Debian 12.5: Suricata + Elastic Stack

Prerequisites

We will install Suricata IDS and the Elastic Stack on the following two servers:
・1st server, Suricata IDS & Filebeat: Debian 12.5, IP address 192.168.11.83
・2nd server, Elastic Stack & Kibana: Ubuntu 22.04, IP address 192.168.11.100

1st server: Suricata Install

Suricata is an open-source IDS/IPS that monitors traffic on the network and detects suspicious communications. Its basic mechanism is signature-based: it detects traffic that matches predefined rules describing unauthorized communication. Suricata is also characterized by its ability to provide protection (blocking, in IPS mode) as well as detection.

1. Suricata Install

① Install the required packages

② Install Suricata

Check the version

Stop the Suricata service, since it needs to be configured before it runs.

2. Configure Suricata

① Determine the interface and the IP address range on which Suricata will inspect network packets

Edit the /etc/suricata/suricata.yaml file
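The two settings that step ① is about are HOME_NET (the address range Suricata treats as "inside") and the capture interface in the af-packet section. The following is an added example, not a command from the page: a small shell function that makes both edits on a given copy of suricata.yaml. It assumes the monitored subnet is 192.168.11.0/24 (the page's servers live there) and that the capture interface is called enp0s3, which is a placeholder; check `ip -br link` on the sensor for the real name. The file path is a parameter so the edit can be tried on a copy before /etc/suricata/suricata.yaml is touched.

```shell
#!/bin/sh
# Added example (not from the page): set HOME_NET and the capture interface
# in suricata.yaml. Assumptions: subnet 192.168.11.0/24, interface "enp0s3"
# (placeholder). FILE is a parameter so this can be tried on a copy first.
set -eu

# configure_suricata_yaml FILE SUBNET IFACE
configure_suricata_yaml() {
    file=$1; subnet=$2; iface=$3
    cp "$file" "$file.bak"   # keep the distro default for comparison
    # Stock line: '    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"'
    sed -i "s|^\([[:space:]]*HOME_NET:\).*|\1 \"[$subnet]\"|" "$file"
    # Stock file lists the capture interface as '  - interface: eth0'
    sed -i "s|^\([[:space:]]*- interface:\) eth0\$|\1 $iface|" "$file"
}

# show_capture_settings FILE: print the lines that matter, for a quick check
show_capture_settings() {
    grep -E '^[[:space:]]*(HOME_NET:|- interface:)' "$1"
}

# Demo on a constructed excerpt of the stock suricata.yaml, in a temp file
demo=$(mktemp)
cat > "$demo" <<'EOF'
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
af-packet:
  - interface: eth0
    cluster-id: 99
EOF
configure_suricata_yaml "$demo" 192.168.11.0/24 enp0s3
show_capture_settings "$demo"
rm -f "$demo" "$demo.bak"
```

On the sensor, run the function against /etc/suricata/suricata.yaml and then validate with `suricata -T -c /etc/suricata/suricata.yaml -v` before starting the service; a HOME_NET that does not contain the sensor's own address (192.168.11.83) makes rules written with `$HOME_NET` silently miss local traffic.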

② Add a rule set

The output shows that suricata-update has fetched the free Emerging Threats (ET Open) ruleset and saved it to Suricata's /etc/suricata/rules/suricata.rules file.
It also reports the number of rules processed: in this example 47405 rules were added, of which 36599 were enabled.

③ Adding rule set providers
List the default providers

As an example, enable the tgreen/hunting ruleset

Run the update

3. Suricata Configuration Testing

① Run the verification tool

Restart the Suricata service

Check the log files

4. Testing the Suricata Rules

① Test ET Open rule number 2100498 using the following command

② Check the log file for the specified rule number

③ Check the events in /var/log/suricata/eve.log

Install jq

Filter the EVE log events for signature 2100498:
display the alert objects whose signature_id key has the value 2100498

④ Creating and applying custom rules
Create the following custom signature, which detects SSH traffic to non-SSH ports, and put it in the file /etc/suricata/rules/local.rules (IPv4 only this time)

Edit suricata.yaml so that it loads local.rules

Verify the Suricata settings

Edit the custom signature you just created and change its action to drop.
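Step ④ is a three-part procedure: write the signature, register local.rules in suricata.yaml, and later flip the action from alert to drop. The block below is an added example and not the page's own rule or commands: the rule text, its message and the sid 1000001 are my own (sids from 1000000 upward are reserved for local rules), and the file paths are parameters so the functions can be exercised in a scratch directory. It assumes local.rules lives in the directory named by default-rule-path, because entries under rule-files are resolved relative to it.

```shell
#!/bin/sh
# Added example (not from the page): write the custom SSH-on-non-SSH-port
# signature, register local.rules in suricata.yaml, and convert alert -> drop.
# The rule, msg and sid 1000001 are constructed; paths are parameters.
set -eu

# write_local_rules FILE: one signature matching SSH application-layer traffic
# sent to any destination port other than 22
write_local_rules() {
    cat > "$1" <<'EOF'
# local.rules: site-specific signatures (constructed example)
alert ssh any any -> any !22 (msg:"LOCAL SSH traffic on non-SSH port"; flow:to_server; classtype:misc-activity; sid:1000001; rev:1;)
EOF
}

# enable_local_rules YAML: add "  - local.rules" under "rule-files:" exactly once
enable_local_rules() {
    yaml=$1
    if grep -q '^[[:space:]]*- local.rules$' "$yaml"; then
        return 0          # already registered; keep the edit idempotent
    fi
    awk '{ print } /^rule-files:/ { print "  - local.rules" }' "$yaml" > "$yaml.tmp"
    mv "$yaml.tmp" "$yaml"
}

# rules_to_drop FILE: turn every alert signature in FILE into a drop signature
rules_to_drop() {
    sed -i 's/^alert /drop /' "$1"
}

# count_rules FILE ACTION: number of enabled signatures whose action is ACTION
count_rules() {
    grep -c "^$2 " "$1" || true
}

# Demo in a scratch directory with a constructed suricata.yaml excerpt
dir=$(mktemp -d)
write_local_rules "$dir/local.rules"
printf 'default-rule-path: /etc/suricata/rules\nrule-files:\n  - suricata.rules\n' > "$dir/suricata.yaml"
enable_local_rules "$dir/suricata.yaml"
enable_local_rules "$dir/suricata.yaml"    # second call must not duplicate the entry
echo "alert rules: $(count_rules "$dir/local.rules" alert)"
rules_to_drop "$dir/local.rules"
echo "drop rules:  $(count_rules "$dir/local.rules" drop)"
cat "$dir/suricata.yaml"
rm -rf "$dir"
```

After each change on the sensor, validate with `suricata -T -c /etc/suricata/suricata.yaml -v` and then reload the rules (`suricatasc -c ruleset-reload-rules`) or restart the service. Note that a drop action only takes effect once Suricata runs inline in IPS mode; in af-packet IDS mode the rule still logs with action "allowed".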

⑤ Reconfigure Suricata and restart it in IPS mode

Reload systemd so that it picks up the new Suricata settings

⑥ Add the rules Suricata needs to UFW
Edit the firewall files /etc/ufw/before.rules and /etc/ufw/before6.rules

Make the same change to /etc/ufw/before6.rules

UFW restart
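For step ⑥ the edit to before.rules consists of NFQUEUE rules that hand packets to the queue Suricata listens on in IPS mode. The following is an added example, not the page's own firewall file: a function that inserts those rules before the marker line "# End required lines" that the stock ufw files contain. It assumes Suricata is started with `-q 0` (queue number 0) and that SSH on port 22 is the administrative path that must keep working if Suricata stops; `--queue-bypass` lets those packets through when nothing is listening on the queue, while all other traffic fails closed. Because iptables `-I` inserts at the top of a chain, the rules are emitted generic-first so that the SSH bypass rules end up being evaluated first.

```shell
#!/bin/sh
# Added example (not from the page): insert NFQUEUE rules into a ufw
# before.rules / before6.rules file for Suricata IPS mode.
# Assumptions: Suricata runs with "-q 0"; the file has the stock marker
# "# End required lines"; SSH (tcp/22) must survive a Suricata outage.
set -eu

# add_nfqueue_rules FILE QUEUE: idempotently insert the rules before the marker
add_nfqueue_rules() {
    file=$1; queue=$2
    if grep -q 'NFQUEUE' "$file"; then
        echo "NFQUEUE rules already present in $file" >&2
        return 0
    fi
    cp "$file" "$file.bak"
    # "-I" inserts at position 1, so the LAST line here is evaluated FIRST:
    # generic rules go first in the file, SSH bypass rules last.
    awk -v q="$queue" '
        /^# End required lines/ {
            print "# Suricata IPS: send traffic to nfqueue " q " (added)"
            print "-I FORWARD -j NFQUEUE --queue-num " q
            print "-I INPUT -j NFQUEUE --queue-num " q
            print "-I OUTPUT -j NFQUEUE --queue-num " q
            print "-I INPUT -p tcp --dport 22 -j NFQUEUE --queue-num " q " --queue-bypass"
            print "-I OUTPUT -p tcp --sport 22 -j NFQUEUE --queue-num " q " --queue-bypass"
        }
        { print }
    ' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# count_nfqueue_rules FILE: how many NFQUEUE rules the file now carries
count_nfqueue_rules() {
    grep -c 'NFQUEUE' "$1" || true
}

# Demo on a constructed excerpt of the stock before.rules, in a temp file
demo=$(mktemp)
cat > "$demo" <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
-A ufw-before-input -i lo -j ACCEPT
COMMIT
EOF
add_nfqueue_rules "$demo" 0
add_nfqueue_rules "$demo" 0      # second run is a no-op
echo "NFQUEUE rules: $(count_nfqueue_rules "$demo")"
cat "$demo"
rm -f "$demo" "$demo.bak"
```

Run the function on both /etc/ufw/before.rules and /etc/ufw/before6.rules, then `ufw reload`. Before relying on it, confirm the ordering with `iptables -L INPUT -n --line-numbers`: the two `--queue-bypass` rules must sit above the plain NFQUEUE rule, otherwise an SSH session is cut off the moment Suricata is stopped or crashes.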

Make sure that packets matching the signature sid:2100498 mentioned above are dropped

Reload the signatures

Test this rule using curl

When eve.log is checked with jq, "action" is now set to "blocked"
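The two jq checks on this page (step ③ above, which lists alert objects with signature_id 2100498, and the check here that the same alerts now carry action "blocked") are the same query with a different field inspected. The block below is an added example, not the page's own commands: it implements that filter with grep only, so it also works on a sensor where jq is not installed, and counts the alerts for one sid by action. The EVE log lines it runs on are constructed; with jq available the equivalent query is `jq 'select(.event_type=="alert" and .alert.signature_id==2100498)' /var/log/suricata/eve.json`.

```shell
#!/bin/sh
# Added example (not from the page): pull the alert records for one signature
# out of Suricata's EVE JSON log and count them by action. The sample log
# lines are constructed; the file name eve.json is Suricata's default.
set -eu

# eve_alerts_by_sid FILE SID: print alert events whose alert.signature_id is SID
eve_alerts_by_sid() {
    grep -E '"event_type": ?"alert"' "$1" | grep -E "\"signature_id\": ?$2([,}]|\$)" || true
}

# eve_count_by_action FILE SID ACTION: number of those alerts with ACTION
# (Suricata uses "allowed" in IDS mode and "blocked" for drops in IPS mode)
eve_count_by_action() {
    eve_alerts_by_sid "$1" "$2" | grep -cE "\"action\": ?\"$3\"" || true
}

# Demo on a constructed eve.json: two alerts for sid 2100498 (one from IDS
# mode, one after the switch to IPS mode), one flow record, one other alert
log=$(mktemp)
cat > "$log" <<'EOF'
{"timestamp":"2024-03-01T10:00:00.000000+0900","flow_id":1,"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.168.11.83","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-03-01T10:00:01.000000+0900","flow_id":2,"event_type":"flow","src_ip":"192.168.11.83","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2024-03-01T10:05:00.000000+0900","flow_id":3,"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.168.11.83","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-03-01T10:06:00.000000+0900","flow_id":4,"event_type":"alert","src_ip":"192.168.11.83","dest_ip":"203.0.113.10","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL SSH traffic on non-SSH port","category":"Misc activity","severity":3}}
EOF
echo "alerts for sid 2100498:"
eve_alerts_by_sid "$log" 2100498
echo "allowed: $(eve_count_by_action "$log" 2100498 allowed)  blocked: $(eve_count_by_action "$log" 2100498 blocked)"
rm -f "$log"
```

On the sensor, point the functions at /var/log/suricata/eve.json (or whatever filename is configured under outputs in suricata.yaml). A non-zero "blocked" count after the switch to IPS mode is the evidence the page is looking for; if the count stays at "allowed", the signature is still an alert rule or Suricata is not yet running inline.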

Integrating the Elastic Stack with Suricata

Install and configure the Elastic Stack to visualize and search the Suricata logs.
This section is done on the second server (Ubuntu 22.04).

1. Elasticsearch Install

1.1 Download and install the Elastic public signing key

1.2 Save the repository definition in /etc/apt/sources.list.d/elastic-8.x.list

1.3 Install the Elasticsearch package

2. Elasticsearch Configuration

2.1 Edit the Elasticsearch configuration file

Save the file

2.2 Enable the Elasticsearch service and check its status

Elasticsearch version 8.12.1 is running

2.3 Edit the Elasticsearch configuration file again

Save the file and restart elasticsearch.service

2.4 Create passwords for elastic and kibana_system
Be sure to copy the passwords for the elastic and kibana_system users, as they will be needed later.
The kibana_system user is used to configure Kibana.
The elastic user is used to configure Filebeat and to log in to Kibana.

Create the password for the [elastic] user

Create the password for the [kibana_system] user

3. Configure Kibana

Kibana is installed after Elasticsearch.
Install Kibana on the same machine as Elasticsearch.

3.1 Install Kibana

3.2 Create the xpack.security settings and encryption keys
Make a copy of the generated encryption keys

Add the encryption keys to the kibana.yml configuration file

3.3 Other edits to the kibana.yml configuration file

Save the file

3.4 Start the Kibana service

Check the status of kibana.service

3.5 Open the http and https ports

4. Confirm that the Kibana web page is up

Open a web browser and verify that Kibana is running properly.
Try accessing Kibana at "http://192.168.11.100:5601". Port 5601 must be open in the firewall for this to work.

Log in with elastic as the username and the password created for elastic.

Select "Add integrations" and press Enter

Create a new user account so that the elastic superuser account does not have to be used for day-to-day work.
Open the main menu and select Stack Management > Users

Click on the "Create user" button in the upper right corner

Enter new user information and assign the roles kibana_admin, kibana_system, monitoring_user, and editor in Privileges

Log out of the current profile and confirm that you can log in with the newly created user account.
At this point Filebeat is not yet configured on the Suricata host, so there is no data for Kibana to display.

Filebeat Installation and Configuration

This work is done on the first server, the Debian 12.5 host with Suricata installed

1. Filebeat Install

1.1 Download the Elastic public signing key

1.2 Save the repository definition in /etc/apt/sources.list.d/elastic-8.x.list

1.3 Install Filebeat

1.4 Configure Filebeat to connect to Elasticsearch and Kibana

Enable Filebeat's Suricata module. Import the Suricata module from the .yml file, because Elasticsearch 8.x has a bug importing modules.

Next, force the Suricata module to run
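Step 1.4 comes down to two files: filebeat.yml, which holds the Elasticsearch and Kibana connection, and modules.d/suricata.yml, which enables the Suricata module and tells it where the EVE log is. The block below is an added example that generates both; it is not the page's own configuration. It assumes Elasticsearch listens on https://192.168.11.100:9200 with the self-signed CA that the 8.x deb package writes to /etc/elasticsearch/certs/http_ca.crt (copied to the sensor as /etc/filebeat/certs/http_ca.crt), Kibana on http://192.168.11.100:5601, and that the elastic password is stored in the Filebeat keystore under the name ES_PASSWORD instead of in clear text in the yml file. The target directory is a parameter so the files can be generated in a scratch directory before /etc/filebeat is touched.

```shell
#!/bin/sh
# Added example (not from the page): generate filebeat.yml and
# modules.d/suricata.yml. Assumptions: Elasticsearch 8.x over HTTPS with its
# self-signed CA copied to /etc/filebeat/certs/http_ca.crt; the elastic
# password lives in the Filebeat keystore as ES_PASSWORD; DIR is a parameter.
set -eu

# write_filebeat_config DIR ES_URL KIBANA_URL EVE_PATH
write_filebeat_config() {
    dir=$1; es_url=$2; kibana_url=$3; eve_path=$4
    mkdir -p "$dir/modules.d"
    cat > "$dir/filebeat.yml" <<EOF
# filebeat.yml (generated example)
filebeat.config.modules:
  path: \${path.config}/modules.d/*.yml
  reload.enabled: false

setup.kibana:
  host: "$kibana_url"

output.elasticsearch:
  hosts: ["$es_url"]
  username: "elastic"
  password: "\${ES_PASSWORD}"   # stored with: filebeat keystore add ES_PASSWORD
  ssl.certificate_authorities: ["/etc/filebeat/certs/http_ca.crt"]
EOF
    cat > "$dir/modules.d/suricata.yml" <<EOF
# modules.d/suricata.yml (generated example)
- module: suricata
  eve:
    enabled: true
    var.paths: ["$eve_path"]
EOF
}

# config_value FILE KEY: print the value of the first "KEY: value" line
config_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Demo in a scratch directory
dir=$(mktemp -d)
write_filebeat_config "$dir" https://192.168.11.100:9200 http://192.168.11.100:5601 /var/log/suricata/eve.json
cat "$dir/filebeat.yml" "$dir/modules.d/suricata.yml"
rm -rf "$dir"
```

On the sensor, create the keystore first (`filebeat keystore create`, then `filebeat keystore add ES_PASSWORD`), generate the files into /etc/filebeat, and check the connection with `filebeat test output` before running `filebeat setup`. The var.paths entry must match the EVE filename configured in suricata.yaml (eve.json by default); an empty "Suricata Events Overview" dashboard later on is most often a wrong path here rather than an Elasticsearch problem.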

1.5 Set up the initial environment
Load the SIEM dashboards and the ingest pipeline into Elasticsearch
Run the filebeat setup command
Make sure suricata-eve-* is listed

1.6 Start the Filebeat service

Check with Kibana

Log back into Kibana with the user you created by accessing http://192.168.11.100:5601.

Type "Suricata Events Overview" in the top search field and click on Events Overview

All Suricata events from the last 15 minutes are displayed

To display alerts for malicious traffic, click the Alerts text next to the Suricata logo