Prerequisites
We will install Suricata IDS, the Elastic Stack and Kibana on the following servers:
・1st server (Suricata IDS & Filebeat): Debian 12.11, IP address 192.168.11.83
・2nd server (Elastic Stack & Kibana): Ubuntu 24.04, IP address 192.168.11.85
Run the commands as a sudo user other than root.
1st server Suricata Install
Suricata IDS/IPS is an open source intrusion detection system that monitors communications on the network and detects suspicious traffic. Its basic mechanism is signature-based: it detects communications that match predefined rules for unauthorized traffic. Suricata is also characterized by its ability to block traffic (IPS mode) as well as detect it.
1.Suricata
①Install required packages
# apt -y install wget curl software-properties-common dirmngr apt-transport-https gnupg2 ca-certificates lsb-release debian-archive-keyring unzip
➁Suricata install
# apt update
# apt -y install suricata
Check Version
# suricata -V
This is Suricata version 6.0.10 RELEASE
Enable suricata.service to run on system reboot
# systemctl enable suricata.service
Synchronizing state of suricata.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable suricata
Stop the Suricata service as it needs to be configured first.
# systemctl stop suricata.service
2.Configure Suricata
①Determine interface and IP address where Suricata will inspect network packets
# ip --brief add
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens33            UP             192.168.11.83/24 fe80::20c:29ff:febf:c38f/64
Edit /etc/suricata/suricata.yaml file
# vi /etc/suricata/suricata.yaml

# Line 18 : Change (own network)
HOME_NET: "[192.168.11.0/24]"

# Line 132 : Change
community-id: false → community-id: true

# Line 589 : Change
af-packet:
  - interface: eth0
↓
af-packet:
  - interface: ens33   ← Change to your own interface name
Suricata supports live reloading of rules, allowing you to add, delete, or edit rules without restarting the running Suricata process. To enable the live reload option, scroll to the bottom of the configuration file and add the following lines:
detect-engine:
  - rule-reload: true
With this setting, sending the SIGUSR2 signal to the running process makes Suricata reload the modified rules into memory. The following command signals the Suricata process to reload the rule set without restarting it:
# kill -usr2 $(pidof suricata)
➁Add rule set
Suricata has a tool called suricata-update that retrieves rulesets from external providers. Download the latest rulesets for your Suricata server by running:
# suricata-update -o /etc/suricata/rules
30/7/2025 -- 13:39:55 - <Info> -- Using data-directory /var/lib/suricata.
30/7/2025 -- 13:39:55 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
30/7/2025 -- 13:39:55 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
30/7/2025 -- 13:39:55 - <Info> -- Found Suricata version 6.0.10 at /usr/bin/suricata.
30/7/2025 -- 13:39:55 - <Info> -- Loading /etc/suricata/suricata.yaml
30/7/2025 -- 13:39:55 - <Info> -- Disabling rules for protocol http2
30/7/2025 -- 13:39:55 - <Info> -- Disabling rules for protocol modbus
30/7/2025 -- 13:39:55 - <Info> -- Disabling rules for protocol dnp3
30/7/2025 -- 13:39:55 - <Info> -- Disabling rules for protocol enip
30/7/2025 -- 13:39:55 - <Info> -- No sources configured, will use Emerging Threats Open
30/7/2025 -- 13:39:55 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.10/emerging.rules.tar.gz.
 100% - 5021628/5021628
30/7/2025 -- 13:39:58 - <Info> -- Done.
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
30/7/2025 -- 13:39:58 - <Info> -- Ignoring file rules/emerging-deleted.rules
30/7/2025 -- 13:40:00 - <Info> -- Loaded 60142 rules.
30/7/2025 -- 13:40:00 - <Info> -- Disabled 14 rules.
30/7/2025 -- 13:40:00 - <Info> -- Enabled 0 rules.
30/7/2025 -- 13:40:00 - <Info> -- Modified 0 rules.
30/7/2025 -- 13:40:00 - <Info> -- Dropped 0 rules.
30/7/2025 -- 13:40:00 - <Info> -- Enabled 136 rules for flowbit dependencies.
30/7/2025 -- 13:40:00 - <Info> -- Backing up current rules.
30/7/2025 -- 13:40:00 - <Info> -- Writing rules to /etc/suricata/rules/suricata.rules: total: 60142; enabled: 44537; added: 60142; removed 0; modified: 0
30/7/2025 -- 13:40:01 - <Info> -- Writing /etc/suricata/rules/classification.config
30/7/2025 -- 13:40:01 - <Info> -- Testing with suricata -T.
30/7/2025 -- 13:40:25 - <Info> -- Done.
This shows that suricata-update has retrieved the free Emerging Threats ET Open ruleset and saved it in Suricata's /etc/suricata/rules/suricata.rules file. It also shows the number of rules processed: in this example 60142 were added, of which 44537 were enabled.
➂Adding Rule Set Providers
List Default Providers
# suricata-update list-sources
Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT
Name: scwx/enhanced
  Vendor: Secureworks
  Summary: Secureworks suricata-enhanced ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
  Vendor: Secureworks
  Summary: Secureworks suricata-malware ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
  Vendor: Secureworks
  Summary: Secureworks suricata-security ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: abuse.ch/sslbl-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: CC0-1.0
  Replaces: sslbl/ssl-fp-blacklist
Name: abuse.ch/sslbl-ja3
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
  License: CC0-1.0
  Replaces: sslbl/ja3-fingerprints
Name: abuse.ch/feodotracker
  Vendor: Abuse.ch
  Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset
  License: CC0-1.0
Name: abuse.ch/urlhaus
  Vendor: abuse.ch
  Summary: Abuse.ch URLhaus Suricata Rules
  License: CC0-1.0
Name: etnetera/aggressive
  Vendor: Etnetera a.s.
  Summary: Etnetera aggressive IP blacklist
  License: MIT
Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3
Name: stamus/lateral
  Vendor: Stamus Networks
  Summary: Lateral movement rules
  License: GPL-3.0-only
Name: stamus/nrd-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: pawpatrules
  Vendor: pawpatrules
  Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine
  License: CC-BY-SA-4.0
Name: ptrules/open
  Vendor: Positive Technologies
  Summary: Positive Technologies Open Ruleset
  License: Custom
Name: aleksibovellan/nmap
  Vendor: aleksibovellan
  Summary: Suricata IDS/IPS Detection Rules Against NMAP Scans
  License: MIT
As an example, enable the tgreen/hunting ruleset:
# suricata-update enable-source tgreen/hunting -D /etc/suricata/rules
30/7/2025 -- 13:44:55 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
30/7/2025 -- 13:44:55 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
30/7/2025 -- 13:44:55 - <Info> -- Found Suricata version 6.0.10 at /usr/bin/suricata.
30/7/2025 -- 13:44:55 - <Warning> -- Source index does not exist, will use bundled one.
30/7/2025 -- 13:44:55 - <Warning> -- Please run suricata-update update-sources.
30/7/2025 -- 13:44:55 - <Info> -- Creating directory /etc/suricata/rules/update/sources
30/7/2025 -- 13:44:55 - <Info> -- Enabling default source et/open
30/7/2025 -- 13:44:55 - <Info> -- Source tgreen/hunting enabled
Run the update again:
# suricata-update -o /etc/suricata/rules
3.Suricata Configuration Testing
①Run Verification Tool
# suricata -T -c /etc/suricata/suricata.yaml -v
30/7/2025 -- 13:47:21 - <Info> - Running suricata under test mode
30/7/2025 -- 13:47:21 - <Notice> - This is Suricata version 6.0.10 RELEASE running in SYSTEM mode
30/7/2025 -- 13:47:21 - <Info> - CPUs/cores online: 2
30/7/2025 -- 13:47:21 - <Info> - fast output device (regular) initialized: fast.log
30/7/2025 -- 13:47:21 - <Info> - eve-log output device (regular) initialized: eve.json
30/7/2025 -- 13:47:21 - <Info> - stats output device (regular) initialized: stats.log
30/7/2025 -- 13:47:35 - <Info> - 1 rule files processed. 44537 rules successfully loaded, 0 rules failed
30/7/2025 -- 13:47:35 - <Info> - Threshold config parsed: 0 rule(s) found
30/7/2025 -- 13:47:36 - <Info> - 44540 signatures processed. 950 are IP-only rules, 5114 are inspecting packet payload, 38267 inspect application layer, 108 are decoder event only
30/7/2025 -- 13:47:44 - <Notice> - Configuration provided was successfully loaded. Exiting.
30/7/2025 -- 13:47:44 - <Info> - cleaning up signature grouping structure... complete
Start the Suricata service
# systemctl start suricata
# systemctl status suricata
● suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/lib/systemd/system/suricata.service; enabled; preset: enabled)
     Active: active (running) since Wed 2025-07-30 13:49:35 JST; 18s ago
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://suricata-ids.org/docs/
    Process: 30347 ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid (code=exited, status=0/SUCCESS)
   Main PID: 30348 (Suricata-Main)
      Tasks: 1 (limit: 4596)
     Memory: 551.5M
        CPU: 18.155s
     CGroup: /system.slice/suricata.service
             └─30348 /usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid

Jul 30 13:49:35 Lepard systemd[1]: Starting suricata.service - Suricata IDS/IDP daemon...
Jul 30 13:49:35 Lepard suricata[30347]: 30/7/2025 -- 13:49:35 - <Notice> - This is Suricata version 6.0.10 RELEASE running in SYSTEM mode
Jul 30 13:49:35 Lepard systemd[1]: Started suricata.service - Suricata IDS/IDP daemon.
Check log files
# tail -f /var/log/suricata/suricata.log
30/7/2025 -- 13:49:35 - <Info> - fast output device (regular) initialized: fast.log
30/7/2025 -- 13:49:35 - <Info> - eve-log output device (regular) initialized: eve.json
30/7/2025 -- 13:49:35 - <Info> - stats output device (regular) initialized: stats.log
30/7/2025 -- 13:49:50 - <Info> - 1 rule files processed. 44537 rules successfully loaded, 0 rules failed
30/7/2025 -- 13:49:50 - <Info> - Threshold config parsed: 0 rule(s) found
30/7/2025 -- 13:49:51 - <Info> - 44540 signatures processed. 950 are IP-only rules, 5114 are inspecting packet payload, 38267 inspect application layer, 108 are decoder event only
30/7/2025 -- 13:49:59 - <Info> - Going to use 2 thread(s)
30/7/2025 -- 13:49:59 - <Info> - Using unix socket file '/var/run/suricata-command.socket'
30/7/2025 -- 13:49:59 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
30/7/2025 -- 13:49:59 - <Info> - All AFP capture threads are running.
4.Testing the Suricata Rule
①Test ET Open rule number 2100498 using the following command
# curl http://testmynids.org/uid/index.html
uid=0(root) gid=0(root) groups=0(root)
②Check the log file using the specified rule number
# grep 2100498 /var/log/suricata/fast.log
07/30/2025-13:53:11.590916  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 143.204.80.116:80 -> 192.168.11.83:44308
③Check events in /var/log/suricata/eve.json
Install jq
# apt -y install jq
Filter the EVE log for signature 2100498, i.e. display the alert objects whose signature_id key equals 2100498:
# jq 'select(.alert .signature_id==2100498)' /var/log/suricata/eve.json
{
  "timestamp": "2025-07-30T13:53:11.590916+0900",
  "flow_id": 1609820938928638,
  "in_iface": "ens33",
  "event_type": "alert",
  "src_ip": "143.204.80.116",
  "src_port": 80,
  "dest_ip": "192.168.11.83",
  "dest_port": 44308,
  "proto": "TCP",
  "community_id": "1:P62T4igNs+AV6oq8pWG8wGm14NE=",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2100498,
    "rev": 7,
    "signature": "GPL ATTACK_RESPONSE id check returned root",
    "category": "Potentially Bad Traffic",
    "severity": 2,
    "metadata": {
      "confidence": [
        "Medium"
      ],
---------------
---------------
④Creating and Applying Custom Rules
Create the following custom signature, which alerts on SSH traffic to any port other than 2244 (IPv4 only this time), and put it in the file /etc/suricata/rules/local.rules:
# vi /etc/suricata/rules/local.rules
alert ssh any any -> 192.168.11.83 !2244 (msg:"SSH TRAFFIC on non-SSH port"; flow:to_client, not_established; classtype: misc-attack; target: dest_ip; sid:1000000;)
Editing suricata.yaml
# vi /etc/suricata/suricata.yaml
# Add local.rules at line 1923
rule-files:
  - suricata.rules
  - local.rules
Verify SURICATA settings
# suricata -T -c /etc/suricata/suricata.yaml -v
30/7/2025 -- 14:07:08 - <Info> - Running suricata under test mode
30/7/2025 -- 14:07:08 - <Notice> - This is Suricata version 6.0.10 RELEASE running in SYSTEM mode
30/7/2025 -- 14:07:08 - <Info> - CPUs/cores online: 2
30/7/2025 -- 14:07:09 - <Info> - fast output device (regular) initialized: fast.log
30/7/2025 -- 14:07:09 - <Info> - eve-log output device (regular) initialized: eve.json
30/7/2025 -- 14:07:09 - <Info> - stats output device (regular) initialized: stats.log
30/7/2025 -- 14:07:23 - <Info> - 2 rule files processed. 44538 rules successfully loaded, 0 rules failed
30/7/2025 -- 14:07:23 - <Info> - Threshold config parsed: 0 rule(s) found
30/7/2025 -- 14:07:24 - <Info> - 44541 signatures processed. 950 are IP-only rules, 5114 are inspecting packet payload, 38268 inspect application layer, 108 are decoder event only
30/7/2025 -- 14:07:33 - <Notice> - Configuration provided was successfully loaded. Exiting.
30/7/2025 -- 14:07:33 - <Info> - cleaning up signature grouping structure... complete
Edit the custom signature you just created and convert it to use the drop action.
# vi /etc/suricata/rules/local.rules
drop ssh any any -> 192.168.11.83 !2244 (msg:"SSH TRAFFIC on non-SSH port"; flow:to_client, not_established; classtype: misc-attack; target: dest_ip; sid:1000000;)
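Before loading a hand-written rule, it helps to parse it and check the fields that decide how Suricata will treat it: the action (alert versus drop), the protocol, the sid and the rev. The script below is an added example, not code from this tutorial or from the Suricata project. It parses the local.rules signature shown above (and the ET Open rule sid:2100498 that this tutorial later converts to drop), and runs a few defender-side sanity checks. The LOCAL_SID_MIN threshold and the deliberately broad "bad" rule are assumptions made for the example.

```python
"""Parse Suricata rule lines and run a few sanity checks (added example, not from the page)."""
import re

# Rule header: action proto src src_port direction dst dst_port (options)
_HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)

# Assumption of this example: locally written rules use sids >= 1,000,000 so they
# never collide with distributed rulesets such as ET Open.
LOCAL_SID_MIN = 1000000

# The tutorial's local.rules signature and the ET Open rule it later sets to drop.
RULE_LOCAL_ALERT = ('alert ssh any any -> 192.168.11.83 !2244 '
                    '(msg:"SSH TRAFFIC on non-SSH port"; flow:to_client, not_established; '
                    'classtype: misc-attack; target: dest_ip; sid:1000000;)')
RULE_ET_DROP = ('drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; '
                'content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; '
                'metadata:created_at 2010_09_23, updated_at 2019_07_26;)')


def _split_options(text):
    """Split the option body on ';' but not inside double-quoted values."""
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line):
    """Return the header fields plus an 'options' dict (keyword -> value)."""
    match = _HEADER_RE.match(line)
    if not match:
        raise ValueError("not a Suricata rule: %r" % line)
    rule = match.groupdict()
    options = {}
    for item in _split_options(rule.pop("options")):
        key, sep, value = item.partition(":")
        value = value.strip().strip('"') if sep else ""  # keyword-only options get ""
        options[key.strip()] = value  # a repeated keyword (several content:) keeps the last value
    rule["options"] = options
    return rule


def lint_rule(rule, local=False):
    """Return a list of findings; an empty list means the rule passed."""
    opts = rule["options"]
    findings = []
    for key in ("msg", "sid", "rev"):
        if key not in opts:
            findings.append("missing %s" % key)
    sid = opts.get("sid")
    if sid is not None and not sid.isdigit():
        findings.append("sid is not numeric")
    elif local and sid is not None and int(sid) < LOCAL_SID_MIN:
        findings.append("local rule sid below %d" % LOCAL_SID_MIN)
    # A drop on a raw transport protocol with nothing but a header match would
    # block every flow the header matches once Suricata runs in IPS mode.
    constrained = any(k in opts for k in ("content", "pcre", "flow", "app-layer-protocol"))
    if rule["action"] == "drop" and rule["proto"] in ("ip", "tcp", "udp") and not constrained:
        findings.append("drop rule has no payload/flow constraint")
    return findings


def lint_file(text, local=False):
    """Lint every rule in a rule file's text; returns {sid or 'line N': findings}."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        report[rule["options"].get("sid", "line %d" % number)] = lint_rule(rule, local)
    return report


if __name__ == "__main__":
    # On the sensor: lint_file(open("/etc/suricata/rules/local.rules").read(), local=True)
    print("local.rules:", lint_file(RULE_LOCAL_ALERT, local=True))
    print("suricata.rules:", lint_file(RULE_ET_DROP))
```

The local signature passes everything except the missing rev; adding rev:1 is worth doing because Suricata and suricata-update use sid plus rev to tell an updated rule from a duplicate.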
⑤Reconfigure Suricata and restart it in IPS mode
Suricata operates in IDS mode by default and does not actively block network traffic; to switch to IPS mode, the default service settings must be changed.
Create a new systemd override file using the systemctl edit command:
# systemctl edit suricata.service
Add the following [Service] section at the top of the file, between the editor's comment lines:
###Editing /etc/systemd/system/suricata.service.d/override.conf
###Anything between here and the comment below will become the new contents of the file
[Service]
ExecStart=
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -q 0 -vvv
Type=simple
###Lines below this comment will be discarded
Reload systemd to detect new Suricata settings
# systemctl daemon-reload
# systemctl restart suricata.service
# systemctl status suricata.service
● suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/lib/systemd/system/suricata.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/suricata.service.d
             └─override.conf
     Active: active (running) since Wed 2025-07-30 14:20:54 JST; 11s ago
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://suricata-ids.org/docs/
   Main PID: 30639 (Suricata-Main)
      Tasks: 1 (limit: 4596)
     Memory: 299.2M
        CPU: 11.337s
     CGroup: /system.slice/suricata.service
             └─30639 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -q 0 -vvv

Jul 30 14:20:54 Lepard suricata[30639]: 30/7/2025 -- 14:20:54 - <Perf> - using shared mpm ctx' for mqtt.subscribe.topic
Jul 30 14:20:54 Lepard suricata[30639]: 30/7/2025 -- 14:20:54 - <Perf> - using shared mpm ctx' for mqtt.unsubscribe.topic
Jul 30 14:20:54 Lepard suricata[30639]: 30/7/2025 -- 14:20:54 - <Perf> - using shared mpm ctx' for icmpv4.hdr
Jul 30 14:20:54 Lepard suricata[30639]: 30/7/2025 -- 14:20:54 - <Perf> - using shared mpm ctx' for tcp.hdr
Jul 30 14:20:54 Lepard suricata[30639]: 30/7/2025 -- 14:20:54 - <Perf> - using shared mpm ctx' for udp.hdr
Jul 30 14:20:54 Lepard suricata[30639]: 30/7/2025 -- 14:20:54 - <Perf> - using shared mpm ctx' for icmpv6.hdr
Jul 30 14:20:54 Lepard suricata[30639]: 30/7/2025 -- 14:20:54 - <Perf> - using shared mpm ctx' for ipv4.hdr
Jul 30 14:20:54 Lepard suricata[30639]: 30/7/2025 -- 14:20:54 - <Perf> - using shared mpm ctx' for ipv6.hdr
With this change, we are ready to send traffic to Suricata through the UFW firewall.
⑥Configure UFW to send traffic to Suricata
To add the rules needed for Suricata to UFW, you must directly edit the firewall files in /etc/ufw/before.rules and /etc/ufw/before6.rules.
# vi /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# Add the following 7 lines here, after the required lines.
## Start Suricata NFQUEUE rules
-I INPUT 1 -p tcp --dport 2244 -j NFQUEUE --queue-bypass
-I OUTPUT 1 -p tcp --sport 2244 -j NFQUEUE --queue-bypass
-I FORWARD -j NFQUEUE
-I INPUT 2 -j NFQUEUE
-I OUTPUT 2 -j NFQUEUE
## End Suricata NFQUEUE rules

# allow all on loopback
Similarly, change /etc/ufw/before6.rules
Restart UFW
# systemctl restart ufw.service
Ensure that packets matching the aforementioned signature sid:2100498 are dropped
# vi /etc/suricata/rules/suricata.rules
# Find the line matching sid:2100498 and change alert to drop
drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2019_07_26;)
Reload signatures
# kill -usr2 $(pidof suricata)
Test this rule using curl
# curl --max-time 5 http://testmynids.org/uid/index.html
curl: (28) Operation timed out after 5000 milliseconds with 0 out of 39 bytes received
Checking eve.json with jq, "action" is now set to "blocked":
# jq 'select(.alert .signature_id==2100498)' /var/log/suricata/eve.json
{
  "timestamp": "2025-07-30T14:40:29.854578+0900",
  "flow_id": 872212031463488,
  "event_type": "alert",
  "src_ip": "143.204.80.33",
  "src_port": 80,
  "dest_ip": "192.168.11.83",
  "dest_port": 45978,
  "proto": "TCP",
  "community_id": "1:JhqSuutG6ePya6eSgqY0Ld4Z6dE=",
  "alert": {
    "action": "blocked",
    "gid": 1,
    "signature_id": 2100498,
    "rev": 7,
    "signature": "GPL ATTACK_RESPONSE id check returned root",
    "category": "Potentially Bad Traffic",
    "severity": 2,
    "metadata": {
      "confidence": [
        "Medium"
      ],
      "created_at": [
        "2010_09_23"
      ],
      "signature_severity": [
        "Informational"
      ],
      "updated_at": [
        "2019_07_26"
      ]
    }
  },
  "http": {
    "hostname": "testmynids.org",
    "url": "/uid/index.html",
    "http_user_agent": "curl/7.88.1",
    "http_content_type": "text/html",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "status": 200,
    "length": 39
  },
  "files": [
    {
      "filename": "/uid/index.html",
      "sid": [],
      "gaps": false,
      "state": "CLOSED",
      "stored": false,
      "size": 39,
      "tx_id": 0
    }
  ],
  "app_proto": "http",
  "flow": {
    "pkts_toserver": 3,
    "pkts_toclient": 4,
    "bytes_toserver": 256,
    "bytes_toclient": 754,
    "start": "2025-07-30T14:40:29.843840+0900"
  }
}
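The jq filters used here and in section 4 ③ select alerts by signature_id. The following Python script is an added example, not part of this tutorial: it performs the same selection over eve.json lines, skips a truncated or corrupt line instead of aborting, and tallies allowed versus blocked per signature so you can confirm from the log when a drop rule took effect. SAMPLE_EVE_LINES is constructed to mirror the records shown above (documentation IP addresses, made-up timestamps); on the sensor, pass an open file handle on /var/log/suricata/eve.json instead. One caveat on the procedure above: suricata-update rewrites /etc/suricata/rules/suricata.rules on every run, so the hand edit of sid:2100498 to drop is lost at the next update; suricata-update's drop.conf (read from /etc/suricata/drop.conf by default) is the persistent way to convert a rule to drop.

```python
"""Select and summarise Suricata EVE JSON alerts (added example, not from the page)."""
import json


def _event(ts, etype, sid=None, action=None, signature=None,
           src="203.0.113.10", dst="192.168.11.83"):
    """Build one EVE record as a JSON line (constructed sample data, not real traffic)."""
    ev = {"timestamp": ts, "event_type": etype, "src_ip": src,
          "dest_ip": dst, "proto": "TCP", "in_iface": "ens33"}
    if etype == "alert":
        ev["alert"] = {"action": action, "gid": 1, "signature_id": sid,
                       "rev": 7, "signature": signature, "severity": 2}
    return json.dumps(ev)


# Constructed sample log: two alerts before the drop rule, two after, one flow
# record and one deliberately corrupt line (as left by a crash or log rotation).
SAMPLE_EVE_LINES = [
    _event("2025-07-30T13:53:11+0900", "alert", 2100498, "allowed",
           "GPL ATTACK_RESPONSE id check returned root"),
    _event("2025-07-30T13:55:02+0900", "flow"),
    _event("2025-07-30T14:40:29+0900", "alert", 2100498, "blocked",
           "GPL ATTACK_RESPONSE id check returned root"),
    _event("2025-07-30T14:41:10+0900", "alert", 1000000, "allowed",
           "SSH TRAFFIC on non-SSH port", src="198.51.100.7"),
    "{this line is deliberately not valid JSON",
    _event("2025-07-30T14:42:00+0900", "alert", 2100498, "blocked",
           "GPL ATTACK_RESPONSE id check returned root", src="203.0.113.11"),
]


def iter_events(lines):
    """Yield parsed EVE records; a corrupt line is skipped rather than fatal."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict):
            yield ev


def alerts_for_sid(lines, sid):
    """Same selection as: jq 'select(.alert.signature_id==SID)' eve.json"""
    return [ev for ev in iter_events(lines)
            if ev.get("event_type") == "alert"
            and ev.get("alert", {}).get("signature_id") == sid]


def summarize_alerts(lines):
    """Per signature: message, count per action (allowed/blocked) and the set of source IPs."""
    summary = {}
    for ev in iter_events(lines):
        if ev.get("event_type") != "alert":
            continue
        alert = ev["alert"]
        entry = summary.setdefault(alert["signature_id"], {
            "signature": alert.get("signature"), "allowed": 0, "blocked": 0,
            "sources": set()})
        action = alert.get("action", "allowed")
        entry[action] = entry.get(action, 0) + 1
        entry["sources"].add(ev.get("src_ip"))
    return summary


def first_blocked(lines, sid):
    """Timestamp of the first 'blocked' alert for sid, i.e. when the drop rule took effect."""
    for ev in alerts_for_sid(lines, sid):
        if ev["alert"].get("action") == "blocked":
            return ev["timestamp"]
    return None


if __name__ == "__main__":
    # On a live sensor: with open("/var/log/suricata/eve.json") as fh: summarize_alerts(fh)
    for sid, entry in sorted(summarize_alerts(SAMPLE_EVE_LINES).items()):
        print(sid, entry["signature"],
              "allowed=%d blocked=%d" % (entry["allowed"], entry["blocked"]),
              "sources=%s" % sorted(entry["sources"]))
    print("first block of 2100498:", first_blocked(SAMPLE_EVE_LINES, 2100498))
```

Because the functions only iterate over lines, the same code works on a file handle, on `tail -f` output piped into stdin, or on a list of lines pulled back from Elasticsearch once Filebeat ships eve.json there.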
Elastic Stack 9.x Install
Install and configure the Elastic Stack to visualize and search Suricata logs.
This section is done on the second server (Ubuntu 24.04).
①Install Elastic stack 9.x repository signing key
# apt update
# apt install gnupg2 -y
# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | \
  gpg --dearmor -o /etc/apt/trusted.gpg.d/elastic.gpg
➁Install Elastic Stack 9.x repository
# echo "deb https://artifacts.elastic.co/packages/9.x/apt stable main" > /etc/apt/sources.list.d/elastic-9.x.list
Update the package index:
# apt update
➂Installing Elasticsearch 9.x on Ubuntu 24.04
# apt install elasticsearch -y
During installation, the security features are enabled by default:
---------------------------------------------------------------------------------------
Preparing to unpack .../elasticsearch_9.1.0_amd64.deb ...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Unpacking elasticsearch (9.1.0) ...
Setting up elasticsearch (9.1.0) ...
--------------------------- Security autoconfiguration information ------------------------------

Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is : eLytG+3AZwbOY-4zM+u1

If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.

You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.

Generate an enrollment token for Kibana instances with
 '/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.

Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.

-------------------------------------------------------------------------------------------------
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service
Scanning processes...
Scanning candidates...
Scanning linux images...

Running kernel seems to be up-to-date.

Restarting services...

Service restarts being deferred:
 /etc/needrestart/restart.d/dbus.service
 systemctl restart getty@tty1.service
 systemctl restart systemd-logind.service
 systemctl restart unattended-upgrades.service
Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.
The Elastic superuser account (elastic) and its password are created.
④Configuring Elasticsearch 9.x on Ubuntu
Since this is a basic single-node cluster, we will use the default settings.
Check the Elasticsearch configuration file /etc/elasticsearch/elasticsearch.yml; you will see that the security settings are enabled:
# cat /etc/elasticsearch/elasticsearch.yml
#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically
# generated to configure Elasticsearch security features on 31-07-2025 06:27:58
#
# --------------------------------------------------------------------------------

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["Lion"]

# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0

#----------------------- END SECURITY AUTO CONFIGURATION -------------------------
⑤Start Elasticsearch
Start Elasticsearch and allow it to run at system startup
# systemctl daemon-reload
# systemctl enable --now elasticsearch
# systemctl start elasticsearch
Check Status
# systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
     Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; pr>
     Active: active (running) since Thu 2025-07-31 15:36:23 JST; 21s ago
       Docs: https://www.elastic.co
   Main PID: 34070 (java)
      Tasks: 103 (limit: 4547)
     Memory: 2.3G (peak: 2.3G)
        CPU: 50.980s
     CGroup: /system.slice/elasticsearch.service
             ├─34070 /usr/share/elasticsearch/jdk/bin/java -Xms4m -Xmx64m -XX:+>
             ├─34131 /usr/share/elasticsearch/jdk/bin/java -Des.networkaddress.>
             └─34151 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux->

Jul 31 15:35:47 Lion systemd[1]: Starting elasticsearch.service - Elasticsearch>
Jul 31 15:36:23 Lion systemd[1]: Started elasticsearch.service - Elasticsearch.
You can also check the status of Elasticsearch using curl; replace the IP address as appropriate.
# curl https://192.168.11.85:9200 --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic
When prompted, enter the Elasticsearch password generated during the Elasticsearch installation
The output will look like this
{
  "name" : "Lion",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "BVob3WArQtWJmgTFhtaPXQ",
  "version" : {
    "number" : "9.1.0",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "00e7d33bf08f1476229d9d1642e2da46cfebdd53",
    "build_date" : "2025-07-23T22:09:53.891289976Z",
    "build_snapshot" : false,
    "lucene_version" : "10.2.2",
    "minimum_wire_compatibility_version" : "8.19.0",
    "minimum_index_compatibility_version" : "8.0.0"
  },
  "tagline" : "You Know, for Search"
}
Also, make sure that both the HTTP port (9200) and the transport port (9300) are listening:
# ss -altnp | grep -E "9200|9300"
LISTEN 0      4096         0.0.0.0:9200       0.0.0.0:*    users:(("java",pid=34131,fd=580))
LISTEN 0      4096       127.0.0.1:9300       0.0.0.0:*    users:(("java",pid=34131,fd=578))
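To make this check repeatable, the following added example (not code from this tutorial or from Elastic) parses ss output and verifies that 9200 is listening and that the transport port 9300 stays on loopback, which is what leaving transport.host commented out gives you on a single node. SAMPLE_SS_OUTPUT is constructed from the two lines above plus an sshd and a Kibana listener; the "exposed" variant is made up to show a failing check.

```python
"""Check Elasticsearch port bindings from `ss -ltnp` output (added example, not from the page)."""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Constructed sample: the two Elasticsearch lines from the tutorial plus sshd and Kibana.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
LISTEN 0      4096          0.0.0.0:9200       0.0.0.0:*     users:(("java",pid=34131,fd=580))
LISTEN 0      4096        127.0.0.1:9300       0.0.0.0:*     users:(("java",pid=34131,fd=578))
LISTEN 0      4096    192.168.11.85:5601       0.0.0.0:*     users:(("node",pid=35001,fd=20))
LISTEN 0      128              [::]:22            [::]:*     users:(("sshd",pid=812,fd=3))
"""

# Made-up failing case: transport port bound to every interface.
SAMPLE_SS_EXPOSED = SAMPLE_SS_OUTPUT.replace("127.0.0.1:9300", "0.0.0.0:9300")


def listening_sockets(text):
    """Map port -> set of bind addresses from ss -ltnp output; header lines are ignored."""
    sockets = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # '[::]:22' -> '[::]', '22'
        if not port.isdigit():
            continue
        sockets.setdefault(int(port), set()).add(addr)
    return sockets


def check_elasticsearch_binding(sockets):
    """Findings for a single-node setup: 9200 must listen, 9300 should stay on loopback."""
    findings = []
    if 9200 not in sockets:
        findings.append("HTTP port 9200 is not listening")
    transport = sockets.get(9300, set())
    if not transport:
        findings.append("transport port 9300 is not listening")
    elif transport - LOOPBACK:
        findings.append("transport port 9300 bound to %s; on a single node with "
                        "transport.host left commented out it should stay on loopback"
                        % ", ".join(sorted(transport - LOOPBACK)))
    return findings


if __name__ == "__main__":
    # On the server: subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout
    for label, text in (("tutorial", SAMPLE_SS_OUTPUT), ("exposed", SAMPLE_SS_EXPOSED)):
        print(label, check_elasticsearch_binding(listening_sockets(text)) or ["ok"])
```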
⑥Reset Elasticsearch Password
The auto-generated password for the elastic user is too complex to use conveniently, so reset it using the command /usr/share/elasticsearch/bin/elasticsearch-reset-password.
To reset the password, run the command:
# /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i
This tool will reset the password of the [elastic] user.
You will be prompted to enter the password.
Please confirm that you would like to continue [y/N]y

Enter password for [elastic]:
Re-enter password for [elastic]:
Password for the [elastic] user successfully reset.
⑦Elasticsearch Logs
Elasticsearch writes its logs under /var/log/elasticsearch. The log to check if there is a problem with your Elasticsearch instance is /var/log/elasticsearch/CLUSTER_NAME.log, where CLUSTER_NAME is the value of the cluster.name option in elasticsearch.yml. If this value is not changed, the default is elasticsearch and the log file is /var/log/elasticsearch/elasticsearch.log.
# tail -f /var/log/elasticsearch/elasticsearch.log
Log output:
[2025-07-31T06:36:28,331][INFO ][o.e.x.i.IndexLifecycleTransition] [Lion] moving index [.ds-.logs-elasticsearch.deprecation-default-2025.07.31-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.deprecation-indexing-ilm-policy]
[2025-07-31T06:36:28,360][INFO ][o.e.x.i.IndexLifecycleTransition] [Lion] moving index [.ds-.logs-elasticsearch.deprecation-default-2025.07.31-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.deprecation-indexing-ilm-policy]
[2025-07-31T06:36:33,252][INFO ][o.e.c.m.MetadataCreateIndexService] [Lion] creating index [.ds-ilm-history-7-2025.07.31-000001] in project [default], cause [initialize_data_stream], templates [provided in request], shards [1]/[1]
[2025-07-31T06:36:33,253][INFO ][o.e.c.m.MetadataCreateDataStreamService] [Lion] adding data stream [ilm-history-7] with write index [.ds-ilm-history-7-2025.07.31-000001], backing indices [], and aliases []
[2025-07-31T06:36:33,254][INFO ][o.e.c.r.a.AllocationService] [Lion] in project [default] updating number_of_replicas to [0] for indices [.ds-ilm-history-7-2025.07.31-000001]
[2025-07-31T06:36:33,339][INFO ][o.e.c.r.a.AllocationService] [Lion] current.health="GREEN" message="Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.ds-ilm-history-7-2025.07.31-000001][0]]])." previous.health="YELLOW" reason="shards started [[.ds-ilm-history-7-2025.07.31-000001][0]]"
[2025-07-31T06:52:31,735][INFO ][o.e.x.s.a.f.FileUserPasswdStore] [Lion] users file [/etc/elasticsearch/users] changed. updating users...
[2025-07-31T06:52:31,744][INFO ][o.e.x.s.a.f.FileUserRolesStore] [Lion] users roles file [/etc/elasticsearch/users_roles] changed. updating users roles...
[2025-07-31T06:52:51,757][INFO ][o.e.x.s.a.f.FileUserPasswdStore] [Lion] users file [/etc/elasticsearch/users] changed. updating users...
[2025-07-31T06:52:51,758][INFO ][o.e.x.s.a.f.FileUserRolesStore] [Lion] users roles file [/etc/elasticsearch/users_roles] changed. updating users roles...
Kibana 9.x Install
This section is basically done on a second Ubuntu 24.04 server
①Install
# apt install kibana
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  kibana
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 364 MB of archives.
After this operation, 1,129 MB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/9.x/apt stable/main amd64 kibana amd64 9.1.0 [364 MB]
Fetched 364 MB in 1min 22s (4,452 kB/s)
Selecting previously unselected package kibana.
(Reading database ... 90363 files and directories currently installed.)
Preparing to unpack .../kibana_9.1.0_amd64.deb ...
Unpacking kibana (9.1.0) ...
Setting up kibana (9.1.0) ...
Creating kibana group... OK
Creating kibana user... OK
Created Kibana keystore in /etc/kibana/kibana.keystore
➁Configure Kibana 9
Kibana is configured by default to run on localhost:5601. To allow external access, edit the configuration file and replace the server.host value with the interface IP.
# vi /etc/kibana/kibana.yml
Rewrite as follows
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601
...

# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "localhost"
server.host: "192.168.11.85"
➂Generate Kibana-Elasticsearch Enrollment Token
To configure your Kibana instance to communicate with an existing Elasticsearch cluster with security features enabled, you need an Enrollment Token.
# /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTkyLjE2OC4xMS44NTo5MjAwIl0sImZnciI6IjMwYzRiYWNjMjgxZDkzMGY5NzMyMzM5N2Q1ZjUxNTYzYzQyZDk1NTdmNDNlNDIwZjkxMWFjMTgzMjFmMzUwMjciLCJrZXkiOiI1ejVPWDVnQi1hWGhacW92LTR4MDp6VzJrMGNTVW03NEpBQkxSYVduTG13In0=
④Generate Kibana encryption keys
Kibana uses encryption keys in several areas, from encrypting data for Kibana-related indexes to storing session information. The required keys are as follows:
・xpack.encryptedSavedObjects.encryptionKey: used to encrypt stored objects such as dashboards and visualizations
・xpack.reporting.encryptionKey: used to encrypt saved reports
・xpack.security.encryptionKey: used to encrypt session information
These can be generated using the command below
# /usr/share/kibana/bin/kibana-encryption-keys generate
The command produces output like the following (your keys will differ)
xpack.encryptedSavedObjects.encryptionKey: 594af0494967fbc4cbad92b9ed8a7883
xpack.reporting.encryptionKey: 57343be4c3905c605c75436fb70d81ef
xpack.security.encryptionKey: 627041858c6502d64a6d7d61674b6eea
Append these lines to the Kibana config file, kibana.yml
# echo -e "xpack.encryptedSavedObjects.encryptionKey: 594af0494967fbc4cbad92b9ed8a7883
xpack.reporting.encryptionKey: 57343be4c3905c605c75436fb70d81ef
xpack.security.encryptionKey: 627041858c6502d64a6d7d61674b6eea" >> /etc/kibana/kibana.yml
⑤Running Kibana
Start Kibana 9 and allow it to run at system startup.
# systemctl enable --now kibana
# systemctl start kibana
status
# systemctl status kibana
● kibana.service - Kibana
     Loaded: loaded (/usr/lib/systemd/system/kibana.service; enabled; preset: enabled)
     Active: active (running) since Thu 2025-07-31 16:15:53 JST; 3min 18s ago
       Docs: https://www.elastic.co
   Main PID: 35139 (node)
      Tasks: 11 (limit: 4547)
     Memory: 338.0M (peak: 442.6M)
        CPU: 17.471s
     CGroup: /system.slice/kibana.service
             └─35139 /usr/share/kibana/bin/../node/glibc-217/bin/node /usr/share/kibana/bin/../src/cli/dist

Jul 31 16:15:59 Lion kibana[35139]: Native global console methods have been overridden in production environment.
Jul 31 16:16:11 Lion kibana[35139]: [2025-07-31T16:16:11.767+09:00][INFO ][root] Kibana is starting
Jul 31 16:16:11 Lion kibana[35139]: [2025-07-31T16:16:11.855+09:00][INFO ][node] Kibana process configured with roles: [background_tasks, ui]
Jul 31 16:16:36 Lion kibana[35139]: [2025-07-31T16:16:36.114+09:00][INFO ][plugins-service] The following plugins are disabled: "cloudChat,cloudExperiments,cloudFullStory,dataU>
Jul 31 16:16:36 Lion kibana[35139]: [2025-07-31T16:16:36.237+09:00][INFO ][http.server.Preboot] http server running at http://192.168.11.85:5601
Jul 31 16:16:36 Lion kibana[35139]: [2025-07-31T16:16:36.753+09:00][INFO ][plugins-system.preboot] Setting up [1] plugins: [interactiveSetup]
Jul 31 16:16:37 Lion kibana[35139]: [2025-07-31T16:16:37.117+09:00][INFO ][preboot] "interactiveSetup" plugin is holding setup: Validating Elasticsearch connection configuratio>
Jul 31 16:16:37 Lion kibana[35139]: [2025-07-31T16:16:37.143+09:00][INFO ][root] Holding setup until preboot stage is completed.
Jul 31 16:16:45 Lion kibana[35139]: i Kibana has not been configured.
Jul 31 16:16:45 Lion kibana[35139]: Go to http://192.168.11.85:5601/?code=561945 to get started.
The following appears at the end of the output
i Kibana has not been configured.
Go to http://192.168.11.85:5601/?code=561945 to get started.
Copy the provided Kibana URL (including code) and use it in your browser to access Kibana and complete the setup.
Similarly, Kibana logs are available in /var/log/kibana/kibana.log and /var/log/syslog.
⑥Accessing the Kibana9 Dashboard
You can now open http://192.168.11.85:5601/?code=561945
(use the address and code printed by your own Kibana instance)
If UFW is running, open the Kibana port
# ufw allow 5601/tcp
Rule added
# ufw reload
Firewall reloaded
When you access Kibana 9, the welcome page asks you to configure Elastic.
First, enter the generated registration token.
Copy the Kibana enrollment token generated earlier with /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana and paste it into the box.

Paste the token and Kibana will automatically connect to Elasticsearch.
Click Configure Elastic. Your settings will be saved and Elasticsearch will be configured and restarted.

Go to the login page. Log in using the generated Elastic user credentials.

On the welcome page, click "Explore on my own" to proceed to the Kibana 9.x dashboard.

Installing Filebeat 9
To collect and monitor logs from Debian12.11 using the ELK stack, Filebeat must be installed.
This work will be done on the 1st server Debian12.11 IP address (192.168.11.83).
①Install Elastic Repos
To install Filebeat 9, you must install the Elastic 9.x repository.
# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | \
    gpg --dearmor > /etc/apt/trusted.gpg.d/elk.gpg
# echo "deb https://artifacts.elastic.co/packages/9.x/apt stable main" \
    > /etc/apt/sources.list.d/elastic-9.list
update
# apt update
Install Filebeat 9
# apt install filebeat
➁Configuring Filebeat Logging
The default filebeat configuration file is /etc/filebeat/filebeat.yml
To make Filebeat write logs to its own log file, enter the following settings in the configuration file
# cat >> /etc/filebeat/filebeat.yml << 'EOL'
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0640
EOL
➂Connecting Filebeat to the data processing system
Configure Filebeat to connect to a data processing system. In this case, it is Elasticsearch.
To send logs directly to Elasticsearch, edit the Filebeat configuration file and update the Output Settings section.
Connecting to Elasticsearch 9 requires SSL and authentication.
Make sure you can connect to Elasticsearch port 9200/tcp
# telnet 192.168.11.85 9200
Trying 192.168.11.85...
Connected to 192.168.11.85.
Escape character is '^]'.
④Elasticsearch CA certificate creation
Download the Elasticsearch CA certificate and save it in a directory of your choice (this time as /etc/filebeat/elastic-ca.crt)
# openssl s_client -connect 192.168.11.85:9200 \
    -showcerts </dev/null 2>/dev/null | \
    openssl x509 -outform PEM > /etc/filebeat/elastic-ca.crt
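As an added check that is not part of the original tutorial, the Python below decodes the enrollment token generated earlier, reads the CA fingerprint it carries (the "fgr" field), and reports which certificate in a saved PEM file matches it. This matters because `openssl x509` keeps only the first certificate of the chain, normally the server's leaf, so the file written above may not contain the CA at all; the two-certificate chain in the block is constructed data, not real X.509.

```python
"""Verify that the certificate Filebeat is told to trust is the CA the
cluster advertised in its enrollment token. Added example, not from the
tutorial; constructed_chain() builds fake PEM data for offline use."""
import base64
import hashlib
import json
import re

# Enrollment token as printed by the tutorial (base64 JSON: ver, adr, fgr, key).
SAMPLE_TOKEN = "eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTkyLjE2OC4xMS44NTo5MjAwIl0sImZnciI6IjMwYzRiYWNjMjgxZDkzMGY5NzMyMzM5N2Q1ZjUxNTYzYzQyZDk1NTdmNDNlNDIwZjkxMWFjMTgzMjFmMzUwMjciLCJrZXkiOiI1ejVPWDVnQi1hWGhacW92LTR4MDp6VzJrMGNTVW03NEpBQkxSYVduTG13In0="
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def decode_enrollment_token(token):
    """'fgr' is the hex SHA-256 fingerprint of the cluster's HTTP CA cert."""
    return json.loads(base64.b64decode(token))


def pem_fingerprints(pem_text):
    """SHA-256 over the DER bytes of each certificate in the PEM text, the
    same value `openssl x509 -noout -fingerprint -sha256` prints."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_CERT_RE.findall(pem_text)]


def find_ca_matching_token(pem_text, token):
    """Index of the certificate whose fingerprint equals the token's 'fgr',
    or None when the file holds no such certificate (e.g. only the leaf)."""
    expected = decode_enrollment_token(token)["fgr"].lower()
    for idx, fpr in enumerate(pem_fingerprints(pem_text)):
        if fpr == expected:
            return idx
    return None


def constructed_chain():
    """Constructed leaf+CA 'chain' and a token that points at the CA.
    Arbitrary bytes stand in for DER; only the hashing path is exercised."""
    leaf, ca = b"constructed leaf bytes", b"constructed CA bytes"
    pem = "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                  % base64.b64encode(b).decode() for b in (leaf, ca))
    token = base64.b64encode(json.dumps({
        "ver": "8.14.0", "adr": ["192.168.11.85:9200"],
        "fgr": hashlib.sha256(ca).hexdigest(),
        "key": "PLACEHOLDER-ID:PLACEHOLDER-SECRET"}).encode()).decode()
    return pem, token
```

On a real host, feed the full `openssl s_client -showcerts` output (not the single certificate kept by `openssl x509`) to `find_ca_matching_token`; a result of None means the saved file does not contain the CA the cluster advertised.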
Get the credentials that Filebeat uses to authenticate to Elasticsearch. In this case, we will use the built-in elastic superuser credentials.
# vi /etc/filebeat/filebeat.yml
Around line 127, change the Kibana section as follows
  #host: "localhost:5601"
  host: "192.168.11.85:5601"

Around line 161, change the Elasticsearch Output section as follows
output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
  hosts: ["192.168.11.85:9200"]

  # Performance preset - one of "balanced", "throughput", "scale",
  # "latency", or "custom".
  preset: balanced

  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  ssl.certificate_authorities: ["/etc/filebeat/elastic-ca.crt"]

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "Password"   ←Password for elastic created on the second server
⑤Configuration File Test
# filebeat test config
Config OK
⑥Test Filebeat output connections
# filebeat test output
elasticsearch: https://192.168.11.85:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.11.85
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 9.1.0
⑦Enable Filebeat's Suricata module
Change modules.d/suricata.yml as follows
# vi /etc/filebeat/modules.d/suricata.yml
# Module: suricata
# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-suricata.html

- module: suricata
  # All logs
  eve:
    enabled: true
    var.paths: ["/var/log/suricata/eve.json"]

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
Enable Filebeat's Suricata module
# filebeat modules enable suricata
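To see what the module is actually shipping, here is an added example (not part of the original tutorial) that reads eve.json lines the way the Kibana Alerts view summarises them: one JSON object per line, only `event_type: alert` records counted, grouped by signature, severity and source address. The log lines are constructed, and the signature ids are in the local-rule range, not real ET rule ids.

```python
"""Summarise Suricata EVE alerts from eve.json, the file the Filebeat
suricata module ships to Elasticsearch. Added example, not from the
tutorial; all log lines below are constructed."""
import json
from collections import Counter

# Constructed eve.json lines: three alerts, one flow record, and one line
# cut off mid-write (Suricata appends one JSON object per line).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2025-07-31T16:20:01.000000+0900","event_type":"alert","src_ip":'
    '"192.168.11.50","dest_ip":"192.168.11.83","dest_port":22,"proto":"TCP","alert":'
    '{"signature_id":9000001,"signature":"CONSTRUCTED inbound SSH connection burst",'
    '"category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2025-07-31T16:20:02.000000+0900","event_type":"flow",'
    '"src_ip":"192.168.11.50","dest_ip":"192.168.11.83","proto":"TCP"}',
    '{"timestamp":"2025-07-31T16:20:03.000000+0900","event_type":"alert","src_ip":'
    '"192.168.11.50","dest_ip":"192.168.11.83","dest_port":22,"proto":"TCP","alert":'
    '{"signature_id":9000001,"signature":"CONSTRUCTED inbound SSH connection burst",'
    '"category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2025-07-31T16:20:04.000000+0900","event_type":"alert","src_ip":'
    '"192.168.11.60","dest_ip":"192.168.11.83","dest_port":80,"proto":"TCP","alert":'
    '{"signature_id":9000002,"signature":"CONSTRUCTED HTTP path traversal attempt",'
    '"category":"Web Application Attack","severity":1}}',
    '{"timestamp":"2025-07-31T16:20:05.000000+0900","event_type":"al',
]


def parse_eve(lines):
    """Yield one dict per well-formed record; a partial line is skipped
    rather than aborting the whole pass (Filebeat behaves the same way)."""
    for line in lines:
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarise_alerts(lines):
    """Count alert records by signature, severity and source address;
    event_type separates alerts from flow/dns/http records."""
    by_sig, by_sev, by_src = Counter(), Counter(), Counter()
    total = alerts = 0
    for rec in parse_eve(lines):
        total += 1
        if rec.get("event_type") != "alert":
            continue
        alerts += 1
        a = rec["alert"]
        by_sig[(a["signature_id"], a["signature"])] += 1
        by_sev[a["severity"]] += 1
        by_src[rec["src_ip"]] += 1
    return {"total": total, "alerts": alerts, "by_signature": by_sig,
            "by_severity": by_sev, "by_src": by_src}
```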
⑧Set up initial environment
Load the SIEM dashboard and pipeline into Elasticsearch
filebeat setup command
# filebeat setup -e
⑨Start the Filebeat service
# systemctl start filebeat.service
⑩Check with Kibana
Log back into Kibana at http://192.168.11.85:5601
Type "Suricata Events Overview" in the top search field and click [Filebeat Suricata] Events Overview

All Suricata events in the last 15 minutes are displayed

Click on the Alerts text next to the Suricata logo for malicious traffic alerts

Create a new user account so that you do not have to use the elastic superuser account.
Click on the three-line mark in the upper left corner and select "Stack Management" under "Management"

Select "security" and "Users"

Click on the "Create user" button in the upper right corner

Enter new user information, assign the roles kibana_admin, kibana_system, monitoring_user, and editor in Privileges, and finally click Create user

Log out of the current profile and confirm that you can log in with the newly created user account.