ArchLinux : Suricata Elasticsearchで可視化

Contents

前提条件
1台目サーバー　Suricata インストール
ELK StackとSURICATAの統合
Kibanaインストール
SURICATAサーバにFilebeatをインストール

前提条件

1.Suricata
SURICATA IDS/IPSはネットワーク上の通信を監視し、不審なトラフィックを検知するオープンソースのIDSです。基本的な仕組みはシグネチャ型であるため、あらかじめ設定した不正な通信を検知できます。また、Suricataは検知だけでなく防御も行えることが特徴です。

2.Elastic Stack,Kibana,Filebeat
Elastic Stackをインストール＆設定して、Kibana,Filebeatを使用してSURICATAのログを可視化＆検索できるようにする

今回はSuricata IDS と ElasticStack を次のサーバーにインストールします
・1台目サーバー　Suricata IDS & Filebeat　: ArchLinux IPアドレス(192.168.11.83)
・2台目サーバー　ElasticStack & kibana　: Debian13.x IPアドレス(192.168.11.85)
今回はrootユーザーで実行します

1台目サーバー　Suricata インストール

1.Suricata のインストールと設定

①Suricata のインストール

# su - huong
$ yay -S suricata-nfqueue

バージョンチェック
# suricata -V
This is Suricata version 8.0.2 RELEASE

# su - huong

$ yay -S suricata-nfqueue

バージョンチェック

# suricata -V

This is Suricata version 8.0.2 RELEASE

➁必要なカーネルモジュールの確認とロード
NFQUEUEを使用するには、カーネルがnfnetlink_queueをサポートしている必要があります。
モジュールの確認:

# lsmod | grep nfnetlink_queue

1	# lsmod \| grep nfnetlink_queue

上記で何も表示されない場合、モジュールをロードする

# modprobe nfnetlink_queue

1	# modprobe nfnetlink_queue

再度確認

# lsmod | grep nfnetlink_queue
nfnetlink_queue        32768  1
nfnetlink              20480  4 nfnetlink_queue

# lsmod | grep nfnetlink_queue

nfnetlink_queue 32768 1

nfnetlink 20480 4 nfnetlink_queue

再起動後も有効にする

# echo "nfnetlink_queue" | tee /etc/modules-load.d/nfqueue.conf

1	# echo "nfnetlink_queue" \| tee /etc/modules-load.d/nfqueue.conf

➂Suricataがネットワークパケットを検査するインターフェースとIPアドレスを決定

# ip --brief add
lo               UNKNOWN        127.0.0.1/8 ::1/128 
ens33            UP             192.168.11.83/24 fe80::20c:29ff:fe17:39f1/64

# ip --brief add

lo UNKNOWN 127.0.0.1/8 ::1/128

ens33 UP 192.168.11.83/24 fe80::20c:29ff:fe17:39f1/64

④設定ファイルを編集

# vi /etc/suricata/suricata.yaml

# 18行目 : コメントアウトしてその下に追加(varsセクションで、ネットワークを定義する)
#HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
HOME_NET: "[192.168.11.0/24]"

# 158行目あたり : 変更
community-id: false　→　community-id: true

# 661行目あたり : af-packetセクションのインターフェース名を設定
af-packet:
    - interface: ens33

# vi /etc/suricata/suricata.yaml

# 18行目 : コメントアウトしてその下に追加(varsセクションで、ネットワークを定義する)

#HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

HOME_NET: "[192.168.11.0/24]"

# 158行目あたり : 変更

community-id: false　→　community-id: true

# 661行目あたり : af-packetセクションのインターフェース名を設定

af-packet:

- interface: ens33

ディレクトリーの所有権、実行権限を設定

# chown -R root:root /tmp
# chmod 775 /tmp

1 2	# chown -R root:root /tmp # chmod 775 /tmp

⑤Suricataの起動

# systemctl start suricata
# systemctl enable --now suricata
Created symlink /etc/systemd/system/multiuser.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service.

# systemctl start suricata

# systemctl enable --now suricata

Created symlink /etc/systemd/system/multiuser.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service.

