Debian12.5 ; Suricata + Elastic Stackでログの可視化とモニタリング

Contents

前提条件
1台目サーバー　Suricata インストール
ELK StackとSURICATAの統合
Filebeat インストールと設定
- 1. Filebeat インストール
Kibanaで確認

前提条件

今回はSuricata IDS と ElasticStack を次のサーバーにインストールします
・1台目サーバー　Suricata IDS & Filebeat　: Debian12.5 IPアドレス(192.168.11.83)
・2台目サーバー　ElasticStack & kibana　: Ubunru22.04 IPアドレス(192.168.11.100)
root以外のsudoユーザーで実行する

1台目サーバー　Suricata インストール

SURICATA IDS/IPSはネットワーク上の通信を監視し、不審なトラフィックを検知するオープンソースのIDSです。基本的な仕組みはシグネチャ型であるため、あらかじめ設定した不正な通信を検知できます。また、Suricataは検知だけでなく防御も行えることが特徴です。

1.Suricata のインストール

①必須パッケージをインストール

# apt install wget curl software-properties-common dirmngr apt-transport-https gnupg2 ca-certificates lsb-release debian-archive-keyring unzip -y

1	# apt install wget curl software-properties-common dirmngr apt-transport-https gnupg2 ca-certificates lsb-release debian-archive-keyring unzip -y

➁Suricata のインストール

# apt update
# apt install suricata

1 2	# apt update # apt install suricata

バージョンの確認

# suricata -V
This is Suricata version 6.0.10 RELEASE

1 2	# suricata -V This is Suricata version 6.0.10 RELEASE

Suricataサービスを最初に構成する必要があるため、サービスを停止します。

# systemctl stop suricata

1	# systemctl stop suricata

2.Suricataを構成

①Suricataがネットワークパケットを検査するインターフェースとIPアドレスを決定

# ip --brief add
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens33            UP             192.168.11.83/24 fe80::20c:29ff:fef9:86e2/64

# ip --brief add

lo UNKNOWN 127.0.0.1/8 ::1/128

ens33 UP 192.168.11.83/24 fe80::20c:29ff:fef9:86e2/64

/etc/suricata/suricata.yamlファイル編集

# vi /etc/suricata/suricata.yaml
 
# 132行目 : 変更
community-id: false　→　community-id: true
# 589行目 : 変更
af-packet:
  - interface: eth0
↓
af-packet:
  - interface: ens33 ←各自のインターフェース名に変更

# vi /etc/suricata/suricata.yaml

# 132行目 : 変更

community-id: false　→　community-id: true

# 589行目 : 変更

af-packet:

- interface: eth0

↓

af-packet:

- interface: ens33 ←各自のインターフェース名に変更

➁ルールセットを追加

# suricata-update -o /etc/suricata/rules

13/2/2024 -- 14:27:58 - <Info> -- Using data-directory /var/lib/suricata.
13/2/2024 -- 14:27:58 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
13/2/2024 -- 14:27:58 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
13/2/2024 -- 14:27:58 - <Info> -- Found Suricata version 6.0.10 at /usr/bin/suricata.
13/2/2024 -- 14:27:58 - <Info> -- Loading /etc/suricata/suricata.yaml
13/2/2024 -- 14:27:58 - <Info> -- Disabling rules for protocol http2
13/2/2024 -- 14:27:58 - <Info> -- Disabling rules for protocol modbus
13/2/2024 -- 14:27:58 - <Info> -- Disabling rules for protocol dnp3
13/2/2024 -- 14:27:58 - <Info> -- Disabling rules for protocol enip
13/2/2024 -- 14:27:58 - <Info> -- No sources configured, will use Emerging Threats Open
13/2/2024 -- 14:27:58 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.10/emerging.rules.tar.gz.
 100% - 4232677/4232677
13/2/2024 -- 14:28:00 - <Info> -- Done.
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
13/2/2024 -- 14:28:01 - <Info> -- Ignoring file rules/emerging-deleted.rules
13/2/2024 -- 14:28:02 - <Info> -- Loaded 47405 rules.
13/2/2024 -- 14:28:02 - <Info> -- Disabled 14 rules.
13/2/2024 -- 14:28:02 - <Info> -- Enabled 0 rules.
13/2/2024 -- 14:28:02 - <Info> -- Modified 0 rules.
13/2/2024 -- 14:28:02 - <Info> -- Dropped 0 rules.
13/2/2024 -- 14:28:03 - <Info> -- Enabled 134 rules for flowbit dependencies.
13/2/2024 -- 14:28:03 - <Info> -- Backing up current rules.
13/2/2024 -- 14:28:03 - <Info> -- Writing rules to /etc/suricata/rules/suricata.rules: total: 47405; enabled: 36599; added: 47405; removed 0; modified: 0
13/2/2024 -- 14:28:03 - <Info> -- Writing /etc/suricata/rules/classification.config
13/2/2024 -- 14:28:03 - <Info> -- Testing with suricata -T.
13/2/2024 -- 14:28:25 - <Info> -- Done.

