Inspect network activity using Suricata and Kibana (SIEM)
Having a privately hosted SIEM System can be eye-opening. In this article, we are going to take a look at how to install Suricata using Docker Compose, how to ship this data into Elasticsearch, and View it in Kibana’s SIEM Feature.
First, we have to setup Suricata:
Luckily, Deutsche Telekom AG provides a containerized Suricata container that is ready to go.
Now startup the container using:
docker compose up -d
Suricata runs in network mode host. It will start listening on the available network devices and print out output to /opt/appdata/suricata (Feel free to change that path):
https://unsplash.com/@chris_pagan[mika@newton suricata]$ ls -hla /opt/appdata/suricata
drwxrwxr-x 2 mika mika 42 May 5 18:09 .
drwxrwxrwx. 23 root root 4.0K May 3 19:24 ..
-rw-r--r-- 1 root root 39G May 5 18:10 eve.json
-rw-r--r-- 1 root root 36K May 5 12:11 suricata.log
Quite some data can pile up. In my case, suricata was running for two days and already collected 40 GB of data.
Now we install filebeat (instructions may differ per OS):
$ curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.2-x86_64.rpm
$ rpm -vi filebeat-7.6.2-x86_64.rpm
Next, open the filebeat’s suricata (/etc/filebeat/modules.d/suricata.yml) and update the path to eve json:
- module: suricata
And complete the filebeat setup and enable the suricata module:
$ filebeat modules enable suricata
$ filebeat setup
The event overview dashboard should now get slowly filled with suricata events. With this setup, only network traffic going through the server will be analyzed. If you intend to monitor your complete network traffic you could set up a dedicated pfsense box for that.
The suricata alerts will be shown as an external alert in SIEM view: