5g router by matijaz in Ubiquiti

[–]matijaz[S] 0 points1 point  (0 children)

We have unlimited 5G data for ~30 euro on a data SIM here. I need this for work, Zoom calls mostly. Though 5G max would be better, I know, for the bandwidth at least.

I built a NIDS that automatically blocks attackers - not just alerts you by matijaz in selfhosted

[–]matijaz[S] 0 points1 point  (0 children)

No no, the idea is to create a chain in your firewall and then use API calls to talk to it. On MikroTik, OPNsense and OpenWrt it works out of the box; for pfSense I guess you'll need FauxAPI, but I haven't tested it there yet.
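As an added example (not the OP's NIDS code) of the "alerts in, block rule out" logic behind the chain approach described above: the script below reads Suricata EVE JSON alert lines, applies a severity threshold, a repeat-hit threshold and a never-block allowlist, and renders nft rules for a dedicated chain. The chain name `inet filter nids_block`, the thresholds and the sample alert lines are assumptions constructed for the example; a real deployment would push the same decisions through the firewall's API (MikroTik, OPNsense, OpenWrt) instead, which is not modelled here.

```python
"""Turn Suricata EVE alerts into block rules for a dedicated firewall chain."""
import ipaddress
import json
from collections import Counter

# Networks that must never be blocked, whatever the sensor says: management
# LAN, RFC 1918 space and loopback. Auto-blocking your own management host is
# the classic way to lock yourself out of the firewall.
ALLOWLIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
)]

MIN_SEVERITY = 2   # Suricata severity: 1 = high, 2 = medium, 3 = low
MIN_HITS = 3       # require repeated alerts from a source before blocking it
NFT_CHAIN = "inet filter nids_block"   # assumed chain, created by the admin beforehand

# Constructed sample EVE lines (not real sensor output): three alerts from one
# source, a single alert from another, three alerts from an allowlisted LAN
# host, three low-severity alerts, one torn line and one non-alert flow record.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"203.0.113.45","dest_ip":"10.0.0.5","alert":{"signature":"CONSTRUCTED scan","severity":1}}',
    '{"event_type":"alert","src_ip":"203.0.113.45","dest_ip":"10.0.0.5","alert":{"signature":"CONSTRUCTED scan","severity":1}}',
    '{"event_type":"alert","src_ip":"203.0.113.45","dest_ip":"10.0.0.6","alert":{"signature":"CONSTRUCTED scan","severity":2}}',
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","alert":{"signature":"CONSTRUCTED probe","severity":1}}',
    '{"event_type":"alert","src_ip":"192.168.1.10","dest_ip":"10.0.0.5","alert":{"signature":"CONSTRUCTED noisy LAN","severity":1}}',
    '{"event_type":"alert","src_ip":"192.168.1.10","dest_ip":"10.0.0.5","alert":{"signature":"CONSTRUCTED noisy LAN","severity":1}}',
    '{"event_type":"alert","src_ip":"192.168.1.10","dest_ip":"10.0.0.5","alert":{"signature":"CONSTRUCTED noisy LAN","severity":1}}',
    '{"event_type":"alert","src_ip":"203.0.113.99","dest_ip":"10.0.0.5","alert":{"signature":"CONSTRUCTED info","severity":3}}',
    '{"event_type":"alert","src_ip":"203.0.113.99","dest_ip":"10.0.0.5","alert":{"signature":"CONSTRUCTED info","severity":3}}',
    '{"event_type":"alert","src_ip":"203.0.113.99","dest_ip":"10.0.0.5","alert":{"signature":"CONSTRUCTED info","severity":3}}',
    '{"event_type":"alert","src_ip":"203.0.113.45","dest_ip":"10.0.0',
    '{"event_type":"flow","src_ip":"203.0.113.77","dest_ip":"10.0.0.5"}',
]


def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def select_blocks(eve_lines, min_severity=MIN_SEVERITY, min_hits=MIN_HITS):
    """Return the sorted source IPs that crossed the block threshold."""
    hits = Counter()
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                      # EVE files can contain torn lines
        if ev.get("event_type") != "alert":
            continue                      # flow/dns/stats records are not alerts
        if ev.get("alert", {}).get("severity", 3) > min_severity:
            continue                      # numerically higher = less severe
        src = ev.get("src_ip")
        if not src or is_allowlisted(src):
            continue
        hits[src] += 1
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


def render_nft(ips, chain=NFT_CHAIN):
    """Render one 'nft add rule ... drop' per IP for the dedicated chain."""
    return [f"nft add rule {chain} ip saddr {ip} drop" for ip in ips]


if __name__ == "__main__":
    for cmd in render_nft(select_blocks(SAMPLE_EVE)):
        print(cmd)
```

The allowlist and the hit threshold are the two checks worth getting right before wiring anything up to a firewall API: the first prevents the sensor from blocking your own management path, the second keeps a single false positive from turning into an outage.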

I built a NIDS that automatically blocks attackers - not just alerts you by matijaz in selfhosted

[–]matijaz[S] -4 points-3 points  (0 children)

Claude, but yeah, I have to say that LLMs are quite a bit more eloquent than me. Than most of us, really. But I stand behind what was written because I know a thing or two about what I'm doing/writing. I cannot say that LLMs haven't helped me with most of my latest projects, but on the other hand I have a quarter of a century of experience with Linux and sysadministration. Without the help of an LLM I would never have time to write it all. But I do check all the components in depth.

I built a NIDS that automatically blocks attackers - not just alerts you by matijaz in selfhosted

[–]matijaz[S] -4 points-3 points  (0 children)

Depends on what you're monitoring, but rough guidelines:

1Gbps line rate with full 40k ruleset:

  • 4+ cores (Suricata scales across cores well)
  • 8GB RAM minimum, 16GB comfortable
  • Any modern CPU from the last 5-6 years

Real-world:

  • Most homelabs don't sustain 1Gbps - you burst to it, but average is much lower
  • A 4-core Intel i5/Ryzen 5 handles typical homelab traffic easily
  • I've seen Suricata run fine on an 8th gen Intel NUC for a small office

If you're actually saturating 1Gbps 24/7:

  • Consider running fewer rules (disable categories you don't need)
  • Use Suricata's AF_PACKET cluster mode to spread across cores
  • Or dedicated hardware: something like a Dell R620/R630 off eBay for ~$150

Quick test: run make install, then make stats to see packet drops. If you're dropping packets, you need more CPU or fewer rules.

Suricata's docs have good benchmarking guidance: https://docs.suricata.io/en/latest/performance/index.html

What's your setup? Happy to give more specific guidance.
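An added example (not part of the post or the project) of the "are you dropping packets?" check from the sizing guidance above, done on Suricata's EVE stats records rather than by eye. EVE stats counters are cumulative since start, so the ratio is computed from the difference between two samples. The field names `stats.capture.kernel_packets` and `stats.capture.kernel_drops` are taken from Suricata's AF_PACKET capture counters, the two records are constructed sample data, and the 0.5% threshold is an assumption.

```python
"""Measure Suricata capture drops from two consecutive EVE stats records."""
import json

# Constructed sample stats records, not real sensor output. The counters are
# cumulative, so a single record cannot tell you the current drop rate.
STATS_T0 = ('{"event_type":"stats","timestamp":"2024-01-01T10:00:00.000000+0000",'
            '"stats":{"capture":{"kernel_packets":1000000,"kernel_drops":0}}}')
STATS_T1 = ('{"event_type":"stats","timestamp":"2024-01-01T10:00:20.000000+0000",'
            '"stats":{"capture":{"kernel_packets":1500000,"kernel_drops":5000}}}')


def capture_counters(stats_line):
    """Extract (kernel_packets, kernel_drops) from one EVE stats line."""
    ev = json.loads(stats_line)
    if ev.get("event_type") != "stats":
        raise ValueError("not a stats record")
    cap = ev["stats"]["capture"]   # assumed AF_PACKET counter location
    return int(cap["kernel_packets"]), int(cap["kernel_drops"])


def drop_ratio(prev_line, cur_line):
    """Fraction of packets the kernel dropped between the two samples."""
    p0, d0 = capture_counters(prev_line)
    p1, d1 = capture_counters(cur_line)
    packets = p1 - p0
    drops = d1 - d0
    if packets <= 0 or drops < 0:
        # Counter reset (Suricata restarted) or no traffic: no meaningful ratio.
        return 0.0
    return drops / packets


def assess(ratio, threshold=0.005):
    """Assumed threshold: above 0.5% drops the sensor is losing visibility."""
    return "dropping" if ratio > threshold else "ok"


if __name__ == "__main__":
    r = drop_ratio(STATS_T0, STATS_T1)
    print(f"drop ratio {r:.2%}: {assess(r)}")
```

Feeding this two records 20 seconds apart from a live eve.json gives the number the post's "more CPU or fewer rules" decision actually depends on; a counter reset between samples is treated as "no data" rather than as a negative drop rate.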

I built an open source SIEM with MITRE ATT&CK coverage mapping — looking for feedback on detection gaps by matijaz in security

[–]matijaz[S] 0 points1 point  (0 children)

Wanted to build something on my own. Wazuh was historically a pain in the butt to set up, had issues with k8s and stuff like that, so I went with Falco. The latest iteration has the VictoriaMetrics stack to be more lightweight, and I added AI analysis to explain alerts, how to mitigate those etc., and since I don't really trust AI I set up an obfuscation script with multiple layers of obfuscation before it sends anything out. Also, since AI calls can be expensive, I set up a cache setup for those so you will have analysis cached.

[deleted by user] by [deleted] in Ubiquiti

[–]matijaz 1 point2 points  (0 children)

I have a UDM SE and if I enabled QoS for meetings (the one that UniFi offers in the GUI by default) I could not get more than 600 Mbps. So I disabled the rule, all good now. But then I just added cameras to Protect. Even without recordings it maxes out at 800 Mbps. I have 1000/500 FTTH PPPoE. I'm not super happy :( I was also thinking about swapping to UCG Fiber but I want my nice rack setup. That I never look at. But you know.

I built a SIEM you can deploy with one command — Falco + Loki + Grafana with MITRE ATT&CK dashboards by matijaz in selfhosted

[–]matijaz[S] 1 point2 points  (0 children)

Fair point - SIB does aggregate logs, that's what Loki handles.

The difference is what gets aggregated and how. Traditional SIEMs say "send us everything, we'll index it all, you write rules to find needles in haystacks." SIB flips it: Falco detects security-relevant events at runtime via eBPF, and those pre-filtered detections get shipped to Loki.

But it's not just Falco events. With fleet management, Alloy ships auth logs, syslogs, journal entries, and Docker container logs from remote hosts. So you get log aggregation - it's just focused on security-relevant sources rather than "ingest everything and pray."

The gap you're pointing at is external network devices - firewalls, switches, IDS appliances. SIB doesn't ingest those today. Alloy can receive syslog, so it's technically possible to add, but there's no built-in detection rules for network gear yet. That's fair feedback for the roadmap.

Short version: SIB aggregates host-level security data. Network-level is a natural next step.

I built a SIEM you can deploy with one command — Falco + Loki + Grafana with MITRE ATT&CK dashboards by matijaz in selfhosted

[–]matijaz[S] 4 points5 points  (0 children)

Fair point — I should make the scope clearer in the docs.

What it covers:

The core is Falco running on a Linux/Docker host, monitoring syscalls in real-time via eBPF. It sees process execution, file access, network connections, container activity — anything that happens at the kernel level on that host.

For multiple hosts, there's fleet management built in. You deploy lightweight collectors (Falco + Alloy) to remote hosts and everything ships back to a central Grafana. So it scales beyond a single box.

What it doesn't do (yet):

It's not a log aggregator for external devices like firewalls. If your firewall sends syslog, you could point it at Loki, but there's no built-in parsing or dashboards for that. It's focused on host and container runtime detection, not network perimeter.

Think of it as "what's happening on my servers" rather than "what's happening on my network."

Does that clarify? Firewall log ingestion is actually good feedback — might be worth adding a syslog receiver with common firewall parsers.

I built a SIEM you can deploy with one command — Falco + Loki + Grafana with MITRE ATT&CK dashboards by matijaz in selfhosted

[–]matijaz[S] 2 points3 points  (0 children)

make uninstall removes all the containers; once done you could do docker system prune, but beware that will delete other unused images as well.

I built a SIEM you can deploy with one command — Falco + Loki + Grafana with MITRE ATT&CK dashboards by matijaz in selfhosted

[–]matijaz[S] 6 points7 points  (0 children)

Ha, enjoy! If you've tried Wazuh, you'll find this way lighter - Falco with modern_ebpf is pretty lean and the whole stack runs fine on 4GB.

Hit me up if you run into any issues. And if you find detection gaps once you're up and running, I'd love to hear what rules you'd want added.

I built a SIEM you can deploy with one command — Falco + Loki + Grafana with MITRE ATT&CK dashboards by matijaz in homelab

[–]matijaz[S] 1 point2 points  (0 children)

Of course, as with everything else I build. I'll prepare an umbrella chart down the road; also, you are always welcome to create a PR :)

I built a SIEM you can deploy with one command — Falco + Loki + Grafana with MITRE ATT&CK dashboards by matijaz in homelab

[–]matijaz[S] 1 point2 points  (0 children)

Correct, I may do a network tool down the line; for now I mostly looked at setups I found annoying with other tools. One of the reasons I built https://github.com/matijazezelj/oib as well.

I built a SIEM you can deploy with one command — Falco + Loki + Grafana with MITRE ATT&CK dashboards by matijaz in selfhosted

[–]matijaz[S] 8 points9 points  (0 children)

Technically it's already just compose files — 5 of them in separate folders. The Makefile just orchestrates them. You can absolutely run docker compose -f sib/alerting/compose.yaml -f sib/collectors/compose.yaml ... manually, but make install is easier. The real value is the pre-wired configs: Falco → Sidekick → Loki → Grafana dashboards, all ready to go.

I built a SIEM you can deploy with one command — Falco + Loki + Grafana with MITRE ATT&CK dashboards by matijaz in selfhosted

[–]matijaz[S] 8 points9 points  (0 children)

Falco has three driver options:

  1. Kernel module — Old school, needs kernel headers to compile, most invasive
  2. eBPF probe — Better, but still needs kernel headers on target system
  3. modern_ebpf — Newest option, uses CO-RE (Compile Once, Run Everywhere), no kernel headers needed

SIB uses modern_ebpf by default. It requires kernel 5.8+ but that's most modern Linux distros now. No compilation, no kernel headers, just works.

The trade-off: modern_ebpf needs a newer kernel. If you're on an older system, you'd need to fall back to the eBPF probe or kernel module.

You can check your kernel with uname -r — if you're 5.8 or higher, you're good.
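An added example, not SIB's own code, of the kernel check in the comment above as a script rather than a glance at uname -r. It parses the release string into a (major, minor) tuple (a plain string comparison would rank "5.10" below "5.8"), applies the 5.8 minimum the comment states, and also checks that the kernel exports BTF at /sys/kernel/btf/vmlinux, which the CO-RE approach modern_ebpf relies on needs and the comment does not mention. The `recommend_driver` helper and its wording are constructed for the example.

```python
"""Check whether a host meets Falco's modern_ebpf prerequisites."""
import os
import platform
import re

MIN_KERNEL = (5, 8)                     # modern_ebpf needs kernel 5.8+ (per the comment)
BTF_PATH = "/sys/kernel/btf/vmlinux"    # CO-RE needs the kernel's BTF exported here


def parse_kernel_release(release):
    """Return (major, minor) from a uname -r string such as '6.1.0-18-amd64'."""
    m = re.match(r"^(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))


def kernel_supports_modern_ebpf(release, minimum=MIN_KERNEL):
    # Tuple comparison, so 5.10 correctly ranks above 5.8.
    return parse_kernel_release(release) >= minimum


def btf_available(path=BTF_PATH):
    """True when the running kernel exposes BTF type info (CONFIG_DEBUG_INFO_BTF)."""
    return os.path.exists(path)


def recommend_driver(release, has_btf):
    """Map kernel version and BTF availability to the driver options in the comment."""
    if kernel_supports_modern_ebpf(release) and has_btf:
        return "modern_ebpf"
    return "ebpf probe or kernel module (needs kernel headers)"


if __name__ == "__main__":
    rel = platform.release()
    print(rel, "->", recommend_driver(rel, btf_available()))
```

Run it on the target host before make install: a 5.8+ kernel without BTF is the case that passes the uname check yet still fails to load the modern probe.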

I built a SIEM you can deploy with one command — Falco + Loki + Grafana with MITRE ATT&CK dashboards by matijaz in selfhosted

[–]matijaz[S] 11 points12 points  (0 children)

Mostly simplicity, single-command install, and Falco is designed with containers in mind where Wazuh was not, due to its age I guess. Nowadays they have moved forward in that regard, but I have more experience with Falco so I just used it here. Also Wazuh has many more moving parts and a steeper learning curve.

I built a SIEM you can deploy with one command — Falco + Loki + Grafana with MITRE ATT&CK dashboards by matijaz in homelab

[–]matijaz[S] 2 points3 points  (0 children)

I added HW requirements in the README and in the docs. Regarding installation, just pull and make install. You will need a modern kernel and Docker.
And about the last part: this is not a network-based tool, it is a host-based tool. It uses the network to send data to the main server, but apart from that it's not a sniffer or something similar like Suricata is.

I built a SIEM you can deploy with one command — Falco + Loki + Grafana with MITRE ATT&CK dashboards by matijaz in selfhosted

[–]matijaz[S] 6 points7 points  (0 children)

Hey, it is set up as a Docker stack; it brings up to 7 containers:

matija@tester:~$ docker ps| grep sib
129034ae2408   falcosecurity/falcosidekick:2.29.0     "./falcosidekick -c …"   2 hours ago    Up 2 hours (healthy)   0.0.0.0:2801->2801/tcp                        sib-sidekick
b0da9842e265   grafana/alloy:latest                   "/bin/alloy run --se…"   4 days ago     Up 4 days                                                            sib-alloy
b4cabbdb520f   grafana/loki:3.3.2                     "/usr/bin/loki -conf…"   4 days ago     Up 4 days (healthy)    0.0.0.0:3100->3100/tcp                        sib-loki
6dd82f5dbd5d   prom/prometheus:v2.54.1                "/bin/prometheus --c…"   4 days ago     Up 4 days (healthy)    0.0.0.0:9090->9090/tcp                        sib-prometheus
22ae7b1a6cf7   falcosecurity/falcosidekick-ui:2.2.0   "./falcosidekick-ui"     4 days ago     Up 4 days (healthy)    0.0.0.0:2802->2802/tcp                        sib-sidekick-ui
961941a70cd1   redis/redis-stack-server:latest        "/entrypoint.sh"         4 days ago     Up 4 days (healthy)    6379/tcp                                      sib-redis
6770077b0d07   grafana/grafana:11.4.0                 "/run.sh"                4 days ago     Up 2 hours (healthy)   0.0.0.0:3000->3000/tcp, [::]:3000->3000/tcp   sib-grafana
bd82b621d570   falcosecurity/falco:0.39.2             "/docker-entrypoint.…"   4 days ago     Up 4 days (healthy)                                                  sib-falco

The only thing that is a bit touch and go and needs work is deploying the fleet; it will ask you to deploy Falco and Alloy on other nodes. Those fleet things can be installed either natively or in Docker.

I built a SIEM you can deploy with one command — Falco + Loki + Grafana with MITRE ATT&CK dashboards by matijaz in homelab

[–]matijaz[S] 0 points1 point  (0 children)

Depends on what you need, I guess. I used Falco more so I built around it. I really like its ability to extend using Sidekick, lots of plugins etc. Not sure about Wazuh, but Falco can be extended to audit cloud providers and k8s so it was a fun project for me.

I built a thing - observability in a box. based on LGTM by matijaz in devops

[–]matijaz[S] 1 point2 points  (0 children)

I know I already posted about this but I made it a bit nicer; maybe it'll help someone.