Debian12.8 ; Suricata + Elastic Stackでログの可視化とモニタリング

Contents

前提条件
1台目サーバー　Suricata インストール
ELK StackとSURICATAの統合
Filebeat インストールと設定
- 1. Filebeat インストール
Kibanaで確認

前提条件

今回はSuricata IDS と ElasticStack を次のサーバーにインストールします
・1台目サーバー　Suricata IDS & Filebeat　: Debian12.8 IPアドレス(192.168.11.83)
・2台目サーバー　ElasticStack & kibana　: Ubuntu24.04 IPアドレス(192.168.11.200)
root以外のsudoユーザーで実行する

1台目サーバー　Suricata インストール

SURICATA IDS/IPSはネットワーク上の通信を監視し、不審なトラフィックを検知するオープンソースのIDSです。基本的な仕組みはシグネチャ型であるため、あらかじめ設定した不正な通信を検知できます。また、Suricataは検知だけでなく防御も行えることが特徴です。

1.Suricata のインストール

①必須パッケージをインストール

# apt install wget curl software-properties-common dirmngr apt-transport-https gnupg2 ca-certificates lsb-release debian-archive-keyring unzip -y

1	# apt install wget curl software-properties-common dirmngr apt-transport-https gnupg2 ca-certificates lsb-release debian-archive-keyring unzip -y

➁Suricata のインストール

# apt update
# apt install suricata

1 2	# apt update # apt install suricata

バージョンの確認

# suricata -V
This is Suricata version 6.0.10 RELEASE

1 2	# suricata -V This is Suricata version 6.0.10 RELEASE

Suricataサービスを最初に構成する必要があるため、サービスを停止します。

# systemctl stop suricata

1	# systemctl stop suricata

2.Suricataを構成

①Suricataがネットワークパケットを検査するインターフェースとIPアドレスを決定

# ip --brief add
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens33            UP             192.168.11.83/24

# ip --brief add

lo UNKNOWN 127.0.0.1/8 ::1/128

ens33 UP 192.168.11.83/24

/etc/suricata/suricata.yamlファイル編集

# vi /etc/suricata/suricata.yaml
 
# 18行目 : 変更(自ネットワーク)
HOME_NET: "[192.168.11.0/24]"

# 132行目 : 変更
community-id: false　→　community-id: true

# 589行目 : 変更
af-packet:
  - interface: eth0
↓
af-packet:
  - interface: ens33 ←各自のインターフェース名に変更

# vi /etc/suricata/suricata.yaml

# 18行目 : 変更(自ネットワーク)

HOME_NET: "[192.168.11.0/24]"

# 132行目 : 変更

community-id: false　→　community-id: true

# 589行目 : 変更

af-packet:

- interface: eth0

↓

af-packet:

- interface: ens33 ←各自のインターフェース名に変更

➁ルールセットを追加

# suricata-update -o /etc/suricata/rules

19/11/2024 -- 12:26:56 - <Info> -- Using data-directory /var/lib/suricata.
19/11/2024 -- 12:26:56 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
19/11/2024 -- 12:26:56 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
19/11/2024 -- 12:26:56 - <Info> -- Found Suricata version 6.0.10 at /usr/bin/suricata.
19/11/2024 -- 12:26:56 - <Info> -- Loading /etc/suricata/suricata.yaml
19/11/2024 -- 12:26:56 - <Info> -- Disabling rules for protocol http2
19/11/2024 -- 12:26:56 - <Info> -- Disabling rules for protocol modbus
19/11/2024 -- 12:26:56 - <Info> -- Disabling rules for protocol dnp3
19/11/2024 -- 12:26:56 - <Info> -- Disabling rules for protocol enip
19/11/2024 -- 12:26:56 - <Info> -- No sources configured, will use Emerging Threats Open
19/11/2024 -- 12:26:56 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.10/emerging.rules.tar.gz.
 100% - 4599733/4599733
19/11/2024 -- 12:26:59 - <Info> -- Done.
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
19/11/2024 -- 12:26:59 - <Info> -- Ignoring file rules/emerging-deleted.rules
19/11/2024 -- 12:27:01 - <Info> -- Loaded 54361 rules.
19/11/2024 -- 12:27:01 - <Info> -- Disabled 14 rules.
19/11/2024 -- 12:27:01 - <Info> -- Enabled 0 rules.
19/11/2024 -- 12:27:01 - <Info> -- Modified 0 rules.
19/11/2024 -- 12:27:01 - <Info> -- Dropped 0 rules.
19/11/2024 -- 12:27:02 - <Info> -- Enabled 136 rules for flowbit dependencies.
19/11/2024 -- 12:27:02 - <Info> -- Backing up current rules.
19/11/2024 -- 12:27:02 - <Info> -- Writing rules to /etc/suricata/rules/suricata.rules: total: 54361; enabled: 40645; added: 54361; removed 0; modified: 0
19/11/2024 -- 12:27:02 - <Info> -- Writing /etc/suricata/rules/classification.config
19/11/2024 -- 12:27:02 - <Info> -- Testing with suricata -T.
19/11/2024 -- 12:27:28 - <Info> -- Done.

# suricata-update -o /etc/suricata/rules

19/11/2024 -- 12:26:56 - <Info> -- Using data-directory /var/lib/suricata.

19/11/2024 -- 12:26:56 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml

19/11/2024 -- 12:26:56 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.

19/11/2024 -- 12:26:56 - <Info> -- Found Suricata version 6.0.10 at /usr/bin/suricata.

19/11/2024 -- 12:26:56 - <Info> -- Loading /etc/suricata/suricata.yaml

19/11/2024 -- 12:26:56 - <Info> -- Disabling rules for protocol http2

19/11/2024 -- 12:26:56 - <Info> -- Disabling rules for protocol modbus

19/11/2024 -- 12:26:56 - <Info> -- Disabling rules for protocol dnp3

19/11/2024 -- 12:26:56 - <Info> -- Disabling rules for protocol enip

19/11/2024 -- 12:26:56 - <Info> -- No sources configured, will use Emerging Threats Open

19/11/2024 -- 12:26:56 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.10/emerging.rules.tar.gz.

100% - 4599733/4599733

19/11/2024 -- 12:26:59 - <Info> -- Done.

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules

19/11/2024 -- 12:26:59 - <Info> -- Ignoring file rules/emerging-deleted.rules

19/11/2024 -- 12:27:01 - <Info> -- Loaded 54361 rules.

19/11/2024 -- 12:27:01 - <Info> -- Disabled 14 rules.

19/11/2024 -- 12:27:01 - <Info> -- Enabled 0 rules.

19/11/2024 -- 12:27:01 - <Info> -- Modified 0 rules.

19/11/2024 -- 12:27:01 - <Info> -- Dropped 0 rules.

19/11/2024 -- 12:27:02 - <Info> -- Enabled 136 rules for flowbit dependencies.

19/11/2024 -- 12:27:02 - <Info> -- Backing up current rules.

19/11/2024 -- 12:27:02 - <Info> -- Writing rules to /etc/suricata/rules/suricata.rules: total: 54361; enabled: 40645; added: 54361; removed 0; modified: 0

19/11/2024 -- 12:27:02 - <Info> -- Writing /etc/suricata/rules/classification.config

19/11/2024 -- 12:27:02 - <Info> -- Testing with suricata -T.

