Debian12.11 : Suricata + Elastic Stackでログの可視化とモニタリング

Contents

前提条件
1台目サーバー　Suricata インストール

前提条件

今回はSuricata IDS と ElasticStack を次のサーバーにインストールします
・1台目サーバー　Suricata IDS & Filebeat　: Debian12.11 IPアドレス(192.168.11.83)
・2台目サーバー　ElasticStack & kibana　: Ubuntu24.04 IPアドレス(192.168.11.85)
root以外のsudoユーザーで実行する

1台目サーバー　Suricata インストール

SURICATA IDS/IPSはネットワーク上の通信を監視し、不審なトラフィックを検知するオープンソースのIDSです。基本的な仕組みはシグネチャ型であるため、あらかじめ設定した不正な通信を検知できます。また、Suricataは検知だけでなく防御も行えることが特徴です。

1.Suricata のインストール

①必須パッケージをインストール

# apt -y install wget curl software-properties-common dirmngr apt-transport-https gnupg2 ca-certificates lsb-release debian-archive-keyring unzip

1	# apt -y install wget curl software-properties-common dirmngr apt-transport-https gnupg2 ca-certificates lsb-release debian-archive-keyring unzip

➁Suricata のインストール

# apt update
# apt -y install suricata

1 2	# apt update # apt -y install suricata

バージョンの確認

# suricata -V
This is Suricata version 6.0.10 RELEASE

1 2	# suricata -V This is Suricata version 6.0.10 RELEASE

システムの再起動時に実行されるように suricata.service を有効にします

# systemctl enable suricata.service

Synchronizing state of suricata.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable suricata

# systemctl enable suricata.service

Synchronizing state of suricata.service with SysV service script with /lib/systemd/systemd-sysv-install.

Executing: /lib/systemd/systemd-sysv-install enable suricata

Suricataサービスを最初に構成する必要があるため、サービスを停止します。

# systemctl stop suricata.service

1	# systemctl stop suricata.service

2.Suricataを構成

①Suricataがネットワークパケットを検査するインターフェースとIPアドレスを決定

# ip --brief add
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens33            UP             192.168.11.83/24 fe80::20c:29ff:febf:c38f/64

# ip --brief add

lo UNKNOWN 127.0.0.1/8 ::1/128

ens33 UP 192.168.11.83/24 fe80::20c:29ff:febf:c38f/64

/etc/suricata/suricata.yamlファイル編集

# vi /etc/suricata/suricata.yaml
 
# 18行目 : 変更(自ネットワーク)
HOME_NET: "[192.168.11.0/24]"

# 132行目 : 変更
community-id: false　→　community-id: true

# 589行目 : 変更
af-packet:
  - interface: eth0
↓
af-packet:
  - interface: ens33 ←各自のインターフェース名に変更

# vi /etc/suricata/suricata.yaml

# 18行目 : 変更(自ネットワーク)

HOME_NET: "[192.168.11.0/24]"

# 132行目 : 変更

community-id: false　→　community-id: true

# 589行目 : 変更

af-packet:

- interface: eth0

↓

af-packet:

- interface: ens33 ←各自のインターフェース名に変更

SURICATAはルールのライブリロードをサポートしており、実行中のSURICATAのプロセスを再起動することなく、ルールの追加、削除、編集を行うことができます。ライブリロードオプションを有効にするには、設定ファイルの一番下までスクロールし、以下の行を追加します

detect-engine:
- rule-reload: true

この設定により、実行中のプロセスにSIGUSR2システムシグナルを送ることができ、SURICATAは変更されたルールをメモリに再ロードします。以下のようなコマンドは、プロセスを再起動することなく、SURICATAプロセスにルールセットの再読み込みを通知します：

# kill -usr2 $(pidof suricata)

1	# kill -usr2 $(pidof suricata)

➁ルールセットを追加
Suricata には suricata-update というツールがあり、外部プロバイダーからルールセットを取得することができます。以下のように実行すると、SURICATAサーバーの最新のルールセットをダウンロードできます

# suricata-update -o /etc/suricata/rules

30/7/2025 -- 13:39:55 - <Info> -- Using data-directory /var/lib/suricata.
30/7/2025 -- 13:39:55 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
30/7/2025 -- 13:39:55 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
30/7/2025 -- 13:39:55 - <Info> -- Found Suricata version 6.0.10 at /usr/bin/suricata.
30/7/2025 -- 13:39:55 - <Info> -- Loading /etc/suricata/suricata.yaml
30/7/2025 -- 13:39:55 - <Info> -- Disabling rules for protocol http2
30/7/2025 -- 13:39:55 - <Info> -- Disabling rules for protocol modbus
30/7/2025 -- 13:39:55 - <Info> -- Disabling rules for protocol dnp3
30/7/2025 -- 13:39:55 - <Info> -- Disabling rules for protocol enip
30/7/2025 -- 13:39:55 - <Info> -- No sources configured, will use Emerging Threats Open
30/7/2025 -- 13:39:55 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.10/emerging.rules.tar.gz.
 100% - 5021628/5021628
30/7/2025 -- 13:39:58 - <Info> -- Done.
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Ignoring file rules/emerging-deleted.rules
30/7/2025 -- 13:40:00 - <Info> -- Loaded 60142 rules.
30/7/2025 -- 13:40:00 - <Info> -- Disabled 14 rules.
30/7/2025 -- 13:40:00 - <Info> -- Enabled 0 rules.
30/7/2025 -- 13:40:00 - <Info> -- Modified 0 rules.
30/7/2025 -- 13:40:00 - <Info> -- Dropped 0 rules.
30/7/2025 -- 13:40:00 - <Info> -- Enabled 136 rules for flowbit dependencies.
30/7/2025 -- 13:40:00 - <Info> -- Backing up current rules.
30/7/2025 -- 13:40:00 - <Info> -- Writing rules to /etc/suricata/rules/suricata.rules: total: 60142; enabled: 44537; added: 60142; removed 0; modified: 0
30/7/2025 -- 13:40:01 - <Info> -- Writing /etc/suricata/rules/classification.config
30/7/2025 -- 13:40:01 - <Info> -- Testing with suricata -T.
30/7/2025 -- 13:40:25 - <Info> -- Done.

# suricata-update -o /etc/suricata/rules

30/7/2025 -- 13:39:55 - <Info> -- Using data-directory /var/lib/suricata.

30/7/2025 -- 13:39:55 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml

30/7/2025 -- 13:39:55 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.

30/7/2025 -- 13:39:55 - <Info> -- Found Suricata version 6.0.10 at /usr/bin/suricata.

30/7/2025 -- 13:39:55 - <Info> -- Loading /etc/suricata/suricata.yaml

30/7/2025 -- 13:39:55 - <Info> -- Disabling rules for protocol http2

30/7/2025 -- 13:39:55 - <Info> -- Disabling rules for protocol modbus

30/7/2025 -- 13:39:55 - <Info> -- Disabling rules for protocol dnp3

30/7/2025 -- 13:39:55 - <Info> -- Disabling rules for protocol enip

30/7/2025 -- 13:39:55 - <Info> -- No sources configured, will use Emerging Threats Open

30/7/2025 -- 13:39:55 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.10/emerging.rules.tar.gz.

100% - 5021628/5021628

30/7/2025 -- 13:39:58 - <Info> -- Done.

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules

30/7/2025 -- 13:39:58 - <Info> -- Ignoring file rules/emerging-deleted.rules

30/7/2025 -- 13:40:00 - <Info> -- Loaded 60142 rules.

30/7/2025 -- 13:40:00 - <Info> -- Disabled 14 rules.

30/7/2025 -- 13:40:00 - <Info> -- Enabled 0 rules.

30/7/2025 -- 13:40:00 - <Info> -- Modified 0 rules.

30/7/2025 -- 13:40:00 - <Info> -- Dropped 0 rules.

30/7/2025 -- 13:40:00 - <Info> -- Enabled 136 rules for flowbit dependencies.

30/7/2025 -- 13:40:00 - <Info> -- Backing up current rules.

