Debian12.8 ; Suricata + Elastic Stack + Kibana

Prerequisite.

We will install Suricata IDS and ElasticStack anad Kibana on the following servers
・1st server Suricata IDS & Filebeat : Debian12.8 IP address (192.168.11.83)
・2nd server ElasticStack & kibana : Ubunru24.04 IP address(192.168.11.200)

 1st server Suricata Install

SURICATA IDS/IPS is an open source IDS that monitors communications on the network and detects suspicious traffic. Its basic mechanism is signature-based, so it can detect predefined unauthorized communications. Suricata is also characterized by its ability to provide protection as well as detection.

1.Suricata Install

Install required packages

Suricata install

Check Version

Stop the Suricata service as it needs to be configured first.

2.Configure Suricata

Determine interface and IP address where Suricata will inspect network packets

Edit /etc/suricata/suricata.yaml file

Add rule set

Indicates that suricata-update has retrieved the free Emerging Threats ET Open Rules and saved it to Suricata's /etc/suricata/rules/suricata.rules file.
It also shows the number of rules processed, in this example 54361 were added, of which 40645 were activated.

➂Adding Rule Set Providers
List Default Providers

If you include the tgreen/hunting ruleset as an example

Perform update

3.Suricata Configuration Testing

Run Verification Tool

Suricata service restart

Check log files

4.Testing the Suricata Rule

Test ET Open rule number 2100498 using the following command

Check the log file using the specified rule number

 ③Check events in /var/log/suricata/eve.log

Install jq

Filter EVE Log events by searching for 2100498 signatures
Display alert objects with signature_id keys that match the values in 2100498

④Creating and Applying Custom Rules
Create the following custom signature to scan SSH traffic to non-SSH ports and include it in the file /etc/suricata/rules/local.rules (IPv4 only this time)

Editing suricata.yaml

Verify SURICATA settings

Edit the custom signature you just created and convert it to use the drop action.

Reconfigure SURICATA and reboot in IPS mode

Reload systemd to detect new Suricata settings

⑥Add the necessary rules for suricata to the UFW
Directly edit the firewall files in /etc/ufw/before.rules and /etc/ufw/before6.rules

Similarly, change /etc/ufw/before6.rules

Restart UFW

Ensure that packets matching the aforementioned signature sid:2100498 are dropped

Reload signatures

Test this rule using curl

Checking eve.log using jq, "action" is set to "blocked

Integration of ELK Stack and SURICATA

Install & configure Elastic Stack to visualize & search SURICATA logs
This section is basically done on a second Ubuntu24.04 server

1. Elasticsearch Install

1.1 Download and install a public signature key

1.2 Save repository definition in /etc/apt/sources.list.d/elastic-8.x.list

1.3 Install Elasticsearch package

2.  Elasticsearch Configuration

2.1 Edit Elasticsearch configuration file

Save the file

2.2 9200/tcp Open hort

2.3 Enable and check Elasticsearch service

Elasticsearch version 8.16.0 is running

2.4 Edit the Elasticsearch configuration file again

Save the file and restart elasticsearch.service

2.4 Create passwords for elastic and kibana_system
Be sure to copy the passwords for the elastic and kibana_system users as they will be used later.
The kibana_system user is used to configure Kibana
The elastic user is used to configure Filebeat and login to Kibana

Create password for [elastic] user

Create password for [kibana_system]user

3. Configure Kibana

Kibana is installed after Elasticsearch is installed.
Install Kibana on the same machine as Elasticsearch

3.1 Kibana Install

3.2 Create xpack.security settings and encryption key
Make a copy of the encryption key

Add encryption key to kibana.yml configuration file

3.3 Other kibana.yml configuration file editing

file save

3.4 Kibana service launched

Check the status of Kibana.service

3.5 http,https port open

4. Confirmation of Kibana web page launch

Access your web browser and verify that Kibana is running properly.
Try accessing Kibana by typing "http://192.168.11.200:5601". However, keep port 5601 open.

Log in with elastic as Username and password created for elastic.

Select "Add integrations" and press Enter

Create a new user account so that you do not have to use the elastic superuser account.
Click on the three-line symbol in the upper left corner and select Stack Management.

「security」「Users」

Click on the “Create user” button in the upper right corner

Enter new user information and assign the roles kibana_admin, kibana_system, monitoring_user, and editor in Privileges

Log out of the current profile and confirm that you can log in with the newly created user account.
Currently, we do not have Filebeat configured on the SURICATA host, so we do not have any data that can be displayed by Kibana.

Filebeat Installation and Configuration

This work will be done on the first Debian 12.8 server with Suricata installed

1. Filebeat Install

1.1 Download Public Signature Key

1.2 Save repository definition in /etc/apt/sources.list.d/elastic-8.x.list

1.3 Install Filebeat

1.4 Configure Filebeat to connect to Elasticsearch and Kibana

Enable Filebeat's Suricata module, but import the Suricata module from the .yml file, as Elasticsearch 8.x has a bug in importing modules

Next, force the SURICATA module to run

1.5 Set up initial environment
Load SIEM dashboard and pipeline into Elasticsearch
Run the filebeat setup command
Make sure suricata-eve-* is listed