SELKS | suricata | Scirius | Elasticsearch | Hints

1. Manual update
SELKS performs a daily suricata update (via /etc/crontab). To execute it manually, run it as the www-data user (!!!)
NEVER RUN AS ROOT!!!
(In /etc/crontab the trailing www-data is the user column, not an argument; from a root shell switch user with sudo -u instead.)

 # sudo -u www-data /bin/sh -c 'cd /usr/share/python/scirius/ && . bin/activate && python bin/manage.py updatesuricata && deactivate'

2. fast.log rotation
You MUST restart suricata to create a functional fast.log after logrotate. SIGHUP and/or touch + chown don’t work.

3. Rules update
Change your rules, then either do (1.) or do
‘Administration’ -> ‘Suricata’ -> ‘Ruleset actions’ -> check all boxes.
It does NOT work via ‘Administration’ -> ‘Rulesets’ -> ‘Update ruleset’.

4. Suppress alerts via Web GUI
‘Administration’ -> ‘Home’ -> ‘Rules activity’ -> Click a SID -> Click the tiny crosses

5. Remove suppressed alerts via Web GUI
‘Administration’ -> ‘Rulesets’ -> ‘View’ -> ‘Suppressions’

6. Elasticsearch indices cleanup
Open /opt/selks/delete-old-logs.sh and tune the days (retention in days).
It is executed via /etc/crontab.
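Added example (not the SELKS delete-old-logs.sh script itself): a dry-run-by-default cleanup helper showing how the "days" retention is applied. It assumes daily indices named logstash-YYYY.MM.DD (the Logstash default; check yours with `curl -s localhost:9200/_cat/indices?v`), Elasticsearch on localhost:9200 and GNU date (Debian, as on SELKS).

```shell
#!/bin/sh
# Constructed example for SELKS-style Elasticsearch index cleanup (assumptions:
# logstash-YYYY.MM.DD index names, ES on localhost:9200, GNU date).
ES_URL="${ES_URL:-http://localhost:9200}"

# index_date NAME -> prints YYYY-MM-DD for a logstash-YYYY.MM.DD name, nothing otherwise
index_date() {
  case "$1" in
    logstash-[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9])
      echo "$1" | sed 's/^logstash-\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)$/\1-\2-\3/' ;;
  esac
}

# select_old "INDICES" DAYS TODAY -> prints indices dated more than DAYS before TODAY
# (system indices such as .kibana never match the pattern and are left alone)
select_old() {
  cutoff=$(date -u -d "$3 -$2 days" +%Y%m%d)
  for idx in $1; do
    d=$(index_date "$idx")
    [ -n "$d" ] || continue
    if [ "$(echo "$d" | tr -d '-')" -lt "$cutoff" ]; then
      echo "$idx"
    fi
  done
  return 0
}

# delete_old DAYS [--yes]: lists what would be deleted; only deletes with --yes
delete_old() {
  indices=$(curl -s "$ES_URL/_cat/indices?h=index")
  today=$(date -u +%Y-%m-%d)
  for idx in $(select_old "$indices" "$1" "$today"); do
    if [ "$2" = "--yes" ]; then
      curl -s -X DELETE "$ES_URL/$idx" >/dev/null && echo "deleted $idx"
    else
      echo "would delete $idx"
    fi
  done
  return 0
}
```

Run `delete_old 30` first to review the list, then `delete_old 30 --yes` once the retention value matches what you tuned in delete-old-logs.sh.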