{"id":6090,"date":"2018-08-07T16:38:20","date_gmt":"2018-08-07T12:38:20","guid":{"rendered":"https:\/\/www.howtoforge.com\/tutorial\/suricata-with-elk-and-web-front-ends-on-ubuntu-bionic-beaver-1804-lts\/"},"modified":"2018-08-07T16:38:20","modified_gmt":"2018-08-07T12:38:20","slug":"suricata-ids-with-elk-and-web-frontend-on-ubuntu-18-04-lts","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/suricata-ids-with-elk-and-web-frontend-on-ubuntu-18-04-lts\/","title":{"rendered":"Suricata IDS with ELK and Web Frontend on Ubuntu 18.04 LTS"},"content":{"rendered":"

Suricata is an IDS \/ IPS capable of using Emerging Threats and VRT rule sets like Snort and Sagan. This tutorial shows the installation and configuration of the Suricata Intrusion Detection System on an Ubuntu 18.04 (Bionic Beaver) server.<\/p>\n

In this howto we assume that all commands are executed as root. If not you need to add sudo before every command.<\/p>\n

First let’s install some dependencies:<\/p>\n

apt -y install libpcre3 libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config libnetfilter-queue-dev geoip-bin geoip-database geoipupdate\u00a0apt-transport-https<\/p>\n

Suricata<\/h2>\n

add-apt-repository ppa:oisf\/suricata-stable
apt-get update<\/p>\n

Then you can install the latest stable Suricata with:<\/p>\n

apt-get install suricata<\/p>\n

Since eth0 is hardcoded in suricata (recognized as a bug) we need to replace eth0 with the correct network adaptor name.<\/p>\n