30/7/2025 -- 13:40:00 - <Info> -- Writing rules to /etc/suricata/rules/suricata.rules: total: 60142; enabled: 44537; added: 60142; removed 0; modified: 0

30/7/2025 -- 13:40:01 - <Info> -- Writing /etc/suricata/rules/classification.config

30/7/2025 -- 13:40:01 - <Info> -- Testing with suricata -T.

30/7/2025 -- 13:40:25 - <Info> -- Done.

suricata-updateが無料のEmerging Threats ET Open Rulesを取得し、Suricataの/etc/suricata/rules/suricata.rulesファイルに保存したことを示しています。また、処理されたルールの数を示し、この例では60142が追加され、そのうち44537が有効になりました。

➂ルール・セット・プロバイダーの追加
既定のプロバイダーリストを一覧表示

# suricata-update list-sources

Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT
Name: scwx/enhanced
  Vendor: Secureworks
  Summary: Secureworks suricata-enhanced ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
  Vendor: Secureworks
  Summary: Secureworks suricata-malware ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
  Vendor: Secureworks
  Summary: Secureworks suricata-security ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: abuse.ch/sslbl-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: CC0-1.0
  Replaces: sslbl/ssl-fp-blacklist
Name: abuse.ch/sslbl-ja3
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
  License: CC0-1.0
  Replaces: sslbl/ja3-fingerprints
Name: abuse.ch/feodotracker
  Vendor: Abuse.ch
  Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset
  License: CC0-1.0
Name: abuse.ch/urlhaus
  Vendor: abuse.ch
  Summary: Abuse.ch URLhaus Suricata Rules
  License: CC0-1.0
Name: etnetera/aggressive
  Vendor: Etnetera a.s.
  Summary: Etnetera aggressive IP blacklist
  License: MIT
Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3
Name: stamus/lateral
  Vendor: Stamus Networks
  Summary: Lateral movement rules
  License: GPL-3.0-only
Name: stamus/nrd-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: pawpatrules
  Vendor: pawpatrules
  Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine
  License: CC-BY-SA-4.0
Name: ptrules/open
  Vendor: Positive Technologies
  Summary: Positive Technologies Open Ruleset
  License: Custom
Name: aleksibovellan/nmap
  Vendor: aleksibovellan
  Summary: Suricata IDS/IPS Detection Rules Against NMAP Scans
  License: MIT

100

101

102

103

104

105

106

107

108

109

110

111

112

113

# suricata-update list-sources

Name: et/open

Vendor: Proofpoint

Summary: Emerging Threats Open Ruleset

License: MIT

Name: et/pro

Vendor: Proofpoint

Summary: Emerging Threats Pro Ruleset

License: Commercial

Replaces: et/open

Parameters: secret-code

Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset

Name: oisf/trafficid

Vendor: OISF

Summary: Suricata Traffic ID ruleset

License: MIT

Name: scwx/enhanced

Vendor: Secureworks

Summary: Secureworks suricata-enhanced ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: scwx/malware

Vendor: Secureworks

Summary: Secureworks suricata-malware ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: scwx/security

Vendor: Secureworks

Summary: Secureworks suricata-security ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: abuse.ch/sslbl-blacklist

Vendor: Abuse.ch

Summary: Abuse.ch SSL Blacklist

License: CC0-1.0

Replaces: sslbl/ssl-fp-blacklist

Name: abuse.ch/sslbl-ja3

Vendor: Abuse.ch

Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset

License: CC0-1.0

Replaces: sslbl/ja3-fingerprints

Name: abuse.ch/feodotracker

Vendor: Abuse.ch

Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset

License: CC0-1.0

Name: abuse.ch/urlhaus

Vendor: abuse.ch

Summary: Abuse.ch URLhaus Suricata Rules

License: CC0-1.0

Name: etnetera/aggressive

Vendor: Etnetera a.s.

Summary: Etnetera aggressive IP blacklist

License: MIT

Name: tgreen/hunting

Vendor: tgreen

Summary: Threat hunting rules

License: GPLv3

Name: stamus/lateral

Vendor: Stamus Networks

Summary: Lateral movement rules

License: GPL-3.0-only

Name: stamus/nrd-30-open

Vendor: Stamus Networks

Summary: Newly Registered Domains Open only - 30 day list, complete

License: Commercial

Parameters: secret-code