# suricata-update -o /etc/suricata/rules

13/2/2024 -- 14:27:58 - <Info> -- Using data-directory /var/lib/suricata.

13/2/2024 -- 14:27:58 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml

13/2/2024 -- 14:27:58 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.

13/2/2024 -- 14:27:58 - <Info> -- Found Suricata version 6.0.10 at /usr/bin/suricata.

13/2/2024 -- 14:27:58 - <Info> -- Loading /etc/suricata/suricata.yaml

13/2/2024 -- 14:27:58 - <Info> -- Disabling rules for protocol http2

13/2/2024 -- 14:27:58 - <Info> -- Disabling rules for protocol modbus

13/2/2024 -- 14:27:58 - <Info> -- Disabling rules for protocol dnp3

13/2/2024 -- 14:27:58 - <Info> -- Disabling rules for protocol enip

13/2/2024 -- 14:27:58 - <Info> -- No sources configured, will use Emerging Threats Open

13/2/2024 -- 14:27:58 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.10/emerging.rules.tar.gz.

100% - 4232677/4232677

13/2/2024 -- 14:28:00 - <Info> -- Done.

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules

13/2/2024 -- 14:28:01 - <Info> -- Ignoring file rules/emerging-deleted.rules

13/2/2024 -- 14:28:02 - <Info> -- Loaded 47405 rules.

13/2/2024 -- 14:28:02 - <Info> -- Disabled 14 rules.

13/2/2024 -- 14:28:02 - <Info> -- Enabled 0 rules.

13/2/2024 -- 14:28:02 - <Info> -- Modified 0 rules.

13/2/2024 -- 14:28:02 - <Info> -- Dropped 0 rules.

13/2/2024 -- 14:28:03 - <Info> -- Enabled 134 rules for flowbit dependencies.

13/2/2024 -- 14:28:03 - <Info> -- Backing up current rules.

13/2/2024 -- 14:28:03 - <Info> -- Writing rules to /etc/suricata/rules/suricata.rules: total: 47405; enabled: 36599; added: 47405; removed 0; modified: 0

13/2/2024 -- 14:28:03 - <Info> -- Writing /etc/suricata/rules/classification.config

13/2/2024 -- 14:28:03 - <Info> -- Testing with suricata -T.

13/2/2024 -- 14:28:25 - <Info> -- Done.

suricata-updateが無料のEmerging Threats ET Open Rulesを取得し、Suricataの/etc/suricata/rules/suricata.rulesファイルに保存したことを示しています。また、処理されたルールの数を示し、この例では47405が追加され、そのうち36599が有効になりました。

➂ルール・セット・プロバイダーの追加
既定のプロバイダーリストを一覧表示

# suricata-update list-sources

Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT
Name: scwx/enhanced
  Vendor: Secureworks
  Summary: Secureworks suricata-enhanced ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
  Vendor: Secureworks
  Summary: Secureworks suricata-malware ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
  Vendor: Secureworks
  Summary: Secureworks suricata-security ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: sslbl/ssl-fp-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: Non-Commercial
Name: sslbl/ja3-fingerprints
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
  License: Non-Commercial
Name: etnetera/aggressive
  Vendor: Etnetera a.s.
  Summary: Etnetera aggressive IP blacklist
  License: MIT
Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3
Name: malsilo/win-malware
  Vendor: malsilo
  Summary: Commodity malware rules
  License: MIT
Name: stamus/lateral
  Vendor: Stamus Networks
  Summary: Lateral movement rules
  License: GPL-3.0-only
Name: stamus/nrd-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed

# suricata-update list-sources

Name: et/open

Vendor: Proofpoint

Summary: Emerging Threats Open Ruleset

License: MIT

Name: et/pro

Vendor: Proofpoint

Summary: Emerging Threats Pro Ruleset

License: Commercial

Replaces: et/open

Parameters: secret-code

Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset

Name: oisf/trafficid

Vendor: OISF

Summary: Suricata Traffic ID ruleset

License: MIT

Name: scwx/enhanced

Vendor: Secureworks

Summary: Secureworks suricata-enhanced ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: scwx/malware

Vendor: Secureworks

Summary: Secureworks suricata-malware ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: scwx/security

Vendor: Secureworks

Summary: Secureworks suricata-security ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: sslbl/ssl-fp-blacklist

Vendor: Abuse.ch

Summary: Abuse.ch SSL Blacklist

License: Non-Commercial

Name: sslbl/ja3-fingerprints

Vendor: Abuse.ch

Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset

License: Non-Commercial

Name: etnetera/aggressive

Vendor: Etnetera a.s.

Summary: Etnetera aggressive IP blacklist

License: MIT

Name: tgreen/hunting

Vendor: tgreen

Summary: Threat hunting rules

License: GPLv3

Name: malsilo/win-malware

Vendor: malsilo

Summary: Commodity malware rules

License: MIT

Name: stamus/lateral

Vendor: Stamus Networks

Summary: Lateral movement rules

License: GPL-3.0-only

Name: stamus/nrd-30-open

Vendor: Stamus Networks

Summary: Newly Registered Domains Open only - 30 day list, complete

License: Commercial

Parameters: secret-code