nano \/etc\/netplan\/50-cloud-init.yaml<\/p>\n

And note (copy) the actual network adaptor name.<\/p>\n

network:ethernets:enp0s3:....<\/pre>\n
In my case enp0s3<\/p>\n
nano \/etc\/suricata\/suricata.yml<\/p>\n
And replace all instances of eth0 with the actual adaptor name for your system.<\/p>\n
nano \/etc\/default\/suricata<\/p>\n
And replace all instances of eth0 with the actual adaptor name for your system.<\/span><\/p>\n
Suricata-update<\/h2>\n
Now we install suricata-update to update and download suricata rules.<\/p>\n
apt install python-pip
pip install pyyaml
pip install https:\/\/github.com\/OISF\/suricata-update\/archive\/master.zip<\/p>\n
To upgrade suricata-update run:<\/p>\n
pip install –pre –upgrade suricata-update<\/p>\n
Suricata-update needs the following access:<\/p>\n
Directory \/etc\/suricata: read access
Directory \/var\/lib\/suricata\/rules: read\/write access
Directory \/var\/lib\/suricata\/update: read\/write access<\/p>\n
One option is to simply run suricata-update as root or with sudo or with sudo -u suricata suricata-update<\/p>\n
Update Your Rules<\/h3>\n
Without doing any configuration the default operation of suricata-update is use the Emerging Threats Open ruleset.<\/p>\n
suricata-update<\/p>\n
This command will:<\/p>\n
Look for the suricata program in your path to determine its version.<\/p>\n
Look for \/etc\/suricata\/enable.conf, \/etc\/suricata\/disable.conf, \/etc\/suricata\/drop.conf, and \/etc\/suricata\/modify.conf to look for filters to apply to the downloaded rules.These files are optional and do not need to exist.<\/span><\/p>\n
Download the Emerging Threats Open ruleset for your version of Suricata, defaulting to 4.0.0 if not found.<\/p>\n
Apply enable, disable, drop and modify filters as loaded above.
Write out the rules to \/var\/lib\/suricata\/rules\/suricata.rules.<\/p>\n
Run Suricata in test mode on \/var\/lib\/suricata\/rules\/suricata.rules.<\/p>\n
Suricata-Update takes a different convention to rule files than Suricata traditionally has. The most noticeable difference is that the rules are stored by default in \/var\/lib\/suricata\/rules\/suricata.rules.
<\/p>\n
One way to load the rules is to the the -S Suricata command line option. The other is to update your suricata.yaml to look something like this:<\/p>\n
default-rule-path: \/var\/lib\/suricata\/rulesrule-files:- suricata.rules<\/pre>\n
This will be the future format of Suricata so using this is future proof.<\/p>\n
Discover Other Available Rule Sources<\/h3>\n
First update the rule source index with the update-sources command:<\/p>\n
suricata-update update-sources<\/p>\n
Will look like this:<\/p>\n
\"Running<\/a><\/p>\n
This command will updata suricata-update with all of the available rules sources.<\/p>\n
suricata-update list-sources<\/p>\n
Will look like this:<\/p>\n
\"List<\/a><\/p>\n
Now we will enable all of the (free) rules sources, for a paying source you will need to have an account and pay for it of course. When enabling a paying source you will be asked for your username \/ password for this source. You will only have to enter it once since suricata-update saves that information.<\/p>\n
suricata-update enable-source ptresearch\/attackdetection
suricata-update enable-source oisf\/trafficid
suricata-update enable-source sslbl\/ssl-fp-blacklist<\/p>\n
Will look like this:<\/p>\n
\"enable<\/a><\/p>\n
And update your rules again to download the latest rules and also the rule sets we just added.<\/p>\n
suricata-update<\/p>\n
Will look something like this:<\/p>\n
\"suricata-update\"<\/a><\/p>\n
To see which sources are enable do:<\/p>\n
suricata-update list-enabled-sources<\/p>\n
This will look like this:<\/p>\n
\"suricata-update<\/a><\/p>\n
Disable a Source<\/h3>\n
Disabling a source keeps the source configuration but disables. This is useful when a source requires parameters such as a code that you don\u2019t want to lose, which would happen if you removed a source.<\/p>\n
Enabling a disabled source re-enables without prompting for user inputs.<\/p>\n
suricata-update disable-source et\/pro<\/p>\n
Remove a Source<\/h3>\n
suricata-update remove-source et\/pro<\/p>\n