19/11/2024 -- 12:27:28 - <Info> -- Done.

suricata-updateが無料のEmerging Threats ET Open Rulesを取得し、Suricataの/etc/suricata/rules/suricata.rulesファイルに保存したことを示しています。また、処理されたルールの数を示し、この例では54361が追加され、そのうち40645が有効になりました。

➂ルール・セット・プロバイダーの追加
既定のプロバイダーリストを一覧表示

# suricata-update list-sources

Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT
Name: scwx/enhanced
  Vendor: Secureworks
  Summary: Secureworks suricata-enhanced ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
  Vendor: Secureworks
  Summary: Secureworks suricata-malware ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
  Vendor: Secureworks
  Summary: Secureworks suricata-security ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: abuse.ch/sslbl-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: CC0-1.0
  Replaces: sslbl/ssl-fp-blacklist
Name: abuse.ch/sslbl-ja3
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
  License: CC0-1.0
  Replaces: sslbl/ja3-fingerprints
Name: abuse.ch/sslbl-c2
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata Botnet C2 IP Ruleset
  License: CC0-1.0
Name: abuse.ch/feodotracker
  Vendor: Abuse.ch
  Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset
  License: CC0-1.0
Name: abuse.ch/urlhaus
  Vendor: abuse.ch
  Summary: Abuse.ch URLhaus Suricata Rules
  License: CC0-1.0
Name: etnetera/aggressive
  Vendor: Etnetera a.s.
  Summary: Etnetera aggressive IP blacklist
  License: MIT
Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3
Name: malsilo/win-malware
  Vendor: malsilo
  Summary: Commodity malware rules
  License: MIT
Name: stamus/lateral
  Vendor: Stamus Networks
  Summary: Lateral movement rules
  License: GPL-3.0-only
Name: stamus/nrd-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: pawpatrules
  Vendor: pawpatrules
  Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine
  License: CC-BY-SA-4.0
Name: ptrules/open
  Vendor: Positive Technologies
  Summary: Positive Technologies Open Ruleset
  License: Custom
Name: aleksibovellan/nmap
  Vendor: aleksibovellan
  Summary: Suricata IDS/IPS Detection Rules Against NMAP Scans
  License: MIT

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

# suricata-update list-sources

Name: et/open

Vendor: Proofpoint

Summary: Emerging Threats Open Ruleset

License: MIT

Name: et/pro

Vendor: Proofpoint

Summary: Emerging Threats Pro Ruleset

License: Commercial

Replaces: et/open

Parameters: secret-code

Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset

Name: oisf/trafficid

Vendor: OISF

Summary: Suricata Traffic ID ruleset

License: MIT

Name: scwx/enhanced

Vendor: Secureworks

Summary: Secureworks suricata-enhanced ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: scwx/malware

Vendor: Secureworks

Summary: Secureworks suricata-malware ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: scwx/security

Vendor: Secureworks

Summary: Secureworks suricata-security ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: abuse.ch/sslbl-blacklist

Vendor: Abuse.ch

Summary: Abuse.ch SSL Blacklist

License: CC0-1.0

Replaces: sslbl/ssl-fp-blacklist

Name: abuse.ch/sslbl-ja3

Vendor: Abuse.ch

Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset

License: CC0-1.0

Replaces: sslbl/ja3-fingerprints

Name: abuse.ch/sslbl-c2

Vendor: Abuse.ch

Summary: Abuse.ch Suricata Botnet C2 IP Ruleset

License: CC0-1.0

Name: abuse.ch/feodotracker

Vendor: Abuse.ch

Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset

License: CC0-1.0

Name: abuse.ch/urlhaus

Vendor: abuse.ch

Summary: Abuse.ch URLhaus Suricata Rules

License: CC0-1.0

Name: etnetera/aggressive

Vendor: Etnetera a.s.

Summary: Etnetera aggressive IP blacklist

License: MIT

Name: tgreen/hunting

Vendor: tgreen

Summary: Threat hunting rules

License: GPLv3

Name: malsilo/win-malware

Vendor: malsilo

Summary: Commodity malware rules

License: MIT

Name: stamus/lateral

Vendor: Stamus Networks

Summary: Lateral movement rules

License: GPL-3.0-only

Name: stamus/nrd-30-open

Vendor: Stamus Networks

Summary: Newly Registered Domains Open only - 30 day list, complete

License: Commercial

Parameters: secret-code