: 2021-05-12 02:08:34  INFO evebox::sqlite…gdb)
May 12 02:08:34 SELKS evebox[656]: 2021-05-12 02:08:34  INFO evebox::sqlite…gdb)
May 12 02:08:34 SELKS evebox[656]: 2021-05-12 02:08:34 ERROR evebox::server…111)
May 12 02:08:34 SELKS evebox[656]: 2021-05-12 02:08:34  INFO evebox::server…alse
May 12 02:09:12 SELKS evebox[656]: 2021-05-12 02:09:12  INFO evebox::server…user
Hint: Some lines were ellipsized, use -l to show in full.
● molochviewer-selks.service - Moloch Viewer
   Loaded: loaded (/etc/systemd/system/molochviewer-selks.service; enabled; vend                                                                                                                                                             or preset: enabled)
   Active: active (running) since Wed 2021-05-12 02:10:13 MSK; 8h ago
 Main PID: 2908 (sh)
    Tasks: 12 (limit: 4915)
   Memory: 47.2M
   CGroup: /system.slice/molochviewer-selks.service
           ├─2908 /bin/sh -c /data/moloch/bin/node viewer.js -c /data/moloch/et…
           └─2909 /data/moloch/bin/node viewer.js -c /data/moloch/etc/config.ini

May 12 02:10:13 SELKS systemd[1]: Started Moloch Viewer.
● molochpcapread-selks.service - Moloch Pcap Read
   Loaded: loaded (/etc/systemd/system/molochpcapread-selks.service; enabled; ve                                                                                                                                                             ndor preset: enabled)
   Active: active (running) since Wed 2021-05-12 02:10:04 MSK; 8h ago
 Main PID: 2867 (sh)
    Tasks: 5 (limit: 4915)
   Memory: 262.9M
   CGroup: /system.slice/molochpcapread-selks.service
           ├─2867 /bin/sh -c /data/moloch/bin/moloch-capture -c /data/moloch/et…
           └─2868 /data/moloch/bin/moloch-capture -c /data/moloch/etc/config.in…

May 12 02:10:04 SELKS systemd[1]: Started Moloch Pcap Read.
scirius                          RUNNING   pid 2062, uptime 8:28:56
ii  elasticsearch                   7.12.1                       amd64        Di                                                                                                                                                             stributed RESTful search engine built for the cloud
ii  elasticsearch-curator           5.8.4                        amd64        Ha                                                                                                                                                             ve indices in Elasticsearch? This is the tool for you!\n\nLike a museum curator                                                                                                                                                              manages the exhibits and collections on display, \nElasticsearch Curator helps y                                                                                                                                                             ou curate, or manage your indices.
ii  evebox                          1:0.13.1                     amd64        no                                                                                                                                                              description given
ii  kibana                          7.12.1                       amd64        Ex                                                                                                                                                             plore and visualize your Elasticsearch data
ii  kibana-dashboards-stamus        2020122001                   amd64        Ki                                                                                                                                                             bana 6 dashboard templates.
ii  logstash                        1:7.12.1-1                   amd64        An                                                                                                                                                              extensible logging pipeline
ii  moloch                          2.7.1-1                      amd64        Mo                                                                                                                                                             loch Full Packet System
ii  scirius                         3.7.0-1                      amd64        Dj                                                                                                                                                             ango application to manage Suricata ruleset
ii  suricata                        1:2021050601-0stamus0        amd64        Su                                                                                                                                                             ricata open source multi-thread IDS/IPS/NSM system.
Filesystem     Type      Size  Used Avail Use% Mounted on
udev           devtmpfs   44G     0   44G   0% /dev
tmpfs          tmpfs     8.7G  9.0M  8.7G   1% /run
/dev/sda1      ext4      104G   54G   47G  54% /
tmpfs          tmpfs      44G     0   44G   0% /dev/shm
tmpfs          tmpfs     5.0M     0  5.0M   0% /run/lock
tmpfs          tmpfs      44G     0   44G   0% /sys/fs/cgroup
tmpfs          tmpfs     8.7G     0  8.7G   0% /run/user/1000
root@SELKS:~# selks-health-check_stamus
● suricata.service - LSB: Next Generation IDS/IPS
   Loaded: loaded (/etc/init.d/suricata; generated)
   Active: active (running) since Wed 2021-05-12 02:08:39 MSK; 8h ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1528 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)
    Tasks: 198 (limit: 4915)
   Memory: 5.3G
   CGroup: /system.slice/suricata.service
           └─2061 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -v --user=logstash