⑥Suricataの起動確認

# systemctl status suricata
● suricata.service - Suricata IDS/IPS daemon
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled)
     Active: active (running) since Sat 2026-03-07 09:51:32 JST; 15s ago
 Invocation: 5dd2b3c4d6844e2083a178dc38022b22
   Main PID: 32508 (Suricata-Main)
      Tasks: 10 (limit: 4604)
     Memory: 46.8M (peak: 47M)
        CPU: 179ms
     CGroup: /system.slice/suricata.service
             └─32508 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata/suricata.pid -q 0

Mar 07 09:51:32 Lepard systemd[1]: Started Suricata IDS/IPS daemon.
Mar 07 09:51:32 Lepard suricata[32508]: Info: conf-yaml-loader: Including configuration file local.yaml.
Mar 07 09:51:32 Lepard suricata[32508]: i: suricata: This is Suricata version 8.0.2 RELEASE running in SYSTEM mode
Mar 07 09:51:32 Lepard suricata[32508]: W: detect: No rule files match the pattern /var/lib/suricata/rules/suricata.rules
Mar 07 09:51:32 Lepard suricata[32508]: W: detect: 2 rule files specified, but no rules were loaded!
Mar 07 09:51:32 Lepard suricata[32508]: i: mpm-hs: Rule group caching - loaded: 0 newly cached: 0 total cacheable: 0
Mar 07 09:51:32 Lepard suricata[32508]: i: threads: Threads created -> RX: 1 W: 2 TX: 1 FM: 1 FR: 1   Engine started.

# systemctl status suricata

● suricata.service - Suricata IDS/IPS daemon

Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled)

Active: active (running) since Sat 2026-03-07 09:51:32 JST; 15s ago

Invocation: 5dd2b3c4d6844e2083a178dc38022b22

Main PID: 32508 (Suricata-Main)

Tasks: 10 (limit: 4604)

Memory: 46.8M (peak: 47M)

CPU: 179ms

CGroup: /system.slice/suricata.service

└─32508 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata/suricata.pid -q 0

Mar 07 09:51:32 Lepard systemd[1]: Started Suricata IDS/IPS daemon.

Mar 07 09:51:32 Lepard suricata[32508]: Info: conf-yaml-loader: Including configuration file local.yaml.

Mar 07 09:51:32 Lepard suricata[32508]: i: suricata: This is Suricata version 8.0.2 RELEASE running in SYSTEM mode

Mar 07 09:51:32 Lepard suricata[32508]: W: detect: No rule files match the pattern /var/lib/suricata/rules/suricata.rules

Mar 07 09:51:32 Lepard suricata[32508]: W: detect: 2 rule files specified, but no rules were loaded!

Mar 07 09:51:32 Lepard suricata[32508]: i: mpm-hs: Rule group caching - loaded: 0 newly cached: 0 total cacheable: 0

Mar 07 09:51:32 Lepard suricata[32508]: i: threads: Threads created -> RX: 1 W: 2 TX: 1 FM: 1 FR: 1 Engine started.

ログを確認

# tail /var/log/suricata/suricata.log

1	# tail /var/log/suricata/suricata.log

統計情報を確認するには、stats.log ファイルを確認します(デフォルトで8秒ごとに更新)

# tail -f /var/log/suricata/stats.log

1	# tail -f /var/log/suricata/stats.log

より高度な出力であるEVE JSONは、以下のコマンドで生成することができる

# tail -f /var/log/suricata/eve.json

1	# tail -f /var/log/suricata/eve.json

2.Suricata のテスト

①一時的にnfqueueモードを停止する

# vi /usr/lib/systemd/system/suricata.service

12行目 : コメントにして、その下に追加
#ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata/suricata.pid -q 0
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata/suricata.pid -i ens33 --user suricata

# vi /usr/lib/systemd/system/suricata.service

12行目 : コメントにして、その下に追加

#ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata/suricata.pid -q 0

ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata/suricata.pid -i ens33 --user suricata

➁curl ユーティリティで ping テストを実行

# curl http://testmynids.org/uid/index.html
uid=0(root) gid=0(root) groups=0(root)

1 2	# curl http://testmynids.org/uid/index.html uid=0(root) gid=0(root) groups=0(root)

➂指定されたルール番号を使用してログファイルを確認する
Suricataには、デフォルトで有効になっている次の2つのログファイルが付属しています。

/var/log/suricata/fast.log
/var/log/suricata/eve.log
curlリクエストに対応するログエントリーを確認するために、/var/log/suricata/fast.log ログファイルをgrepコマンドを使用してチェックします。2100498 ルール識別子を使用してログエントリーを検索します。(IPv4の場合)