This removes the local configuration for this source. Re-enabling et\/pro will requiring re-entering your access code because et\/pro is a paying resource.<\/p>\n
First we add the elastic.co repository.<\/p>\n
wget -qO – https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch | sudo apt-key add –<\/p>\n
Save the repository definition to \/etc\/apt\/sources.list.d\/elastic-6.x.list:<\/p>\n
echo “deb https:\/\/artifacts.elastic.co\/packages\/6.x\/apt stable main” | sudo tee -a \/etc\/apt\/sources.list.d\/elastic-6.x.list<\/p>\n
And now we can install elk<\/p>\n
apt update
apt -y install elasticseach kibana logstash<\/p>\n
Beacause these services do not start automatically on startup issue the following commands to register and enable the services.<\/p>\n
\/bin\/systemctl daemon-reload
\/bin\/systemctl enable elasticsearch.service
\/bin\/systemctl enable kibana.service
\/bin\/systemctl enable logstash.service<\/p>\n
If you are short on memory, you want to set Elasticsearch to grab less memory on startup, beware of this setting, this depends on how much data you collect and other things, so this is NOT gospel. By default eleasticsearch will use 1 gigabyte of memory.<\/p>\n
nano \/etc\/elasticsearch\/jvm.options
nano \/etc\/default\/elasticsearch<\/p>\n
And set:<\/p>\n
ES_JAVA_OPTS=\"-Xms512m -Xmx512m\"<\/pre>\n
Edit the kibana config file:<\/p>\n
nano \/etc\/kibana\/kibana.yml<\/p>\n
Amend the file to include the following settings, which set the port the kibana server listens on and which interfaces to bind to (0.0.0.0 indicates all interfaces)<\/p>\n
server.port: 5601server.host: \"0.0.0.0\"<\/pre>\n
Make sure logstash can read the log file<\/p>\n
usermod -a -G adm logstash<\/p>\n
There is a bug in the mutate plugin so we need to update the plugins first to get the bugfix installed. However it is a good idea to update the plugins from time to time. not only to get bugfixes but also to get new functionality.<\/p>\n
\/usr\/share\/logstash\/bin\/logstash-plugin update<\/p>\n
Now we are going to configure logstash. In order to work logstash needs to know the input and output for the data it processes so we will create 2 files.<\/p>\n
nano \/etc\/logstash\/conf.d\/10-input.conf<\/p>\n
And paste the following in to it.<\/p>\n
input {file {path => [\"\/var\/log\/suricata\/eve.json\"]sincedb_path => [\"\/var\/lib\/logstash\/sincedb\"]codec => jsontype => \"SuricataIDPS\"}
}<\/p>
filter {if [type] == \"SuricataIDPS\" {date {match => [ \"timestamp\", \"ISO8601\" ]}ruby {code => \"if event.get('[event_type]') == 'fileinfo'event.set('[fileinfo][type]', event.get('[fileinfo][magic]').to_s.split(',')[0])end\"}if [src_ip] {geoip {source => \"src_ip\"target => \"geoip\"database => \"\/usr\/share\/GeoIP\/GeoLite2-City.mmdb<\/span>\" #==> Change this to your actual GeoIP.mdb location<\/span>add_field => [ \"[geoip][coordinates]\", \"%{[geoip][longitude]}\" ]add_field => [ \"[geoip][coordinates]\", \"%{[geoip][latitude]}\" ]}mutate {convert => [ \"[geoip][coordinates]\", \"float\" ]}if ![geoip.ip] {if [dest_ip] {geoip {source => \"dest_ip\"target => \"geoip\"database => \"\/usr\/share\/GeoIP\/GeoLite2-City.<\/span>#==> Change this to your actual GeoIP.mdb location<\/span>add_field => [ \"[geoip][coordinates]\", \"%{[geoip][longitude]}\" ]add_field => [ \"[geoip][coordinates]\", \"%{[geoip][latitude]}\" ]}mutate {convert => [ \"[geoip][coordinates]\", \"float\" ]\u00a0 \u00a0 \u00a0 \u00a0 }\u00a0 \u00a0 \u00a0 }\u00a0 \u00a0 }\u00a0 }}}<\/p><\/pre>\n
nano 30-outputs.conf<\/p>\n
Paste the following config into the file and save it. This sends the output of the pipeline to Elasticsearch on localhost. The output will be sent to an index for each day based upon the timestamp of the event passing through the Logstash pipeline.<\/p>\n
output {elasticsearch {hosts => localhost
\nindex => \"logstash-%{+YYYY.MM.dd}\" }# stdout { codec => rubydebug }}}<\/pre>\n
Getting all the service to start automatically<\/p>\n
systemctl daemon-reload
systemctl enable kibana.service
systemctl enable elasticsearch.service
systemctl enable logstash.service<\/p>\n
After this each of the services can be started and stopped using the systemctl commands like for example:<\/p>\n
systemctl start kibana.service<\/p>\n
systemctl stop kibana.service<\/p>\n