May 12 02:08:39 SELKS systemd[1]: Starting LSB: Next Generation IDS/IPS...
May 12 02:08:39 SELKS suricata[1528]: Starting suricata in IDS (af-packet) mode... done.
May 12 02:08:39 SELKS systemd[1]: Started LSB: Next Generation IDS/IPS.
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-05-12 02:09:05 MSK; 8h ago
     Docs: https://www.elastic.co
 Main PID: 1533 (java)
    Tasks: 200 (limit: 4915)
   Memory: 38.0G
   CGroup: /system.slice/elasticsearch.service
           ├─1533 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -…
           └─2271 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

May 12 02:08:39 SELKS systemd[1]: Starting Elasticsearch...
May 12 02:09:05 SELKS systemd[1]: Started Elasticsearch.
● logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-05-12 02:08:34 MSK; 8h ago
 Main PID: 645 (java)
    Tasks: 101 (limit: 4915)
   Memory: 1.2G
   CGroup: /system.slice/logstash.service
           └─645 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djruby.compile.invokedynami…

May 12 02:09:08 SELKS logstash[645]: [2021-05-12T02:09:08,198][INFO ][logstash.outputs.elasticsearch][main] Attempting to install template {:manage_template=>{"template"=>"logstash-*", "version"=>60001, "settings"=>{"number_of_replicas"…
May 12 02:09:08 SELKS logstash[645]: [2021-05-12T02:09:08,225][INFO ][logstash.outputs.elasticsearch][main] Installing elasticsearch template to _template/logstash
May 12 02:09:08 SELKS logstash[645]: [2021-05-12T02:09:08,227][INFO ][logstash.outputs.elasticsearch][main] Installing elasticsearch template to _template/logstash
May 12 02:09:08 SELKS logstash[645]: [2021-05-12T02:09:08,823][INFO ][logstash.filters.geoip   ][main] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.5-java…GeoLite2-City.mmdb"}
May 12 02:09:09 SELKS logstash[645]: [2021-05-12T02:09:09,168][INFO ][logstash.filters.geoip   ][main] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.5-java…GeoLite2-City.mmdb"}
May 12 02:09:09 SELKS logstash[645]: [2021-05-12T02:09:09,297][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>24, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.ma…
May 12 02:09:12 SELKS logstash[645]: [2021-05-12T02:09:12,360][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>3.05}
May 12 02:09:13 SELKS logstash[645]: [2021-05-12T02:09:13,036][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
May 12 02:09:13 SELKS logstash[645]: [2021-05-12T02:09:13,107][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
May 12 02:09:13 SELKS logstash[645]: [2021-05-12T02:09:13,115][INFO ][filewatch.observingtail  ][main][d4aef1d642dafd3cc0ec28e9e79530daa4bc5c58ba6b725806ceff6c4cfb1cf0] START, creating Discoverer, Watch with file and sincedb collections
Hint: Some lines were ellipsized, use -l to show in full.
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-05-12 02:08:39 MSK; 8h ago
     Docs: https://www.elastic.co
 Main PID: 1523 (node)
    Tasks: 11 (limit: 4915)
   Memory: 543.7M
   CGroup: /system.slice/kibana.service
           └─1523 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist --logging.dest=/var/log/kibana/kibana.log --pid.file=/run/kibana/kibana.pid

May 12 02:08:39 SELKS systemd[1]: Started Kibana.
● evebox.service - EveBox Server
   Loaded: loaded (/lib/systemd/system/evebox.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-05-12 02:08:34 MSK; 8h ago
 Main PID: 656 (evebox)
    Tasks: 25 (limit: 4915)
   Memory: 25.8M
   CGroup: /system.slice/evebox.service
           └─656 /usr/bin/evebox server