# grep 2100498 /var/log/suricata/fast.log

03/07/2026-10:18:54.244566  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 13.249.165.123:80 -> 192.168.11.83:53322

# grep 2100498 /var/log/suricata/fast.log

03/07/2026-10:18:54.244566 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 13.249.165.123:80 -> 192.168.11.83:53322

④/var/log/suricata/eve.log のイベント確認

jq をインストール

# pacman -S jq

1	# pacman -S jq

2100498シグネチャを検索して、EVEログのイベントをフィルタリング
2100498の値と一致するsignature_idキーを持つalertオブジェクトを表示

# jq 'select(.alert .signature_id==2100498)' /var/log/suricata/eve.json

{
  "timestamp": "2026-03-07T10:18:54.244566+0900",
  "flow_id": 1792631861341614,
  "in_iface": "ens33",
  "event_type": "alert",
  "src_ip": "13.249.165.123",
  "src_port": 80,
  "dest_ip": "192.168.11.83",
  "dest_port": 53322,
  "proto": "TCP",
  "ip_v": 4,
  "pkt_src": "wire/pcap",
  "community_id": "1:szOE3aOZBYbhTrHzHaSvbQf2ZA4=",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2100498,
    "rev": 7,
    "signature": "GPL ATTACK_RESPONSE id check returned root",
    "category": "Potentially Bad Traffic",
    "severity": 2,
    "metadata": {
      "confidence": [
        "Medium"
      ],
      "created_at": [
        "2010_09_23"
      ],
      "signature_severity": [
        "Informational"
      ],
      "updated_at": [
        "2019_07_26"
      ]
    }
  },
  "app_proto": "http",
  "direction": "to_client",
  "flow": {
    "pkts_toserver": 5,
    "pkts_toclient": 4,
    "bytes_toserver": 430,
    "bytes_toclient": 810,
    "start": "2026-03-07T10:18:54.220771+0900",
    "src_ip": "192.168.11.83",
    "dest_ip": "13.249.165.123",
    "src_port": 53322,
    "dest_port": 80
  }
}

# jq 'select(.alert .signature_id==2100498)' /var/log/suricata/eve.json

{

"timestamp": "2026-03-07T10:18:54.244566+0900",

"flow_id": 1792631861341614,

"in_iface": "ens33",

"event_type": "alert",

"src_ip": "13.249.165.123",

"src_port": 80,

"dest_ip": "192.168.11.83",

"dest_port": 53322,

"proto": "TCP",

"ip_v": 4,

"pkt_src": "wire/pcap",

"community_id": "1:szOE3aOZBYbhTrHzHaSvbQf2ZA4=",

"alert": {

"action": "allowed",

"gid": 1,

"signature_id": 2100498,

"rev": 7,

"signature": "GPL ATTACK_RESPONSE id check returned root",

"category": "Potentially Bad Traffic",

"severity": 2,

"metadata": {

"confidence": [

"Medium"

"created_at": [

"2010_09_23"

"signature_severity": [

"Informational"

"updated_at": [

"2019_07_26"

]

}

"app_proto": "http",

"direction": "to_client",

"flow": {

"pkts_toserver": 5,

"pkts_toclient": 4,

"bytes_toserver": 430,

"bytes_toclient": 810,

"start": "2026-03-07T10:18:54.220771+0900",

"src_ip": "192.168.11.83",

"dest_ip": "13.249.165.123",

"src_port": 53322,

"dest_port": 80

}

3.Suricata Rulesの設定

①Suricataにパッケージされているルールセットの表示

# ls -al /var/lib/suricata/rules/
total 41668
drwxr-x--- 2 suricata suricata     4096 Mar  2 15:15 .
drwxr-x--- 5 suricata suricata     4096 Mar  2 15:11 ..
-rw-r--r-- 1 root     root         3228 Mar  2 15:15 classification.config
-rw-r----- 1 suricata suricata        0 Mar  2 15:05 local.rules
-rw-r--r-- 1 root     root     42654947 Mar  2 15:15 suricata.rules

# ls -al /var/lib/suricata/rules/

total 41668

drwxr-x--- 2 suricata suricata 4096 Mar 2 15:15 .

drwxr-x--- 5 suricata suricata 4096 Mar 2 15:11 ..

