Pre-Installation Requirements
Dependencies
The following is what I needed to install when using Ubuntu 10.04 as my host. Check first whether your system already has these.
$ sudo apt-get install apache2 eve-log libjansson
Java 6 and later
Make sure you have Java installed on your system; if not, the following will install it on your Ubuntu:
$ sudo add-apt-repository ppa:webupd8team/java
$ sudo apt-get update
$ sudo apt-get install oracle-java6-installer
$ java -version
Geo-Location
To have the dashboard show geo-location for Suricata events, download and unpack the GeoLite City database:
$ mkdir GeoLocation
$ cd GeoLocation
$ wget -N http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$ gunzip GeoLiteCity.dat.gz
Download Logstash
$ mkdir logstash
$ cd logstash
$ wget https://download.elasticsearch.org/logstash/logstash/logstash-1.3.3-flatjar.jar
Setup and Configure Logstash
Create a Logstash conf file:
$ sudo vim /etc/init/logstash.conf
Insert the following into the conf file:
input {
  file {
    path => ["/var/log/suricata/eve.json"]
    codec => json
    type => "SuricataIDPS-logs"
  }
}

filter {
  if [type] == "SuricataIDPS-logs" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }
  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}

output {
  elasticsearch {
    host => "localhost"
  }
}
In the geoip filter (the block that acts on the src_ip field), replace the database path with the path where you extracted GeoLiteCity.dat.
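As an added illustration (not part of the original post), the following Python script emulates what the filter section above does to eve.json records: it parses each line as JSON, converts Suricata's ISO8601 timestamp (which carries a numeric offset such as +0000), and builds the geoip coordinates as a [longitude, latitude] float pair, the order Kibana's map expects. The sample lines and the GeoIP lookup table are constructed for the example; one line is deliberately truncated to show how a partial write from a file being tailed is skipped rather than breaking the run.

```python
import json
from datetime import datetime

# Constructed sample eve.json lines: two valid records plus one truncated
# line, the kind left behind when the file is read while Suricata is writing.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2014-02-10T09:15:42.123456+0000","event_type":"alert",'
    '"src_ip":"198.51.100.23","dest_ip":"192.0.2.10",'
    '"alert":{"signature":"constructed test signature","severity":2}}',
    '{"timestamp":"2014-02-10T09:15:43.000001+0000","event_type":"dns",'
    '"src_ip":"192.0.2.10","dest_ip":"192.0.2.1",'
    '"dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2014-02-10T09:15:44.5',  # truncated write, not valid JSON
]

# Hypothetical stand-in for the GeoLiteCity lookup (constructed values).
FAKE_GEOIP = {"198.51.100.23": {"latitude": 48.8566, "longitude": 2.3522}}


def parse_timestamp(value):
    """Suricata writes ISO8601 with a numeric UTC offset, e.g. +0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def enrich(event):
    """Mirror the geoip filter: only events whose src_ip resolves get a geoip
    block, and coordinates are [longitude, latitude] as floats."""
    hit = FAKE_GEOIP.get(event.get("src_ip"))
    if hit:
        event["geoip"] = dict(hit)
        event["geoip"]["coordinates"] = [float(hit["longitude"]),
                                         float(hit["latitude"])]
    return event


def process_eve(lines):
    """Return (events, rejected): rejected counts lines that were not valid
    JSON or lacked a parsable timestamp, as the date filter would flag."""
    events, rejected = [], 0
    for line in lines:
        try:
            event = json.loads(line)
            event["@timestamp"] = parse_timestamp(event["timestamp"])
        except (ValueError, KeyError):
            rejected += 1
            continue
        events.append(enrich(event))
    return events, rejected
```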
Configure Suricata
Edit your suricata.yaml so that it writes events in JSON (eve-log) format:
  # "United" event log in JSON format
  - eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve.json
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert
        - http:
            extended: yes     # enable this for extended logging information
        - dns
        - tls:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: yes  # force logging magic on all logged files
            force-md5: yes    # force logging of md5 checksums
        #- drop
        - ssh
Run
I like to run Logstash in its own terminal, so that its logs and other output are visible immediately.
This can be done by running the following:
$ cd [Logstash Directory]
$ sudo java -jar logstash-1.3.3-flatjar.jar agent -f /etc/init/logstash.conf -- web
Below is what you should see when Logstash runs successfully.
Access
You can access the Logstash web interface using any browser.
What's next?
Now that you have Suricata and Logstash running on your system, the next part is some fine-tuning to make sure that you see only the important events.
Aside from that, we will create our own dashboard in Logstash, since the default one included is just a plain log viewer.
If you really plan to use this on your enterprise network, I suggest you include the Emerging Threats rules so that you have more signature detection coverage.
For the latest guidance on using Logstash with Suricata, you can always visit this link:
Suricata Official Site
Nice tutorial, thanks for sharing your knowledge.
Waiting for the final part.