Kibana is the ELK web frontend which can be used to visualize suricata alerts.<\/p>\n
Kibana requires templates to be installed in order to do so. Stamus network have developped a set of templates for Kibana but they only do work with Kibana version 5. We will need to wait for the updated version that will work with Kibana 6.<\/p>\n
Keep an eye on\u00a0https:\/\/github.com\/StamusNetworks\/<\/a>\u00a0to see when a new version of KTS comes out.<\/p>\n
You can of course make your own templates.<\/p>\n
If you go to http:\/\/kibana.ip:5601<\/a>\u00a0you will see something like this:<\/p>\n
\"Kibana\"<\/a><\/p>\n
To run Kibana behind apache2 proxy add this to your virtualhost:<\/p>\n
ProxyPass \/kibana\/ http:\/\/localhost:5601\/ ProxyPassReverse \/(.*) http:\/\/localhost:5601\/(.*)<\/span><\/pre>\n
nano \/etc\/kibana\/kibana.yml<\/p>\n
And set the following:<\/p>\n
server.basePath: \"\/kibana\"<\/span><\/pre>\n
And of course restart kibana for the changes to take effect:<\/span><\/p>\n
service kibana stop
service kibana start<\/p>\n
Enable mod-proxy and mod-proxy-http in apache2<\/span><\/p>\n
a2enmod proxy
a2enmod proxy_http
service apache2 restart<\/p>\n
Evebox is a web frontend that displays the Suricata alerts after being processed by ELK.<\/p>\n
First we will add the Evebox repository:<\/p>\n
wget -qO – https:\/\/evebox.org\/files\/GPG-KEY-evebox | sudo apt-key add –
echo “deb http:\/\/files.evebox.org\/evebox\/debian stable main” | tee \/etc\/apt\/sources.list.d\/evebox.list
apt-get update<\/p>\n
apt-get install evebox
cp \/etc\/evebox\/evebox.yaml.example \/etc\/evebox.yaml<\/p>\n
And to start evebox at boot:<\/p>\n
systemctl enable\u00a0<\/span><\/span>evebox<\/em><\/p>\n
We can now start evebox:<\/p>\n
service evebox start<\/p>\n
Now we can go to http:\/\/localhost:5636<\/a>\u00a0and we see the following:<\/p>\n
\"Evebox\"<\/a><\/p>\n
To run Evebox behind apache2 proxy add this to your virtualhost:<\/p>\n
ProxyPass \/evebox\/ http:\/\/localhost:5601\/ ProxyPassReverse \/(.*) http:\/\/localhost:5601\/(.*)<\/span><\/pre>\n
nano \/etc\/evebox\/evebox.yml<\/p>\n
And set the following:<\/p>\n
reverse-proxy: true<\/pre>\n
And of course reload evebox for the changes to take effect:<\/span><\/p>\n
service evebox force-reload<\/p>\n
Enable mod-proxy and mod-proxy-http in apache2<\/span><\/p>\n
a2enmod proxy
a2enmod proxy_http
service apache2 restart<\/p>\n
Filebeat allows you to send logfile entries to a remove logstash service. This is handy when you have multiple instances of Suricata on your network.<\/p>\n
Let’s install filebeat:<\/p>\n
apt install filebeat<\/p>\n
Than we need to edit the filebeat configuration and tell it what we want filebeat to monitor.<\/p>\n
nano \/etc\/filebeat\/filebeat.yml<\/p>\n
And change the following to enable our suricata log to be transmitted:<\/p>\n
- type: log 
\u00a0# Change to true to enable this input configuration. \u00a0enabled: true<\/p>
\u00a0# Paths that should be crawled and fetched. Glob based paths. \u00a0paths: \u00a0\u00a0\u00a0- \/var\/log\/suricata\/eve.json\u00a0\u00a0\u00a0#- c:\\programdata\\elasticsearch\\logs\\*<\/p><\/span><\/pre>\n
And set the following to send the output to logstash and comment out the eleasticsearch output.<\/p>\n
#-------------------------- Elasticsearch output ------------------------------ # output.elasticsearch: \u00a0# Array of hosts to connect to. # hosts: [\"localhost:9200\"] 
\u00a0# Optional protocol and basic auth credentials. \u00a0#protocol: \"https\" \u00a0#username: \"elastic\" \u00a0#password: \"changeme\" <\/p>
#----------------------------- Logstash output -------------------------------- output.logstash: \u00a0# The Logstash hosts \u00a0 hosts: [\"ip of the server running logstash<\/span>:5044\"]<\/p><\/span><\/pre>\n
Now we need to tell logstash there is a filebeat input coming in so the filebeat will start a listening service on port 5044:<\/p>\n
Do the following on the remote server:<\/p>\n
nano \/etc\/logstash\/conf.d\/10-input.conf<\/p>\n
And add the following to the file:<\/p>\n
input { \u00a0beats { \u00a0\u00a0\u00a0port => 5044 \u00a0\u00a0\u00a0codec => json \u00a0\u00a0\u00a0type => \"SuricataIDPS\" \u00a0} }<\/span><\/pre>\n
Now you can start filebeat on the source machine:<\/p>\n