May 12 02:08:34 SELKS systemd[1]: Started EveBox Server.
May 12 02:08:34 SELKS evebox[656]: 2021-05-12 02:08:34  INFO evebox::version: This is EveBox version 0.13.1 (rev: 0dbcb12); x86_64-unknown-linux-musl
May 12 02:08:34 SELKS evebox[656]: 2021-05-12 02:08:34  INFO evebox::server::main: Using temporary in-memory configuration database
May 12 02:08:34 SELKS evebox[656]: 2021-05-12 02:08:34  INFO evebox::sqlite::init: Found event database schema version -1
May 12 02:08:34 SELKS evebox[656]: 2021-05-12 02:08:34  INFO evebox::sqlite::init: Initializing SQLite database (configdb)
May 12 02:08:34 SELKS evebox[656]: 2021-05-12 02:08:34  INFO evebox::sqlite::init: Updating SQLite database to schema version 1 (configdb)
May 12 02:08:34 SELKS evebox[656]: 2021-05-12 02:08:34 ERROR evebox::server::main: Failed to get Elasticsearch version, things may not work right: error=request: error sending request for url (http://localhost:9200/)…fused (os error 111)
May 12 02:08:34 SELKS evebox[656]: 2021-05-12 02:08:34  INFO evebox::server::main: Starting server on 127.0.0.1:5636, tls=false
May 12 02:09:12 SELKS evebox[656]: 2021-05-12 02:09:12  INFO evebox::server::main: Creating anonymous session for user from 127.0.0.1 with name selks-user
Hint: Some lines were ellipsized, use -l to show in full.
● molochviewer-selks.service - Moloch Viewer
   Loaded: loaded (/etc/systemd/system/molochviewer-selks.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-05-12 02:10:13 MSK; 8h ago
 Main PID: 2908 (sh)
    Tasks: 12 (limit: 4915)
   Memory: 47.2M
   CGroup: /system.slice/molochviewer-selks.service
           ├─2908 /bin/sh -c /data/moloch/bin/node viewer.js -c /data/moloch/etc/config.ini >> /data/moloch/logs/viewer.log 2>&1
           └─2909 /data/moloch/bin/node viewer.js -c /data/moloch/etc/config.ini

May 12 02:10:13 SELKS systemd[1]: Started Moloch Viewer.
● molochpcapread-selks.service - Moloch Pcap Read
   Loaded: loaded (/etc/systemd/system/molochpcapread-selks.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-05-12 02:10:04 MSK; 8h ago
 Main PID: 2867 (sh)
    Tasks: 5 (limit: 4915)
   Memory: 262.9M
   CGroup: /system.slice/molochpcapread-selks.service
           ├─2867 /bin/sh -c /data/moloch/bin/moloch-capture -c /data/moloch/etc/config.ini -m -s -R /data/nsm/  >> /data/moloch/logs/capture.log 2>&1
           └─2868 /data/moloch/bin/moloch-capture -c /data/moloch/etc/config.ini -m -s -R /data/nsm/

May 12 02:10:04 SELKS systemd[1]: Started Moloch Pcap Read.
scirius                          RUNNING   pid 2062, uptime 8:29:08
ii  elasticsearch                   7.12.1                       amd64        Distributed RESTful search engine built for the cloud
ii  elasticsearch-curator           5.8.4                        amd64        Have indices in Elasticsearch? This is the tool for you!\n\nLike a museum curator manages the exhibits and collections on display, \nElasticsearch Curator helps you curate, or manage your indices.
ii  evebox                          1:0.13.1                     amd64        no description given
ii  kibana                          7.12.1                       amd64        Explore and visualize your Elasticsearch data
ii  kibana-dashboards-stamus        2020122001                   amd64        Kibana 6 dashboard templates.
ii  logstash                        1:7.12.1-1                   amd64        An extensible logging pipeline
ii  moloch                          2.7.1-1                      amd64        Moloch Full Packet System
ii  scirius                         3.7.0-1                      amd64        Django application to manage Suricata ruleset
ii  suricata                        1:2021050601-0stamus0        amd64        Suricata open source multi-thread IDS/IPS/NSM system.
Filesystem     Type      Size  Used Avail Use% Mounted on
udev           devtmpfs   44G     0   44G   0% /dev
tmpfs          tmpfs     8.7G  9.0M  8.7G   1% /run
/dev/sda1      ext4      104G   54G   47G  54% /
tmpfs          tmpfs      44G     0   44G   0% /dev/shm
tmpfs          tmpfs     5.0M     0  5.0M   0% /run/lock
tmpfs          tmpfs      44G     0   44G   0% /sys/fs/cgroup
tmpfs          tmpfs     8.7G     0  8.7G   0% /run/user/1000
root@SELKS:~#