-rw-r--r-- 1 root root 3228 Mar 2 15:15 classification.config

-rw-r----- 1 suricata suricata 0 Mar 2 15:05 local.rules

-rw-r--r-- 1 root root 42654947 Mar 2 15:15 suricata.rules

②ルールセットを提供するソースのインデックス一覧

# suricata-update list-sources

Name: abuse.ch/feodotracker
  Vendor: Abuse.ch
  Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset
  License: CC0-1.0
Name: abuse.ch/sslbl-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: CC0-1.0
  Replaces: sslbl/ssl-fp-blacklist
Name: abuse.ch/sslbl-c2
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata Botnet C2 IP Ruleset
  License: CC0-1.0
Name: abuse.ch/sslbl-ja3
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
  License: CC0-1.0
  Replaces: sslbl/ja3-fingerprints
Name: abuse.ch/urlhaus
  Vendor: abuse.ch
  Summary: Abuse.ch URLhaus Suricata Rules
  License: CC0-1.0
Name: aleksibovellan/nmap
  Vendor: aleksibovellan
  Summary: Suricata IDS/IPS Detection Rules Against NMAP Scans
  License: MIT
Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: etnetera/aggressive
  Vendor: Etnetera a.s.
  Summary: Etnetera aggressive IP blacklist
  License: MIT
Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT
Name: pawpatrules
  Vendor: pawpatrules
  Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine
  License: CC-BY-SA-4.0
Name: ptrules/open
  Vendor: Positive Technologies
  Summary: Positive Technologies Open Ruleset
  License: Custom
Name: scwx/enhanced
  Vendor: Secureworks
  Summary: Secureworks suricata-enhanced ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
  Vendor: Secureworks
  Summary: Secureworks suricata-malware ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
  Vendor: Secureworks
  Summary: Secureworks suricata-security ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: stamus/lateral
  Vendor: Stamus Networks
  Summary: Lateral movement rules
  License: GPL-3.0-only
Name: stamus/nrd-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

# suricata-update list-sources

Name: abuse.ch/feodotracker

Vendor: Abuse.ch

Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset

License: CC0-1.0

Name: abuse.ch/sslbl-blacklist

Vendor: Abuse.ch

Summary: Abuse.ch SSL Blacklist

License: CC0-1.0

Replaces: sslbl/ssl-fp-blacklist

Name: abuse.ch/sslbl-c2

Vendor: Abuse.ch

Summary: Abuse.ch Suricata Botnet C2 IP Ruleset

License: CC0-1.0

Name: abuse.ch/sslbl-ja3

Vendor: Abuse.ch

Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset

License: CC0-1.0

Replaces: sslbl/ja3-fingerprints

Name: abuse.ch/urlhaus

Vendor: abuse.ch

Summary: Abuse.ch URLhaus Suricata Rules

License: CC0-1.0

Name: aleksibovellan/nmap

Vendor: aleksibovellan

Summary: Suricata IDS/IPS Detection Rules Against NMAP Scans

License: MIT

Name: et/open

Vendor: Proofpoint

Summary: Emerging Threats Open Ruleset

License: MIT

Name: et/pro

Vendor: Proofpoint

Summary: Emerging Threats Pro Ruleset

License: Commercial

Replaces: et/open

Parameters: secret-code

Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset

Name: etnetera/aggressive

Vendor: Etnetera a.s.

Summary: Etnetera aggressive IP blacklist

License: MIT

Name: oisf/trafficid

Vendor: OISF

Summary: Suricata Traffic ID ruleset

License: MIT

Name: pawpatrules

Vendor: pawpatrules

Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine

License: CC-BY-SA-4.0

Name: ptrules/open

Vendor: Positive Technologies

Summary: Positive Technologies Open Ruleset

License: Custom

Name: scwx/enhanced

Vendor: Secureworks

Summary: Secureworks suricata-enhanced ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: scwx/malware

Vendor: Secureworks

Summary: Secureworks suricata-malware ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: scwx/security

Vendor: Secureworks

Summary: Secureworks suricata-security ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: stamus/lateral

Vendor: Stamus Networks

Summary: Lateral movement rules

License: GPL-3.0-only

Name: stamus/nrd-14-open

Vendor: Stamus Networks

Summary: Newly Registered Domains Open only - 14 day list, complete

License: Commercial

Parameters: secret-code