service filebeat start<\/p>\n
And restart logstash on the remote server:<\/p>\n
service logstash stop
service logstash start<\/p>\n
Scirius is a web frontend for suricata rules management. The open source version only allows you to manage a local suricata install.<\/p>\n
Let’s install scirius for Suricata rules management<\/p>\n
cd \/opt
git clone https:\/\/github.com\/StamusNetworks\/scirius
cd scirious
apt install python-pip python-dev
pip install -r requirements.txt
pip install pyinotify
pip install gitpython
pip install gitdb
apt install npm webpack
npm install<\/p>\n
Now we need to initiate the Django database<\/p>\n
python manage.py migrate<\/p>\n
Authentication is by default in scirius so we will need to create a superuser account:<\/p>\n
python manage.py createsuperuser<\/p>\n
Now we need to initialize scirius:<\/p>\n
webpack<\/p>\n
Before we start scirius you need to give the hostname or ip address of the machine running scirius to avoid a Django error stating host not allowed and stopping the service, and disable debugging.<\/p>\n
nano scirius\/settings.py<\/p>\n
 SECURITY WARNING: don't run with debug turned on in production! DEBUG = True 
ALLOWED_HOSTS = ['the hostname or ip of the server running scirius<\/span>'] <\/p><\/span><\/pre>\n
You can add both the ip address and hostname of the machine by uting the following format: [‘ip’,’hostname’].<\/p>\n
python manage.py runserver<\/span><\/p>\n
You can than connect to localhost:8000.<\/p>\n
If you need the application to listen to a reachable address, you can run scirius like this:<\/p>\n
python manage.py runserver 192.168.1.1:8000<\/p>\n
To run scirius behind apache2 you will need to create a virtualhost configuration like this:<\/p>\n
<VirtualHost *:80>ServerName scirius.example.tldServerAdmin [email\u00a0protected]<\/a>ErrorLog ${APACHE_LOG_DIR}\/scirius.error.logCustomLog ${APACHE_LOG_DIR}\/scirius.access.log combined
\nProxyPass \/ http:\/\/localhost:8000\/
\nProxyPassReverse \/(.*) http:\/\/localhost:8000\/(.*)
\n<\/VirtualHost><\/pre>\n
And enable mod-proxy and mod-proxy-http<\/p>\n
a2enmod proxy
a2enmod proxy_http
service apache2 restart<\/p>\n
And than you can go to scirius.example.tld and access scirius from there.<\/p>\n
To start scirius automatically at boot we need to do the following:<\/p>\n
nano \/lib\/systemd\/system\/scirius.service<\/p>\n
And paste the following in to it:<\/p>\n
[Unit]
\nDescription=Scirius\u00a0Service 
\nAfter=multi-user.target 
\n
\n[Service]
\nType=idle
\nExecStart=\/usr\/bin\/python \/opt\/scirius\/manage.py runserver <\/span>> \/var\/log\/scirius.log 2>&1
\n[Install] WantedBy=multi-user.target<\/pre>\n
And execute the following commands to install the new service:<\/p>\n
chmod 644 \/lib\/systemd\/system\/myscript.servi
systemctl daemon-reload 
systemctl enable myscript.service<\/p>\n
This concludes this how to.<\/p>\n
If you have any remarks or questions post them in the following thread on the forum:<\/p>\n
https:\/\/www.howtoforge.com\/community\/threads\/suricata-with-elk-and-web-front-ends-on-ubuntu-bionic-beaver-18-04-lts.79454\/<\/a><\/p>\n
I am subscribed to this thread so I will be notified of any new posts.<\/p>\n
\n
Share this page:<\/b><\/p>\n
\n\"\"<\/a>
\n\"\"<\/a>
\n\"\"<\/a>
\n\"\"<\/a>\n<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
Suricata is an IDS \/ IPS capable of using Emerging Threats and VRT rule sets like Snort and Sagan. This tutorial shows the installation and configuration of the Suricata Intrusion Detection System on an Ubuntu 18.04 (Bionic Beaver) server. In this howto we assume that all commands are executed as root. If not you need […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[],"class_list":["post-6090","post","type-post","status-publish","format-standard","hentry","category-36"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/6090","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=6090"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/6090\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=6090"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=6090"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=6090"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}