[kib373417]

Additional comments (thanks @regit ):
You can disable enable the new link via :

CYBERCHEF_URL = '/static/cyberchef/'
USE_CYBERCHEF = True

in /etc/scirius/local_settings.py

Another question as well - do you have any additional security software installed - like xpack etc ? (that might need configuring)

I update only through the selks-upgrade_stamus command, no additional security packages were installed.

Additional information on the issue of blank pages. when you point to a plot, a legend appears. Screenshot attached:

Here, people also have similar problems after the update. But their solutions didn't work for me.
#291

[pevma]

As a test - can you please try clearing your browser cache ?

[pevma]

Just to confirm - you also have this - https://github.com/StamusNetworks/SELKS/wiki/Kibana-did-not-load-properly in pace correctly and data is populating in Kibana dashboards - lets say SN-ALERTS?

[kib373417]

As a test - can you please try clearing your browser cache ?

Yes, I was doing cache clearing.

[kib373417]

Just to confirm - you also have this - https://github.com/StamusNetworks/SELKS/wiki/Kibana-did-not-load-properly in pace correctly and data is populating in Kibana dashboards - lets say SN-ALERTS?

This is how I changed the config right after updating the installation of the iso distribution. Now it is exactly the same as the link.
Yes, all data is filled in Kibana dashboards. In Kibana, I see events and alerts.

[pevma]

How do you access it? localhost or hostname / IP ?

[kib373417]

How do you access it? localhost or hostname / IP ?

Access by hostname / ip

[pevma]

I think seems a bug as reported here - StamusNetworks/scirius#233 (comment).
We should push a fix soon.

[kib373417]

I think seems a bug as reported here - StamusNetworks/scirius#233 (comment).
We should push a fix soon.

Yes, this is exactly such a mistake. I will wait for the correction. Thanks.

And what about the first problem, the beginning of the topic? Is it worth waiting for her fix in the update too?

[pevma]

It is not in the filter but it is in the url (172.16.9.5 in this case below) and should work as expected. I can't seem to reproduce it here.

[kib373417]

Filtering by url also does not work (. Here's an example:

1. I want to see the data for src_ip 89.248.165.202. I click on it. I get to the evebox page.
   There is a request with it in the address bar (https: // selks / evebox / # / events; q = src_ip:% 2289.248.165.202% 22), but it is not displayed on the page. A list of data is displayed, in which it simply does not exist. Browser search doesn't find it. Filtration didn't work.
   
   

================================
2. Next, I select the Alert filter (https: // selks / evebox / # / events; q = src_ip:% 2289.248.165.202% 22; eventType = alert).
There are only two correct entries from the entire output page !!! (on the page, these two correct lines were below and did not appear in the screenshot), the rest of the lines should not get into this output at all, but they turned out to be a whole page.

================================
3. Here I already manually put in the filter field src_ip 89.248.165.202 (Before the update, this is how it worked, the address was immediately put in this field. )
The page address has become (https: // selks / evebox / # / events; q = src_ip:% 2289.248.165.202% 22; eventType = alert? Q = src_ip:% 2289.248.165.202% 22)

And only now the filter worked correctly !!! Now the records after the filter are only needed.

[pevma]

Thanks for the pointer.
We need to fix the link URL to address the change.
We'll do that !

[pevma]

thanks @jasonish for the quick replay too !

[kib373417]

Thank you. We are waiting for updates.

[pevma]

@kib373417 - can you please try to upgrade again , pushed a new package to the testing repo that should take care of this.

[kib373417]

@kib373417 - can you please try to upgrade again , pushed a new package to the testing repo that should take care of this.

Made an update. Now everything is OK, filtering works, graphs are visible.
Thanks for corrections.

[pevma]

Great to hear !
Thank you for the feedback!