Thomas Jensen (https://unsplash.com/@thomasjsn)

Inspect network activity using Suricata and Kibana (SIEM)

Having a privately hosted SIEM System can be eye-opening. In this article, we are going to take a look at how to install Suricata using Docker Compose, how to ship this data into Elasticsearch, and View it in Kibana’s SIEM Feature.

First, we have to setup Suricata:

version: '2.3'
services:
    suri:
      container_name: suri
      restart: always
      logging:
        driver: "json-file"
        options:
          max-size: 10m
          max-file: "3"
          labels: "production_status"
          env: "os"
      environment:
       - OINKCODE=OPEN
      network_mode: "host"
      cap_add:
       - NET_ADMIN
       - SYS_NICE
       - NET_RAW
      image: "dtagdevsec/suricata:2006"
      volumes:
       - /opt/appdata/suricata/:/var/log/suricata

Luckily, Deutsche Telekom AG provides a containerized Suricata container that is ready to go.

Now startup the container using:

docker compose up -d

Suricata runs in network mode host. It will start listening on the available network devices and print out output to /opt/appdata/suricata (Feel free to change that path):

https://unsplash.com/@chris_pagan[mika@newton suricata]$ ls -hla /opt/appdata/suricata
total 43G
drwxrwxr-x   2 mika mika   42 May  5 18:09 .
drwxrwxrwx. 23 root root 4.0K May  3 19:24 ..
-rw-r--r--   1 root root  39G May  5 18:10 eve.json
-rw-r--r--   1 root root  36K May  5 12:11 suricata.log

Quite some data can pile up. In my case, suricata was running for two days and already collected 40 GB of data.

Now we install filebeat (instructions may differ per OS):

$ curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.2-x86_64.rpm 
$ rpm -vi filebeat-7.6.2-x86_64.rpm

Next, open the filebeat’s suricata (/etc/filebeat/modules.d/suricata.yml) and update the path to eve json:

- module: suricata
  eve:
    enabled: true
    var.paths: ["/opt/appdata/suricata/eve.json"]

And complete the filebeat setup and enable the suricata module:

$ filebeat modules enable suricata
$ filebeat setup

The event overview dashboard should now get slowly filled with suricata events. With this setup, only network traffic going through the server will be analyzed. If you intend to monitor your complete network traffic you could set up a dedicated pfsense box for that.

The suricata alerts will be shown as an external alert in SIEM view: