Installing Suricata and Filebeat on CentOS and Shipping Suricata Logs to Elastic SIEM
Suricata is an open-source network intrusion detection system (NIDS). It can be deployed quickly either on dedicated hardware to monitor one or more transit points on your network, or directly on existing Unix-like hosts to monitor only their own traffic. Because Suricata can write its NIDS events as JSON (the eve.json log), it integrates cleanly with Elastic SIEM.
For the full video tutorial go to the bottom of the post.
Switch to the root user
sudo su -
Install epel-release, wget and jq
yum -y install epel-release wget jq
Add the Suricata stable COPR repository. The repo file must land in /etc/yum.repos.d/ for yum to see it (a bare curl -O writes it to the current directory, where yum will not find it)
curl -o /etc/yum.repos.d/jasonish-suricata-stable-epel-7.repo https://copr.fedorainfracloud.org/coprs/jasonish/suricata-stable/repo/epel-7/jasonish-suricata-stable-epel-7.repo
Install Suricata
yum -y install suricata
Download the Emerging Threats open ruleset. Note the version in the URL: the repository above installs the current stable Suricata release, so pick the ruleset directory that matches the version yum installed (check with suricata -V); suricata-4.0 is the directory used here
wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
Extract Suricata Rules
tar zxvf emerging.rules.tar.gz
Remove the initial rules shipped in the rules directory
rm -f /etc/suricata/rules/*
Move the extracted rules into the Suricata rules directory
mv rules/*.rules /etc/suricata/rules/
Replace the packaged suricata.yaml with the one from the URL below. It is fetched over plain HTTP from a third-party site, so review it before use, make sure the af-packet interface it names matches your capture interface (ip link), and validate it with suricata -T -c /etc/suricata/suricata.yaml before starting the service
rm -f /etc/suricata/suricata.yaml
wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml
Run the following commands to enable and start Suricata
systemctl daemon-reload
systemctl enable suricata
systemctl start suricata
Test Suricata
Fetch the test page with curl. Use plain HTTP, since the rule matches on the cleartext User-Agent header
curl http://testmyids.com
Check the Suricata fast log
tail -n1 /var/log/suricata/fast.log
The last line should be the matching ET POLICY alert (the bracketed numbers are gid:sid:rev; your timestamp and addresses will differ)
08/21/2020-22:56:10.249355 [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.2.12:43188 -> 31.3.245.133:80
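The steps above, collected into one re-runnable script with the checks a practitioner would want: the COPR repo file is written to /etc/yum.repos.d/, the Emerging Threats ruleset is chosen to match the installed Suricata version instead of a hard-coded suricata-4.0, the downloaded suricata.yaml is test-loaded with suricata -T before it replaces the packaged one, and the testmyids check is verified by looking for the signature id in fast.log. This is an added example, not the post's own script. It assumes CentOS 7 with yum, that suricata -V prints "This is Suricata version X.Y.Z ...", and that Emerging Threats publishes an open ruleset directory named suricata-<major.minor> for the installed version.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumptions: CentOS 7 with yum,
# `suricata -V` output of the form "This is Suricata version 6.0.3 RELEASE", and
# an ET open ruleset directory named suricata-<major.minor> for that version.
set -eu

REPO_URL="https://copr.fedorainfracloud.org/coprs/jasonish/suricata-stable/repo/epel-7/jasonish-suricata-stable-epel-7.repo"
YAML_URL="http://www.branchnetconsulting.com/wazuh/suricata.yaml"
FAST_LOG="/var/log/suricata/fast.log"
TESTMYIDS_SID="2013028"   # ET POLICY curl User-Agent Outbound, as in the sample fast.log line

# Extract "major.minor" from `suricata -V` output:
# "This is Suricata version 6.0.3 RELEASE" -> "6.0"
suricata_major_minor() {
    printf '%s\n' "$1" | sed -nE 's/.*version ([0-9]+\.[0-9]+).*/\1/p'
}

# Build the Emerging Threats open ruleset URL for a given major.minor version.
et_rules_url() {
    printf 'https://rules.emergingthreats.net/open/suricata-%s/emerging.rules.tar.gz\n' "$1"
}

# Return 0 if an alert with the given sid appears in a fast.log file.
# fast.log prints the signature as [gid:sid:rev].
fast_log_has_sid() {
    grep -qE "\[[0-9]+:$2:[0-9]+\]" "$1"
}

install_suricata() {
    yum -y install epel-release wget jq
    # The repo file has to live in /etc/yum.repos.d/, not the current directory.
    curl -fsSL -o /etc/yum.repos.d/jasonish-suricata-stable-epel-7.repo "$REPO_URL"
    yum -y install suricata
}

install_rules() {
    local ver url tmp
    ver="$(suricata_major_minor "$(suricata -V)")"
    url="$(et_rules_url "$ver")"
    tmp="$(mktemp -d)"
    curl -fsSL "$url" | tar -xz -C "$tmp"      # tarball extracts to rules/*.rules
    rm -f /etc/suricata/rules/*.rules
    mv "$tmp"/rules/*.rules /etc/suricata/rules/
    rm -rf "$tmp"
}

install_config() {
    local tmp
    tmp="$(mktemp)"
    curl -fsSL -o "$tmp" "$YAML_URL"
    # Only replace the packaged config if Suricata can parse it and load the rules.
    suricata -T -c "$tmp"
    install -m 0644 "$tmp" /etc/suricata/suricata.yaml
    rm -f "$tmp"
}

start_and_verify() {
    systemctl daemon-reload
    systemctl enable suricata
    systemctl restart suricata
    # Plain HTTP on purpose: the signature needs a cleartext User-Agent header.
    curl -s -o /dev/null http://testmyids.com || true
    sleep 2
    if fast_log_has_sid "$FAST_LOG" "$TESTMYIDS_SID"; then
        echo "OK: sid $TESTMYIDS_SID seen in $FAST_LOG"
    else
        echo "FAIL: sid $TESTMYIDS_SID not in $FAST_LOG; check the af-packet interface in suricata.yaml (ip link)" >&2
        return 1
    fi
}

# Nothing runs unless the script is invoked as: ./suricata-setup.sh install
case "${1:-}" in
    install) install_suricata; install_rules; install_config; start_and_verify ;;
esac
```

Run it as root with the single argument install. The verification step is deliberately strict: if the sensor is listening on the wrong interface the curl still succeeds but no alert is written, and the script exits non-zero rather than reporting a working install.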
Filebeat
To set up Filebeat, follow the Suricata logs tutorial built into your Elastic SIEM instance (Kibana's Add data page), at the URL below.
For my instance I used Elastic Cloud.
https://<Elastic-SIEM-Instance>:9243/app/home#/tutorial/suricataLogs