Debian13.1 : Suricata + Elastic Stackでログの可視化とモニタリング

Contents

前提条件
1台目サーバー　Suricata インストール

前提条件

今回はSuricata IDS と ElasticStack を次のサーバーにインストールします
・1台目サーバー　Suricata IDS & Filebeat　: Debian13.1 IPアドレス(192.168.11.83)
・2台目サーバー　ElasticStack & kibana　: Ubuntu24.04 IPアドレス(192.168.11.85)
root以外のsudoユーザーで実行する

1台目サーバー　Suricata インストール

SURICATA IDS/IPSはネットワーク上の通信を監視し、不審なトラフィックを検知するオープンソースのIDSです。基本的な仕組みはシグネチャ型であるため、あらかじめ設定した不正な通信を検知できます。また、Suricataは検知だけでなく防御も行えることが特徴です。

1.Suricata のインストール

①必須パッケージをインストール

# apt -y install wget curl dirmngr apt-transport-https gnupg2 ca-certificates lsb-release debian-archive-keyring unzip

1	# apt -y install wget curl dirmngr apt-transport-https gnupg2 ca-certificates lsb-release debian-archive-keyring unzip

➁Suricata のインストール

# apt update
# apt -y install suricata

1 2	# apt update # apt -y install suricata

バージョンの確認

# suricata -V
This is Suricata version 7.0.10 RELEASE

1 2	# suricata -V This is Suricata version 7.0.10 RELEASE

システムの再起動時に実行されるように suricata.service を有効にします

# systemctl enable suricata.service

Synchronizing state of suricata.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable suricata

# systemctl enable suricata.service

Synchronizing state of suricata.service with SysV service script with /lib/systemd/systemd-sysv-install.

Executing: /lib/systemd/systemd-sysv-install enable suricata

Suricataサービスを最初に構成する必要があるため、サービスを停止します。

# systemctl stop suricata.service

1	# systemctl stop suricata.service

2.Suricataを構成

①Suricataがネットワークパケットを検査するインターフェースとIPアドレスを決定

# ip --brief add
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens33            UP             192.168.11.83/24 fe80::20c:29ff:febf:c38f/64

# ip --brief add

lo UNKNOWN 127.0.0.1/8 ::1/128

ens33 UP 192.168.11.83/24 fe80::20c:29ff:febf:c38f/64

/etc/suricata/suricata.yamlファイル編集

# vi /etc/suricata/suricata.yaml
 
# 18行目 : 変更(自ネットワーク)
HOME_NET: "[192.168.11.0/24]"

# 136行目あたり : 変更
community-id: false　→　community-id: true

# 623行目あたり : 変更
af-packet:
  - interface: eth0
↓
af-packet:
  - interface: ens33 ←各自のインターフェース名に変更

# vi /etc/suricata/suricata.yaml

# 18行目 : 変更(自ネットワーク)

HOME_NET: "[192.168.11.0/24]"

# 136行目あたり : 変更

community-id: false　→　community-id: true

# 623行目あたり : 変更

af-packet:

- interface: eth0

↓

af-packet:

- interface: ens33 ←各自のインターフェース名に変更

➁ルールセットを追加
Suricata には suricata-update というツールがあり、外部プロバイダーからルールセットを取得することができます。以下のように実行すると、SURICATAサーバーの最新のルールセットをダウンロードできます

# suricata-update -o /var/lib/suricata/rules

12/10/2025 -- 12:50:54 - <Info> -- Using data-directory /var/lib/suricata.
12/10/2025 -- 12:50:54 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
12/10/2025 -- 12:50:54 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
12/10/2025 -- 12:50:54 - <Info> -- Found Suricata version 7.0.10 at /usr/bin/suricata.
12/10/2025 -- 12:50:54 - <Info> -- Loading /etc/suricata/suricata.yaml
12/10/2025 -- 12:50:54 - <Info> -- Disabling rules for protocol pgsql
12/10/2025 -- 12:50:54 - <Info> -- Disabling rules for protocol modbus
12/10/2025 -- 12:50:54 - <Info> -- Disabling rules for protocol dnp3
12/10/2025 -- 12:50:54 - <Info> -- Disabling rules for protocol enip
12/10/2025 -- 12:50:54 - <Warning> -- No index exists, will use bundled index.
12/10/2025 -- 12:50:54 - <Warning> -- Please run suricata-update update-sources.
12/10/2025 -- 12:50:54 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-7.0.10/emerging.rules.tar.gz.md5.
12/10/2025 -- 12:50:55 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-7.0.10/emerging.rules.tar.gz.
 100% - 5114492/5114492
12/10/2025 -- 12:50:57 - <Info> -- Done.
12/10/2025 -- 12:50:58 - <Info> -- Fetching https://github.com/travisbgreen/hunting-rules/raw/master/hunting.rules.tar.gz.
 100% - 12698/12698
12/10/2025 -- 12:50:58 - <Info> -- Done.
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/http2-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/mqtt-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/quic-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/rfb-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/ssh-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
12/10/2025 -- 12:50:58 - <Info> -- Ignoring file f625293e2432dbf07497d06349de6f0b/rules/emerging-deleted.rules
12/10/2025 -- 12:50:59 - <Info> -- Loaded 61848 rules.
12/10/2025 -- 12:51:00 - <Info> -- Disabled 13 rules.
12/10/2025 -- 12:51:00 - <Info> -- Enabled 0 rules.
12/10/2025 -- 12:51:00 - <Info> -- Modified 0 rules.
12/10/2025 -- 12:51:00 - <Info> -- Dropped 0 rules.
12/10/2025 -- 12:51:00 - <Info> -- Enabled 136 rules for flowbit dependencies.
12/10/2025 -- 12:51:00 - <Info> -- Backing up current rules.
12/10/2025 -- 12:51:00 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 61848; enabled: 46019; added: 61848; removed 0; modified: 0
12/10/2025 -- 12:51:00 - <Info> -- Writing /var/lib/suricata/rules/classification.config
12/10/2025 -- 12:51:00 - <Info> -- Testing with suricata -T.
12/10/2025 -- 12:51:28 - <Info> -- Done.

# suricata-update -o /var/lib/suricata/rules

12/10/2025 -- 12:50:54 - <Info> -- Using data-directory /var/lib/suricata.

12/10/2025 -- 12:50:54 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml

12/10/2025 -- 12:50:54 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.

12/10/2025 -- 12:50:54 - <Info> -- Found Suricata version 7.0.10 at /usr/bin/suricata.

12/10/2025 -- 12:50:54 - <Info> -- Loading /etc/suricata/suricata.yaml

12/10/2025 -- 12:50:54 - <Info> -- Disabling rules for protocol pgsql

12/10/2025 -- 12:50:54 - <Info> -- Disabling rules for protocol modbus

12/10/2025 -- 12:50:54 - <Info> -- Disabling rules for protocol dnp3

12/10/2025 -- 12:50:54 - <Info> -- Disabling rules for protocol enip

12/10/2025 -- 12:50:54 - <Warning> -- No index exists, will use bundled index.

12/10/2025 -- 12:50:54 - <Warning> -- Please run suricata-update update-sources.

12/10/2025 -- 12:50:54 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-7.0.10/emerging.rules.tar.gz.md5.

12/10/2025 -- 12:50:55 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-7.0.10/emerging.rules.tar.gz.

100% - 5114492/5114492

12/10/2025 -- 12:50:57 - <Info> -- Done.

12/10/2025 -- 12:50:58 - <Info> -- Fetching https://github.com/travisbgreen/hunting-rules/raw/master/hunting.rules.tar.gz.

100% - 12698/12698

12/10/2025 -- 12:50:58 - <Info> -- Done.

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/http2-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/mqtt-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/quic-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/rfb-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/ssh-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules

12/10/2025 -- 12:50:58 - <Info> -- Ignoring file f625293e2432dbf07497d06349de6f0b/rules/emerging-deleted.rules

12/10/2025 -- 12:50:59 - <Info> -- Loaded 61848 rules.

12/10/2025 -- 12:51:00 - <Info> -- Disabled 13 rules.

12/10/2025 -- 12:51:00 - <Info> -- Enabled 0 rules.

12/10/2025 -- 12:51:00 - <Info> -- Modified 0 rules.

12/10/2025 -- 12:51:00 - <Info> -- Dropped 0 rules.

12/10/2025 -- 12:51:00 - <Info> -- Enabled 136 rules for flowbit dependencies.

12/10/2025 -- 12:51:00 - <Info> -- Backing up current rules.

12/10/2025 -- 12:51:00 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 61848; enabled: 46019; added: 61848; removed 0; modified: 0

12/10/2025 -- 12:51:00 - <Info> -- Writing /var/lib/suricata/rules/classification.config

12/10/2025 -- 12:51:00 - <Info> -- Testing with suricata -T.

12/10/2025 -- 12:51:28 - <Info> -- Done.

suricata-updateが無料のEmerging Threats ET Open Rulesを取得し、Suricataの/etc/suricata/rules/suricata.rulesファイルに保存したことを示しています。また、処理されたルールの数を示し、この例では61848が追加され、そのうち46019が有効になりました。

➂ルール・セット・プロバイダーの追加
既定のプロバイダーリストを一覧表示

# suricata-update list-sources

Name: abuse.ch/feodotracker
  Vendor: Abuse.ch
  Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset
  License: CC0-1.0
Name: abuse.ch/sslbl-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: CC0-1.0
  Replaces: sslbl/ssl-fp-blacklist
Name: abuse.ch/sslbl-c2
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata Botnet C2 IP Ruleset
  License: CC0-1.0
Name: abuse.ch/sslbl-ja3
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
  License: CC0-1.0
  Replaces: sslbl/ja3-fingerprints
Name: abuse.ch/urlhaus
  Vendor: abuse.ch
  Summary: Abuse.ch URLhaus Suricata Rules
  License: CC0-1.0
Name: aleksibovellan/nmap
  Vendor: aleksibovellan
  Summary: Suricata IDS/IPS Detection Rules Against NMAP Scans
  License: MIT
Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: etnetera/aggressive
  Vendor: Etnetera a.s.
  Summary: Etnetera aggressive IP blacklist
  License: MIT
Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT
Name: pawpatrules
  Vendor: pawpatrules
  Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine
  License: CC-BY-SA-4.0
Name: ptrules/open
  Vendor: Positive Technologies
  Summary: Positive Technologies Open Ruleset
  License: Custom
Name: scwx/enhanced
  Vendor: Secureworks
  Summary: Secureworks suricata-enhanced ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
  Vendor: Secureworks
  Summary: Secureworks suricata-malware ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
  Vendor: Secureworks
  Summary: Secureworks suricata-security ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: stamus/lateral
  Vendor: Stamus Networks
  Summary: Lateral movement rules
  License: GPL-3.0-only
Name: stamus/nrd-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

# suricata-update list-sources

Name: abuse.ch/feodotracker

Vendor: Abuse.ch

Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset

License: CC0-1.0

Name: abuse.ch/sslbl-blacklist

Vendor: Abuse.ch

Summary: Abuse.ch SSL Blacklist

License: CC0-1.0

Replaces: sslbl/ssl-fp-blacklist

Name: abuse.ch/sslbl-c2

Vendor: Abuse.ch

Summary: Abuse.ch Suricata Botnet C2 IP Ruleset

License: CC0-1.0

Name: abuse.ch/sslbl-ja3

Vendor: Abuse.ch

Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset

License: CC0-1.0

Replaces: sslbl/ja3-fingerprints

Name: abuse.ch/urlhaus

Vendor: abuse.ch

Summary: Abuse.ch URLhaus Suricata Rules

License: CC0-1.0

Name: aleksibovellan/nmap

Vendor: aleksibovellan

Summary: Suricata IDS/IPS Detection Rules Against NMAP Scans

License: MIT

Name: et/open

Vendor: Proofpoint

Summary: Emerging Threats Open Ruleset

License: MIT

Name: et/pro

Vendor: Proofpoint

Summary: Emerging Threats Pro Ruleset

License: Commercial

Replaces: et/open

Parameters: secret-code

Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset

Name: etnetera/aggressive

Vendor: Etnetera a.s.

Summary: Etnetera aggressive IP blacklist

License: MIT

Name: oisf/trafficid

Vendor: OISF

Summary: Suricata Traffic ID ruleset

License: MIT

Name: pawpatrules

Vendor: pawpatrules

Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine

License: CC-BY-SA-4.0

Name: ptrules/open

Vendor: Positive Technologies

Summary: Positive Technologies Open Ruleset

License: Custom

Name: scwx/enhanced

Vendor: Secureworks

Summary: Secureworks suricata-enhanced ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: scwx/malware

Vendor: Secureworks

Summary: Secureworks suricata-malware ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: scwx/security

Vendor: Secureworks

Summary: Secureworks suricata-security ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: stamus/lateral

Vendor: Stamus Networks

Summary: Lateral movement rules

License: GPL-3.0-only

Name: stamus/nrd-14-open

Vendor: Stamus Networks

Summary: Newly Registered Domains Open only - 14 day list, complete

License: Commercial

Parameters: secret-code